Sub-processors
Last updated: 10 October 2025
This page lists the third-party service providers (“Sub-processors”) authorised by Zula Group, LLC (“we”, “us”, “our”) to process personal data on behalf of customers using the CSRD Pro platform.
Each Sub-processor is bound by a written agreement requiring compliance with applicable data-protection laws, including the EU General Data Protection Regulation (GDPR) and the UK GDPR, and provides sufficient guarantees to implement appropriate technical and organisational measures.
1. Purpose of Sub-processing
We engage carefully selected Sub-processors to perform limited activities necessary to operate, support, and improve our Services. These may include:
- Secure hosting and data storage
- Application monitoring and error reporting
- Transactional email delivery
- Payment processing
- Optional AI-powered document generation
Sub-processors are not permitted to use personal data for any purpose other than delivering their contracted services to us.
2. Current Sub-processors
| Category | Sub-processor | Location of Processing | Purpose | Safeguards |
|---|---|---|---|---|
| Infrastructure Hosting | Scaleway SAS | Paris, France | Primary cloud hosting and data storage | EU-based processing; GDPR compliant |
| Error & Performance Monitoring | Sentry (Germany GmbH) | Frankfurt, Germany | Application error tracking and performance monitoring | EU data residency; GDPR compliant |
| Email Delivery | Scaleway Transactional Email | Paris, France | Transactional email sending (account notifications, password resets) | EU processing; contractual DPA in place |
| Payment Processing | Stripe Payments Europe Ltd. | Dublin, Ireland (EU) / United States | Payment collection and subscription management | Standard Contractual Clauses (SCCs) and DPA |
| AI Service Provider | OpenAI, L.L.C. | United States / EU region (as applicable) | Optional AI document generation features | Standard Contractual Clauses (SCCs); minimal data exposure |
3. How We Select and Manage Sub-processors
We conduct due-diligence reviews of each Sub-processor’s:
- Data-protection practices and certifications (e.g. ISO 27001)
- Technical and organisational security controls
- Record of regulatory compliance
Sub-processors are required to:
- Process data only on our documented instructions;
- Maintain confidentiality and appropriate security;
- Notify us promptly of any data incident; and
- Assist us in supporting customer obligations under GDPR.
4. Changes to This List
We may appoint new Sub-processors or remove existing ones as our Services evolve. Where required by law, customers will be notified in advance of any material change and will have the right to object if they reasonably believe such change would adversely affect data protection.
The latest version of this list will always be available at www.csrdpro.com/en/legal/subprocessors.
5. Contact
Questions or requests regarding Sub-processors may be sent to:
Zula Group, LLC Data Protection Officer 400 West Broadway Street, STE 101-351 Missoula, MT 59802, United States 📧 data@csrdpro.com