DeepScript
Back to the Trust Center
Sub-processors

Hosting & sub-processors

We work with as few external service providers as possible. This page is the authoritative list of all third parties that process personal data on behalf of DeepScript – with purpose, location and safeguards.

Overview

We run our entire infrastructure – application, database, transcription engine, object storage, backups – in the Hetzner data centres in Germany. This keeps content data under German law and prevents transfer to third countries. A US cloud provider (AWS, Azure, GCP) never has access to audio or transcripts.

The only third-country transfer occurs for payment processing via Stripe – safeguarded by EU Standard Contractual Clauses and the Data Privacy Framework (DPF).

List of sub-processors

Hetzner Online GmbH

View DPA →

Industriestr. 25, 91710 Gunzenhausen, Germany

Purpose
Application hosting, data storage, backup infrastructure
Data categories
All data processed as part of the service (audio, transcripts, account data, backups)
Processing location
Nuremberg and Falkenstein, Germany
Third-country transfer
No third-country transfer
Safeguards
ISO/IEC 27001 certified; data processing agreement (DPA) concluded under Art. 28 GDPR

Stripe Payments Europe Ltd.

View DPA →

1 Grand Canal Street Lower, Dublin 2, Ireland

Purpose
Payment processing, invoicing, customer portal for card and SEPA management
Data categories
Name, address, VAT ID, email, payment-method tokens, transaction data – no access to content data
Processing location
EU (Ireland); parent group: USA
Third-country transfer
EU → USA: EU Standard Contractual Clauses (SCCs) + DPF certification
Safeguards
DPA under Art. 28 GDPR; PCI-DSS Level 1 certified

Google Ireland Limited (Google Tag Manager / Analytics 4)

View DPA →

Gordon House, Barrow Street, Dublin 4, Ireland

Purpose
Reach measurement of the marketing website – page views, click paths, technical stability. NO access to the logged-in area, audio data or transcripts. Activated only after explicit consent (banner).
Data categories
IP address (truncated by GA4), pseudonymous device ID (cookie _ga), requested URL, referrer, user agent
Processing location
EU (Ireland); parent group: Google LLC, USA
Third-country transfer
EU → USA: EU Standard Contractual Clauses (SCCs) + DPF certification
Safeguards
DPA under Art. 28 GDPR; active only on the production environment deepscript.com (not on dev.deepscript.com); deactivatable at any time via the footer link „Cookie settings“

Changes and right to object

Business customers with an active data processing agreement are informed by email at least 30 days before the addition of a new sub-processor with access to personal data. In this case the customer has a right to object on important grounds within 14 days – if disagreement persists, they have the right to extraordinary termination of the main contract.

This page is the authoritative source for the respective current list. It is updated without delay upon any change and forms part of every DPA (Annex 3).

What we deliberately do NOT use

The following providers are not used at DeepScript – as a deliberate architectural decision for data sovereignty:

  • · AWS, Azure, Google Cloud – no US hyperscalers for content processing
  • · OpenAI, Anthropic, Google Gemini – no external AI APIs for transcription or summarisation
  • · Meta Pixel, Hotjar, Mixpanel – no marketing tracking, no session recording
  • · Intercom, Zendesk, Drift – no external support chat with data flow
  • · Mailchimp, HubSpot, Marketo – no external marketing stack with account data

We use Google Tag Manager + Google Analytics 4 only on the publicly accessible marketing site, exclusively after consent in the cookie banner. For the app itself (logged-in area, transcriptions, editor) no web tracking whatsoever takes place.

Questions?

Send us an email at datenschutz@deepscript.com – we reply within one business day.

Sub-processors – DeepScript Trust Center