Hosting & sub-processors
We work with as few external service providers as possible. This page is the authoritative list of all third parties that process personal data on behalf of DeepScript – with purpose, location and safeguards.
Overview
We run our entire infrastructure – application, database, transcription engine, object storage, backups – in the Hetzner data centres in Germany. This keeps content data under German law and prevents transfer to third countries. A US cloud provider (AWS, Azure, GCP) never has access to audio or transcripts.
The only third-country transfer occurs for payment processing via Stripe – safeguarded by EU Standard Contractual Clauses and the Data Privacy Framework (DPF).
List of sub-processors
Hetzner Online GmbH
View DPA →Industriestr. 25, 91710 Gunzenhausen, Germany
- Purpose
- Application hosting, data storage, backup infrastructure
- Data categories
- All data processed as part of the service (audio, transcripts, account data, backups)
- Processing location
- Nuremberg and Falkenstein, Germany
- Third-country transfer
- No third-country transfer
- Safeguards
- ISO/IEC 27001 certified; data processing agreement (DPA) concluded under Art. 28 GDPR
Stripe Payments Europe Ltd.
View DPA →1 Grand Canal Street Lower, Dublin 2, Ireland
- Purpose
- Payment processing, invoicing, customer portal for card and SEPA management
- Data categories
- Name, address, VAT ID, email, payment-method tokens, transaction data – no access to content data
- Processing location
- EU (Ireland); parent group: USA
- Third-country transfer
- EU → USA: EU Standard Contractual Clauses (SCCs) + DPF certification
- Safeguards
- DPA under Art. 28 GDPR; PCI-DSS Level 1 certified
Google Ireland Limited (Google Tag Manager / Analytics 4)
View DPA →Gordon House, Barrow Street, Dublin 4, Ireland
- Purpose
- Reach measurement of the marketing website – page views, click paths, technical stability. NO access to the logged-in area, audio data or transcripts. Activated only after explicit consent (banner).
- Data categories
- IP address (truncated by GA4), pseudonymous device ID (cookie _ga), requested URL, referrer, user agent
- Processing location
- EU (Ireland); parent group: Google LLC, USA
- Third-country transfer
- EU → USA: EU Standard Contractual Clauses (SCCs) + DPF certification
- Safeguards
- DPA under Art. 28 GDPR; active only on the production environment deepscript.com (not on dev.deepscript.com); deactivatable at any time via the footer link „Cookie settings“
Changes and right to object
Business customers with an active data processing agreement are informed by email at least 30 days before the addition of a new sub-processor with access to personal data. In this case the customer has a right to object on important grounds within 14 days – if disagreement persists, they have the right to extraordinary termination of the main contract.
This page is the authoritative source for the respective current list. It is updated without delay upon any change and forms part of every DPA (Annex 3).
What we deliberately do NOT use
The following providers are not used at DeepScript – as a deliberate architectural decision for data sovereignty:
- · AWS, Azure, Google Cloud – no US hyperscalers for content processing
- · OpenAI, Anthropic, Google Gemini – no external AI APIs for transcription or summarisation
- · Meta Pixel, Hotjar, Mixpanel – no marketing tracking, no session recording
- · Intercom, Zendesk, Drift – no external support chat with data flow
- · Mailchimp, HubSpot, Marketo – no external marketing stack with account data
We use Google Tag Manager + Google Analytics 4 only on the publicly accessible marketing site, exclusively after consent in the cookie banner. For the app itself (logged-in area, transcriptions, editor) no web tracking whatsoever takes place.
Questions?
Send us an email at datenschutz@deepscript.com – we reply within one business day.