Sub-processors & DPA

Every vendor. Every jurisdiction. Every mechanism.

The full register of every third party that processes personal data on behalf of EngageX customers. This is the page your procurement and legal teams are looking for.

Last updated: 22 April 2026
What this page is for

EngageX processes personal data on behalf of our customers (the Data Controllers) to deliver the platform. A small number of third-party providers — our sub-processors — receive that data to help us deliver specific parts of the service. This page lists every one of them. If you need a copy of our Data Processing Addendum or want to ask questions before signing it, this is the reference.

Legal basis & contracts

Every sub-processor relationship is governed by a Data Processing Agreement meeting Article 28 GDPR, DIFC Data Protection Law 2020, and UAE PDPL obligations. Cross-border transfers are covered by Standard Contractual Clauses, explicit data-subject consent, or both. Transfer Impact Assessments are on file for every non-adequate-country transfer.

Sub-processor register

Anthropic, PBC
United States
PurposeClaude API — matchmaking, meeting analysis, virtual SDR drafts, chatbot, ICP file reasoning
Data categoriesMeeting transcripts · profile text · lead context · chat conversation text
Transfer mechanismSCCs (EU + DIFC onward) · explicit user consent (cross_border_transfer) · TIA on file
Retention at sub-processorNot retained by Anthropic beyond request lifetime · no training on customer data
OpenAI, LLC
United States
PurposeWhisper — meeting audio transcription · GPT-4o-mini — business card OCR (CorteX Vision)
Data categoriesMeeting audio (M4A, processed in-memory) · captured image data (processed in-memory)
Transfer mechanismSCCs · explicit user consent · TIA on file
Retention at sub-processorAudio + images discarded after transcription · zero data retention policy · no training on customer data
Hetzner Online GmbH
Finland / Germany (EU)
PurposeVirtual server hosting — runs the PostgreSQL database, MinIO object storage, API and web containers
Data categoriesAll platform data at infrastructure level (encrypted at rest with AES-256)
Transfer mechanismEU-resident — no cross-border transfer for EU data subjects
Retention at sub-processorStandard infrastructure retention · no access to unencrypted customer data
Functional Software, Inc. (Sentry)
United States / EU
PurposeApplication error tracking and performance monitoring for API and web console
Data categoriesStack traces · user agent · session identifiers · incidental personal data in error payloads
Transfer mechanismSCCs · EU datacentre region selected where available
Retention at sub-processor90 days (standard Sentry retention)
Microsoft Corporation (Office 365)
United States / EU
PurposeTransactional email delivery via SMTP — invitations, confirmations, DSR deliveries, alerts
Data categoriesEmail address · email content · subject lines
Transfer mechanismMicrosoft standard DPA (accepted via Office 365 subscription) · SCCs
Retention at sub-processorMessage delivery retention per Microsoft SLA
Google LLC (Firebase Cloud Messaging)
United States
PurposePush notification delivery to iOS and Android devices (via Expo push service)
Data categoriesDevice push tokens only · no profile data, no message body personal data
Transfer mechanismGoogle Data Processing Addendum · SCCs
Retention at sub-processorDelivery retention per Google Cloud SLA
Cloudflare, Inc.
United States (global edge)
PurposeDNS, TLS termination at edge, DDoS protection, static-site hosting for public pages
Data categoriesIP addresses · HTTP headers · request metadata for proxied traffic
Transfer mechanismCloudflare standard DPA · SCCs · EU customer setting enabled
Retention at sub-processorLogs retained per Cloudflare standard (≤ 30 days for most categories)

CRM integrations are not sub-processors

When you connect your Salesforce, HubSpot, Pipedrive, Zoho or Dynamics instance to EngageX, data flows from our platform to your CRM — not through us to a third party. Your CRM vendor is your direct processor, not ours. Their DPA is with you, not with EngageX. We never store CRM credentials in plaintext; OAuth tokens are encrypted with per-tenant keys.

How we notify you about changes

When we add, remove or materially change a sub-processor, we update this page and notify affected customers via the email address on file at least 30 days before the new sub-processor starts receiving data. You have the right to object during that window.

Need our signed DPA?

Our Data Processing Addendum incorporates DIFC, UAE PDPL and EU GDPR obligations into a single document. Email legal@engagex.io or request it via the form below — we'll send a countersigned copy within 3 business days.

Request DPA
Security & Privacy overview → Integrations hub → Contact our DPO →
Get In Touch

Ready to transform
your next event?

Get in touch with our team and discover how EngageX connects visitors, exhibitors, and organisers with real purpose.

Legal & DPO
HQ
Innovation Hub, DIFC — Dubai, UAE

Get in Touch with Us