Chargement…
Liste des sous-traitants
Derniere mise a jour : 8 mai 2026
Cadre juridique
Conformement a l'article 28 du RGPD (Reglement (UE) 2016/679) et notamment a l'article 28.2 imposant l'information prealable du responsable du traitement avant tout recours a un sous-traitant ulterieur, Trinity Insights publie la liste exhaustive de ses sous-traitants intervenant dans le traitement de donnees personnelles d'utilisateurs.
Cette liste constitue un engagement contractuel opposable, conformement aux recommandations du Comite europeen de la protection des donnees (CEPD , Lignes directrices 07/2020 sur les concepts de responsable du traitement et de sous-traitant).
Sous-traitants actifs
| Sous-traitant | Role | Pays | Base juridique du transfert | Ajoute le | DPA |
|---|---|---|---|---|---|
| Hetzner Online GmbH | Infrastructure d'hebergement (Postgres, Next.js, FastAPI, monitoring) | Allemagne (UE) | Traitement intra-UE, aucun transfert hors EEE | 2024-01-01 | DPA |
| Clerk Inc. | Authentification utilisateur et gestion de session | Etats-Unis | EU-US Data Privacy Framework (Decision d'adequation 10/07/2023) + CCT 2021/914 en backup | 2024-01-01 | DPA |
| Paddle.com Market Ltd. | Traitement paiements (Merchant of Record), collecte TVA, facturation | Royaume-Uni / UE | Adequation UK GDPR + RGPD UE Art. 46 CCT pour transferts hors UK | 2024-01-01 | DPA |
| Sentry (Functional Software Inc.) | Suivi des erreurs applicatives et monitoring de performance | Etats-Unis | EU-US Data Privacy Framework + CCT 2021/914 en backup | 2024-01-01 | DPA |
| PostHog Inc. | Analytique produit (consentement requis, instance UE-hebergee) | Union europeenne (Francfort) | Traitement intra-UE via eu.posthog.com | 2024-01-01 | DPA |
| Google LLC (Google Cloud / BigQuery) | Acces au jeu de donnees public blockchain Bitcoin (aucune PII utilisateur) | Etats-Unis / UE | EU-US Data Privacy Framework + CCT 2021/914 | 2024-01-01 | DPA |
| Anthropic PBC | API LLM pour le copilot conversationnel Trinity Ask (contrat zero-data-retention) | Etats-Unis | EU-US Data Privacy Framework + CCT 2021/914 + garantie zero-data-retention | 2026-01-01 | DPA |
| Mistral AI | API LLM souveraine UE pour traitements PII clients sensibles | France (UE) | Traitement intra-UE, aucun transfert hors EEE | 2026-04-01 | DPA |
| Google LLC (Gemini API) | API LLM pour traitements analytiques non-PII | Union europeenne | EU-US Data Privacy Framework + CCT 2021/914 | 2026-04-01 | DPA |
| Cloudflare Inc. | DNS, CDN, pare-feu applicatif (WAF), protection DDoS | Etats-Unis | EU-US Data Privacy Framework + CCT 2021/914 | 2024-01-01 | DPA |
Notification prealable et droit d'opposition
Toute modification substantielle de la liste (ajout, retrait ou changement de role d'un sous-traitant) fait l'objet d'une notification a l'Utilisateur au moins trente (30) jours avant son entree en vigueur, par email et par bandeau d'information dans le tableau de bord du Service.
L'Utilisateur dispose d'un droit d'opposition raisonnee a tout ajout de sous-traitant. En cas d'opposition fondee, Trinity Insights pourra, a sa discretion, retirer le sous-traitant concerne ou resilier le contrat avec remboursement prorata temporis du mois en cours.
Pour s'opposer a un nouveau sous-traitant ou exercer tout autre droit relatif a cette liste, contactez [email protected].
Mecanismes de transfert hors UE
Les transferts de donnees personnelles vers des sous-traitants situes hors de l'Espace Economique Europeen (EEE) reposent sur les mecanismes prevus aux articles 44 a 49 du RGPD :
- Decisions d'adequation de la Commission europeenne (notamment Data Privacy Framework UE-US du 10 juillet 2023) ;
- Clauses Contractuelles Types (CCT 2021/914) en backup et pour les transferts non couverts par decision d'adequation ;
- Analyses d'impact des transferts (TIA) conformement aux Recommandations 01/2020 du CEPD post-arret Schrems II.
Conforme RGPD Art. 28-2 · CEPD Lignes directrices 07/2020 · Convention 108+
Sub-processors
Last updated: May 8, 2026
Legal framework
In accordance with Article 28 of the GDPR (Regulation (EU) 2016/679), and in particular Article 28.2 imposing prior information of the data controller before engaging a sub-processor, Trinity Insights publishes the exhaustive list of its sub-processors involved in the processing of users' personal data.
This list constitutes an enforceable contractual commitment, in accordance with the European Data Protection Board (EDPB) Guidelines 07/2020 on the concepts of controller and processor.
Active sub-processors
| Sub-processor | Role | Country | Transfer legal basis | Added | DPA |
|---|---|---|---|---|---|
| Hetzner Online GmbH | Hosting infrastructure (Postgres, Next.js, FastAPI, monitoring) | Germany (EU) | EU intra-Union processing, no transfer outside EEA | 2024-01-01 | DPA |
| Clerk Inc. | User authentication and session management | United States | EU-US Data Privacy Framework (Adequacy Decision 10/07/2023) + SCC 2021/914 backup | 2024-01-01 | DPA |
| Paddle.com Market Ltd. | Payment processing (Merchant of Record), VAT collection, billing | United Kingdom / EU | UK GDPR adequacy + EU GDPR Art. 46 SCC for non-UK transfers | 2024-01-01 | DPA |
| Sentry (Functional Software Inc.) | Application error tracking and performance monitoring | United States | EU-US Data Privacy Framework + SCC 2021/914 backup | 2024-01-01 | DPA |
| PostHog Inc. | Product analytics (consent-gated, EU-hosted instance) | European Union (Frankfurt) | EU intra-Union processing via eu.posthog.com | 2024-01-01 | DPA |
| Google LLC (Google Cloud / BigQuery) | Public Bitcoin blockchain dataset access (no user PII) | United States / EU | EU-US Data Privacy Framework + SCC 2021/914 | 2024-01-01 | DPA |
| Anthropic PBC | LLM API for the Trinity Ask conversational copilot (zero-data-retention contract) | United States | EU-US Data Privacy Framework + SCC 2021/914 + zero-data-retention guarantee | 2026-01-01 | DPA |
| Mistral AI | EU sovereign LLM API for PII-sensitive client processing | France (EU) | EU intra-Union processing, no transfer outside EEA | 2026-04-01 | DPA |
| Google LLC (Gemini API) | LLM API for non-PII analytical processing | European Union | EU-US Data Privacy Framework + SCC 2021/914 | 2026-04-01 | DPA |
| Cloudflare Inc. | DNS, CDN, web application firewall (WAF), DDoS protection | United States | EU-US Data Privacy Framework + SCC 2021/914 | 2024-01-01 | DPA |
Prior notification and right to object
Any substantial modification to the list (addition, removal, or role change of a sub-processor) is notified to the User at least thirty (30) days before it takes effect, by email and by an information banner in the Service dashboard.
The User has a right to object on reasoned grounds to any new sub-processor addition. In case of a well-founded objection, Trinity Insights may, at its discretion, withdraw the sub-processor concerned or terminate the contract with a pro rata temporis refund of the current month.
To object to a new sub-processor or to exercise any other right relating to this list, contact [email protected].
Non-EU transfer mechanisms
Transfers of personal data to sub-processors located outside the European Economic Area (EEA) rely on the mechanisms provided in Articles 44 to 49 of the GDPR:
- European Commission adequacy decisions (in particular the EU-US Data Privacy Framework of July 10, 2023);
- Standard Contractual Clauses (SCC 2021/914) as backup and for transfers not covered by an adequacy decision;
- Transfer Impact Assessments (TIA) in accordance with EDPB Recommendations 01/2020 post-Schrems II.
GDPR Art. 28-2 compliant · EDPB Guidelines 07/2020 · Convention 108+