This page lists the subprocessors that Treffio ApS (“Treffio”) engages to operate the Treffio platform. It is referenced by, and is part of, the Data Processing Agreement and the Privacy Policy.
A “subprocessor” is a third party that processes Personal Data on Treffio’s behalf. Each subprocessor below is bound by data-protection terms no less protective than those in the DPA. Where a subprocessor is located outside the European Economic Area (EEA) and the destination country is not subject to a European Commission adequacy decision, transfers are made under the Standard Contractual Clauses (SCCs) adopted by Implementing Decision (EU) 2021/914, supplemented by appropriate technical and organizational measures (in particular, encryption in transit and at rest).
We will provide at least 30 days’ prior notice of any addition or replacement of a subprocessor that processes Personal Data of Customers. Notice is given by:
Customers may object to a new subprocessor on reasonable, documented data-protection grounds within 30 days of notice, as set out in the DPA, Section 5.
| Subprocessor | Purpose | Personal Data processed | Location of processing | Transfer mechanism (if outside EEA) |
|---|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage. Exposed to the browser at supabase.treffio.com (custom domain). | All Customer and Guest Personal Data stored in the platform; authentication credentials. | EEA (Frankfurt / Ireland) | Not applicable (EEA). |
| Digital Ocean LLC | Hosting of the admin dashboard, public registration sites (*.treffio.com), and the REST API at api.treffio.com. | Operational logs; data in transit through the application servers. | Configured per droplet; primary region within the EEA. Where a workload runs outside the EEA, SCCs apply. | SCCs (where applicable) |
| Resend Inc. | Transactional email delivery (sign-in codes, invitations, confirmations, reminders, post-event communications). | Recipient name, email address, message content, delivery / open / click metadata. | United States | SCCs |
| Twilio Inc. | SMS delivery for event communications (invitations, reminders, OTP). | Recipient phone number, message content, delivery metadata. | United States | SCCs |
| Stripe Payments Europe Ltd. and Stripe, Inc. | Payment processing for paid ticketing. Sets __stripe_mid and __stripe_sid cookies during payment. | Payment-card data (handled directly by Stripe and not stored by Treffio), payer name, email, billing address, transaction amounts and identifiers. | Ireland (EU contract entity); United States and global infrastructure for processing. | SCCs (for transfers outside the EEA) |
| Google LLC — Firebase Cloud Messaging (FCM) | Push notifications to Android devices and to the web app. | Device push tokens; notification payload (event-related). | United States | SCCs |
| Apple Inc. — Apple Push Notification service (APNs) | Push notifications to iOS devices. | Device push tokens; notification payload (event-related). | Apple infrastructure (United States and global). | SCCs |
| Simply.com | Domain registration and lightweight hosting for secondary Treffio sites and DNS services. | Domain ownership records; standard hosting / DNS metadata. No event Personal Data is sent here. | Denmark | Not applicable (EEA). |
| OpenAI, L.L.C. (conditional sub-processor) | Optional AI-powered text translation feature. Used only when an Administrator explicitly invokes the feature; otherwise no data is sent. Treffio does not intentionally submit Personal Data through this feature, and the integration is configured so that submitted text is not used for training, analytics, or improvement of OpenAI models, and is not retained beyond what is necessary to return the translation. | Free-text content provided by the Administrator (typically event titles, descriptions, or other event configuration text — not, by design, identifiable guest data). | United States | SCCs |
Google LLC — Google Fonts CDN (fonts.googleapis.com, fonts.gstatic.com) | Web-font delivery for treffio.com and app.treffio.com. We are migrating to self-hosted fonts to remove this dependency. | IP address of the visitor; user-agent. No cookies. | United States | SCCs |
| unpkg / Cloudflare | Delivery of one JavaScript library on treffio.com. We are migrating to bundle this library locally. | IP address of the visitor; user-agent. No cookies. | Global CDN (Cloudflare). | SCCs (where applicable) |
For transparency, the following subprocessors process some or all data outside the European Economic Area — primarily in the United States. For each, transfers are made under the EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914), supplemented by encryption in transit and at rest and (where applicable) contractual restrictions on subprocessor access:
All other subprocessors listed above process data within the EEA.
| Subprocessor | Purpose | Status |
|---|---|---|
| Cloudflare (CDN, in addition to the existing unpkg fronting) | CDN in front of admin.treffio.com, registration sites, and app.treffio.com to improve performance and reduce origin load. | Planned. Will be added to the Active list and notified at least 30 days before activation. |
When a Customer chooses to integrate the Service with third-party tools (for example, exporting guest data to their own CRM, importing data from their own ticketing system, or hooking webhooks into a third-party automation tool), those third parties are not Treffio subprocessors. The Customer is responsible for managing data-protection obligations with those third parties.
To request more information about a subprocessor, or to lodge an objection in accordance with the DPA:
Treffio ApS — Data Protection Niels Ebbesens Vej 16 1911 Frederiksberg C Denmark Email: [email protected]
