Sub-processors List
1. Introduction
1.1. Purpose
This document contains the current list of third-party sub-processors used by Evaste to provide its services.
Under GDPR Article 28 and KVKK, we are required to inform our customers about sub-processors used to process personal data.
1.2. Definition
Sub-processors are third-party service providers that perform part of the personal data processing activities on behalf of Evaste.
1.3. Scope
Sub-processors listed in this document:
- Provide infrastructure for the Evaste platform
- Offer data storage and processing services
- Provide customer support and communication tools
- Handle payment processing
- Offer analytics and monitoring services
2. Sub-processor Policy
2.1. Selection Criteria
Sub-processors are selected based on:
(a) Security Certifications
- ISO 27001
- SOC 2 Type II
- PCI DSS (for payment providers)
(b) Data Protection Compliance
- GDPR compliance
- KVKK compliance
- Privacy policies
(c) Technical Competence
- Service reliability
- Performance standards
- Scalability
2.2. Contractual Requirements
With all sub-processors, we have:
- Data Processing Agreement (DPA)
- EU Standard Contractual Clauses (SCCs) where required
- Confidentiality and security commitments
3. Current Sub-processors
Below is a summary table of sub-processors used by Evaste.
| Sub-processor | Category | Location | Safeguard |
|---|---|---|---|
| AWS | Cloud Infrastructure | USA, EU | DPF, SCC |
| Google Cloud | Cloud Infrastructure | USA, EU | DPF, SCC |
| Cloudflare | CDN, Security | USA, Global | DPF, SCC |
| Stripe | Payment Processing | USA, Ireland | DPF, SCC |
| Intercom | Customer Support | USA, Ireland | SCC |
| SendGrid | Email Services | USA | DPF, SCC |
| Google Analytics | Analytics | USA, EU | DPF, SCC |
| Sentry | Error Tracking | USA | SCC |
Safeguard Descriptions:
- DPF: EU-US Data Privacy Framework
- SCC: EU Standard Contractual Clauses
CLOUD INFRASTRUCTURE SERVICES
Amazon Web Services (AWS): Cloud infrastructure, server hosting, data storage. All platform data stored encrypted. ISO 27001, SOC 2 Type II, PCI DSS certified.
Google Cloud Platform (GCP): Backup cloud infrastructure, data processing. ISO 27001, SOC 2 Type II certified.
CDN AND SECURITY SERVICES
Cloudflare: CDN, DDoS protection, SSL/TLS, security. IP addresses, HTTP headers, traffic data processed. ISO 27001, SOC 2 Type II certified.
PAYMENT PROCESSING SERVICES
Stripe: Payment processing, billing. PCI DSS Level 1, SOC 2 Type II certified. Note: Credit card numbers are processed by Stripe and not stored in Evaste systems.
CUSTOMER SUPPORT AND COMMUNICATION
Intercom: Live support, customer communication, knowledge base. Name, email, support conversations processed. SOC 2 Type II certified.
EMAIL SERVICES
SendGrid (Twilio): Transactional email delivery. Email addresses, email content, delivery logs processed. SOC 2 Type II, ISO 27001 certified.
ANALYTICS AND MONITORING SERVICES
Google Analytics (Optional): Web analytics, usage statistics. IP addresses anonymized. ISO 27001, SOC 2 Type II certified.
ERROR TRACKING AND MONITORING
Sentry: Error tracking, application performance monitoring. Error logs, stack traces processed (minimal personal data). SOC 2 Type II certified.
4. Data Transfer Safeguards
4.1. Transfers Outside the EEA
For data transfers to US sub-processors, the following safeguards apply:
- EU-US Data Privacy Framework (DPF): Many of our sub-processors are DPF certified.
- Standard Contractual Clauses (SCCs): 2021 EU Commission approved SCCs are signed with all sub-processors.
- Supplementary Technical Measures: data encryption (in transit and at rest), pseudonymization (where possible), access control and monitoring
4.2. Transfer Impact Assessment (TIA)
A Transfer Impact Assessment has been conducted for each sub-processor:
- Evaluation of destination country legislation
- Analysis of government access risks
- Assessment of supplementary measure adequacy
TIA results are available upon request.
4.3. Data Localization Option
For enterprise customers:
- EU region data storage option
- Turkey data storage option (upon request)
5. Change Notification
5.1. Adding New Sub-processors
Before adding a new sub-processor:
- Email notification at least 30 days in advance
- Updated list published on website
- DPA customers notified separately
5.2. Notification Content
New sub-processor notifications include:
- Sub-processor name and location
- Processing purpose
- Types of data to be processed
- Safeguards applied
5.3. Tracking Updates
To track updates to this list:
- Email subscription: subprocessors@evaste.co
- Web page: https://evaste.co/legal-center/sub-processors
- RSS feed: https://evaste.co/legal-center/sub-processors/feed
6. Objection Procedure
6.1. Right to Object
Customers who have signed a Data Processing Agreement (DPA) may object to new sub-processor usage.
6.2. Objection Process
- Objection must be made in writing within 15 days of notification
- Objection must contain reasonable and specific grounds
- Objection should be sent to: dpa@evaste.co
6.3. Objection Evaluation
- Evaste will evaluate objections within 10 business days
- Good-faith negotiations will be conducted with the Customer
- Alternative solutions will be explored
6.4. Failure to Resolve
If parties cannot reach agreement:
- Customer has the right to terminate the DPA
- Service continues until end of current subscription period
- Data return/deletion procedures apply
7. Contact Information
For questions about sub-processors:
Evaste (Group Taiga)
Address: Levent, Istanbul, Turkey
General Inquiries: info@evaste.co
Sub-processor Notifications: subprocessors@evaste.co
Data Protection: dpa@evaste.co
Web: https://evaste.co/legal-center/sub-processors
Phone: +90 532 494 42 64
This Sub-processors List was last updated on January 12, 2026.
This list is published to fulfill our notification obligations under GDPR Article 28/2 and our Data Processing Agreement.