DWS IQ 6 Platform — GDPR Article 28 Transparency
The following sub-processors are authorized to process Personal Data on behalf of the Customer in connection with DWS IQ 6 Services. This list is maintained as Annex A of the Data Processing Agreement.
| Sub-processor | Purpose | Data Location | Data Processed |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, real-time services | EU Finland/Germany | All platform data, user authentication data |
| Google Cloud (Google LLC) | Cloud Run compute services, AI APIs (Gemini) | EU Finland | Application processing data, AI inference data |
| Cloudflare Inc. | CDN, edge computing (Workers), DDoS protection | EU EU edge nodes | Web traffic metadata, cached content |
| Anthropic PBC | AI language model services (Claude API) | USA + SCC | Anonymized/pseudonymized compliance analysis data |
| Groq Inc. | AI inference acceleration | USA + SCC | Anonymized/pseudonymized AI processing data |
| Temporal Technologies Inc. | Workflow orchestration | EU | Workflow metadata, task identifiers |
| Shufti Pro Limited | Identity verification (KYC/IDV) | EU only | Biometric data (facial images), identity documents, verification results |
Supabase, Google Cloud, Cloudflare, Temporal, and Shufti Pro process data within EU/EEA jurisdictions. No additional transfer safeguards required.
Standard Contractual Clauses (SCC) per Commission Implementing Decision (EU) 2021/914 are in place. Supplementary measures include:
Shufti Pro processes biometric data (GDPR Article 9 special category) exclusively within EU/EEA data centers. EU-only processing and storage confirmed in writing by Shufti Compliance (2026-04-02) and contractually embedded in the Shufti DPA addendum. Underlying infrastructure (Google Cloud) is locked to EEA regions only. Sub-processor Programmers Force (Pakistan) is not applicable to the Lifetime Oy account under EU-only mode. Biometric data is deleted after verification completion per agreed retention schedule.
Vendor verification: Shufti Pro Limited (UK Companies House #11039567) verified active. DPA signatory Stephen Ullman confirmed as director (ICAEW chartered accountant). Company filings current. LEI: 984500AF891013CE9D42. Clause-by-clause DPA audit completed April 2026.
Accuracy trade-off (transparency note): Under EU-only mode, Shufti does not perform model training on Lifetime Oy customer data and does not route uncertain verifications to non-EU manual reviewers. ML training prohibition is contractually binding (DPA addendum Clause 6). Lifetime Oy accepts this trade-off in favour of full EU data sovereignty, and maintains an internal secondary verification layer to handle borderline cases.
Per DPA Article 7.4: Lifetime Oy will notify customers 30 days in advance of any changes to this sub-processor list. Customers may raise objections if the change is contrary to Data Protection Regulations.
To subscribe to sub-processor change notifications, contact privacy@lifetime.fi.
| Date | Change | Sub-processor |
|---|---|---|
| 2026-04-08 | DPA audit completed | Shufti Pro Limited — clause-by-clause DPA audit (PR #768); Companies House verification; ML training prohibition clause added; Art. 9 legal basis clause added |
| 2026-04-05 | Confirmed EU-only | Shufti Pro Limited — EU-only processing + GCP EEA lock contractually embedded; Programmers Force (PK) excluded |
| 2026-04-01 | Added | Shufti Pro Limited (KYC/IDV, EU-only processing) |
| 2026-02-05 | Initial list | Supabase, Google Cloud, Cloudflare, Anthropic, Groq, Temporal |