Sub-Processors

In accordance with our Data Processing Agreement (DPA), Norman AI GmbH uses the following sub-processors to provide our services. We will update this page when sub-processors are added or replaced and notify affected customers in accordance with Section 6 of our DPA.

If you have questions, contact us at compliance@norman.finance.

Infrastructure & Hosting

DigitalOcean, LLC 101 Avenue of the Americas, New York, NY 10013, USA Purpose: Cloud infrastructure & hosting Data processed: All platform data including user accounts, financial data, and documents Location: EU data center (Frankfurt, Germany) Transfer mechanism: EU-U.S. Data Privacy Framework, Standard Contractual Clauses

Amazon Web Services EMEA SARL 38 Avenue John F. Kennedy, L-1855 Luxembourg Purpose: Cloud infrastructure & storage Data processed: Platform data, backups, file storage Location: EU data center (Frankfurt, Germany) Transfer mechanism: EU-U.S. Data Privacy Framework, Standard Contractual Clauses

Payment Processing

Stripe Payments Europe, Limited 1 Grand Canal Street Lower, Dublin 2, Ireland Purpose: Payment processing & subscription management Data processed: Name, email address, payment transaction data Location: EU (Ireland) Transfer mechanism: N/A (EU-based entity)

AI Processing

OpenAI OpCo, LLC 3180 18th Street, San Francisco, CA 94110, USA Purpose: AI-assisted tax & accounting analysis Data processed: User queries, financial data as submitted by the user through the AI chat Location: USA Transfer mechanism: EU-U.S. Data Privacy Framework, Standard Contractual Clauses

Anthropic, PBC 548 Market St, PMB 90375, San Francisco, CA 94104, USA Purpose: AI-assisted tax & accounting analysis Data processed: User queries, financial data as submitted by the user through the AI chat Location: USA Transfer mechanism: Standard Contractual Clauses

Communication

Twilio Inc. (SendGrid) 101 Spear Street, Suite 500, San Francisco, CA 94105, USA Purpose: Transactional email delivery Data processed: Name, email address Location: USA Transfer mechanism: EU-U.S. Data Privacy Framework, Standard Contractual Clauses

Analytics & Monitoring

Google Ireland Limited Gordon House, Barrow Street, Dublin 4, Ireland Purpose: Website analytics (Google Analytics) Data processed: Pseudonymized usage data, IP address (anonymized) Location: EU (Ireland) Transfer mechanism: N/A (EU-based entity)

Functional Software, Inc. d/b/a Sentry 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA Purpose: Error monitoring & application performance Data processed: Technical error logs, anonymized usage data, IP addresses Location: EU data center available Transfer mechanism: EU-U.S. Data Privacy Framework, Standard Contractual Clauses

Scheduling

Calendly LLC 3423 Piedmont Road NE, Atlanta, GA 30305, USA Purpose: Appointment scheduling Data processed: Name, email address, phone number Location: USA Transfer mechanism: Standard Contractual Clauses

Third-Party Data Recipients (not sub-processors)

The following entities receive personal data in the course of our services but are not sub-processors in the GDPR sense, as they act as independent data controllers:

ELSTER / German Tax Authorities (Finanzamt) Purpose: Submission of tax returns and VAT filings Data transmitted: Tax return data, personal identification data, tax IDs