Cloop Subprocessor List
Last updated: 2026-02-15
This document lists the third-party subprocessors that ROFFI Oy ("Cloop") engages to process personal data on behalf of our customers. This list is maintained as required by our Data Processing Agreement and GDPR.
Current Subprocessors
| Subprocessor | Purpose | Data Processed | Location | DPA/Safeguards |
|---|---|---|---|---|
| Hetzner Online GmbH | Server hosting (VPS), object storage for uploaded documents | All service data (database, files, logs) | Helsinki, Finland (EU) | Hetzner DPA, EU-based |
| Nebius B.V. | AI inference — embedding generation and chat response generation | Chat message text, content chunks, system prompts, conversation history | EU data centers | Nebius AI Studio Terms of Service; data not used for model training |
| Let's Encrypt (ISRG) | TLS certificate issuance | Domain names only (no personal data) | Global | No personal data processed |
What Each Subprocessor Does
Hetzner Online GmbH
- Role: Infrastructure provider
- Data: Hosts the PostgreSQL database (all customer content, visitor sessions, leads), serves the application, stores uploaded documents in S3-compatible object storage
- Location: Hetzner data center in Helsinki, Finland (hel1)
- Why them: German company, EU data centers, strong GDPR compliance track record, Finnish data center for lowest latency
- DPA: Available at https://www.hetzner.com/legal/privacy-policy
Nebius B.V.
- Role: AI model inference (OpenAI-compatible API)
- Data: When a visitor sends a chat message, we send the message text, relevant content chunks from the customer's knowledge base, and system instructions to Nebius for response generation. We also send content for embedding generation.
- What we do NOT send: Visitor email addresses, visitor identifiers, account credentials
- Data retention by Nebius: Transient processing only — input/output data is not stored after response generation
- Model training: Nebius does not use API data for model training
- Location: EU data centers (Netherlands-based company)
- Why them: EU-based, strong performance/cost ratio, OpenAI-compatible API for portability
Let's Encrypt (Internet Security Research Group)
- Role: Free TLS certificate authority
- Data: Only our domain names (cloop.io, www.cloop.io, console.cloop.io) — no personal data
- Included for completeness — no data processing agreement needed as no personal data is involved
Subprocessors We Do NOT Use
For clarity, we do not currently use:
- Google Analytics or any analytics service
- Advertising platforms (Meta, Google Ads, etc.)
- Email marketing services (Mailchimp, SendGrid, etc.)
- CDN providers (Cloudflare, etc.)
- Error tracking services (Sentry, etc.)
- Customer support platforms (Intercom, Zendesk, etc.)
If we add any of these in the future, we will update this list and notify customers per the DPA (30 days advance notice).
Changes to This List
We notify customers of new subprocessors at least 30 days before they begin processing data, via:
- Email notification to account owners
- Dashboard notification
- Update to this document
If you object to a new subprocessor, you may terminate the affected service within 30 days of notification per the DPA.
Change History
| Date | Change |
|---|---|
| 2026-02-15 | Initial list published |
Contact
Questions about our subprocessors: privacy@cloop.io