| 1 | Google Cloud (Compute Engine, Cloud SQL, Cloud Logging, Cloud Tasks) | Google Cloud EMEA Limited, Velasco, Clanwilliam Place, Dublin 2, Ireland | European Union — europe-central2, Warsaw, Poland | Application hosting, primary PostgreSQL database, application and audit log storage, scheduled task execution | All categories listed in Annex 1B other than session recordings and product analytics events | Intra-EEA Processing — no Chapter V transfer |
| 2 | Cloudflare, Inc. | 101 Townsend Street, San Francisco, CA 94107, USA | Global edge network with EU-region routing; core data planes primarily in the United States | Content delivery, DNS, DDoS protection, web application firewall, object storage (R2), AI Gateway routing, Cloudflare Insights beacons | Device and connection data; object storage (attachments, screenshots, back-ups); AI Gateway request and response metadata | EU-US Data Privacy Framework (primary) + 2021/914 SCCs Module 3 (backstop) |
| 3 | Google LLC (Gemini API via Cloudflare AI Gateway) | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | United States and other regions in which Google operates | Processing of AI prompts and outputs for the Qualflare AI features | Prompts and outputs, which may include incidental Personal Data from test artefacts | EU-US Data Privacy Framework (primary) + 2021/914 SCCs Module 3 (backstop) |
| 4 | Amplitude, Inc. (EU server zone api.eu.amplitude.com) | 201 Third Street, Suite 200, San Francisco, CA 94103, USA; EU Processing through Amplitude's EU data residency zone | European Union (api.eu.amplitude.com) | Product analytics, session replay (sampled at 100%), autocapture, network capture, Web Vitals, and engagement metrics for the Qualflare application | Application usage data, session recordings, network capture events, device and connection data, approximate location | Intra-EEA Processing in the EU server zone — no Chapter V transfer. Core Amplitude entity in the US is not a data importer for Customer Personal Data. |
| 5 | Stripe, Inc. | 354 Oyster Point Boulevard, South San Francisco, CA 94080, USA | United States | Subscription billing, payment processing, invoicing, payment-fraud prevention, and chargeback handling | Payment metadata (billing email, billing address, plan, transaction IDs, last four digits of card) | EU-US Data Privacy Framework (primary) + 2021/914 SCCs Module 3 (backstop) |
| 6 | Google LLC (Google Analytics 4 and Google Tag Manager) | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | United States | Marketing-site web analytics (first-party, Consent Mode v2, IP anonymisation) | Device and connection data from visitors to qualflare.com (marketing site only; not app.qualflare.com) | EU-US Data Privacy Framework (primary) + 2021/914 SCCs Module 3 (backstop) |
| 7 | Functional Software, Inc. (Sentry) | 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA | United States | Error monitoring, stack-trace capture, performance monitoring | Error stack traces, user identifiers, device and connection data | EU-US Data Privacy Framework (primary) + 2021/914 SCCs Module 3 (backstop) |
| 8 | Resend, Inc. | San Francisco, California, USA | United States | Transactional and product email delivery | Account data (email address, name), the content of transactional messages | EU-US Data Privacy Framework (primary) + 2021/914 SCCs Module 3 (backstop) |