faktoora uses the following third-party services to provide, support, and secure our platform. All subprocessors have a Data Processing Agreement (DPA) in place, and we regularly review their security posture.
Infrastructure
| Subprocessor | Purpose | Location | Certifications |
|---|---|---|---|
| Hetzner | Cloud hosting and infrastructure | Germany (EU) | ISO 27001 |
Payments
| Subprocessor | Purpose | Location | Certifications |
|---|---|---|---|
| Stripe | Payment processing and subscription management | US (EU SCCs) | PCI DSS Level 1, SOC 2 |
| BanksAPI | Bank transaction matching and reconciliation | EU | DPA in place |
Communication
| Subprocessor | Purpose | Location | Certifications |
|---|---|---|---|
| Mailjet | Transactional email delivery (invoices, notifications) | France (EU) | DPA in place |
E-Invoicing
| Subprocessor | Purpose | Location |
|---|---|---|
| Peppol network | Pan-European e-invoice delivery (AS4 protocol) | EU |
| AEAT (Spanish Tax Authority) | VeriFactu mandatory invoice registration | Spain (EU) |
AI Services
| Subprocessor | Purpose | Location | Data scope |
|---|---|---|---|
| OpenAI | Optional AI-assisted product catalogue input | US (DPA with SCCs) | Receives only user-provided input text — never existing product data, invoices, customer data, or personal data |
Data Protection
| Subprocessor | Purpose | Location |
|---|---|---|
| PROLIANCE GmbH | External Data Protection Officer | Germany (Munich) |
The following services may process customer data when explicitly configured and authorised by the customer. faktoora does not send data to these services unless the customer enables the integration.
| Service | Category | Purpose |
|---|---|---|
| Xero | Accounting | Invoice and contact synchronisation |
| DATEV | Accounting | German tax advisor data exchange |
| Bexio | Accounting | Swiss accounting synchronisation |
| Weclapp | ERP | Business process synchronisation |
| HubSpot | CRM | Contact and deal synchronisation |
| Pipedrive | CRM | Sales pipeline synchronisation |
| Monday.com | CRM | Project and contact management |
| Custom SMTP/IMAP | Email | Customer-provided email servers for sending and receiving |
| Custom webhooks | Integration | Customer-defined HTTP endpoints for event notifications |
Customers maintain their own relationships and agreements with these providers. faktoora acts as a processor under the customer's instructions for these integrations.
Evaluation Criteria
When selecting subprocessors, we evaluate:
- Data residency — EU-based hosting preferred; non-EU requires Standard Contractual Clauses
- Security certifications — ISO 27001, SOC 2, PCI DSS, or equivalent required for critical services
- Data Processing Agreements — mandatory for all personal data processors
- Encryption — TLS 1.2+ in transit and encryption at rest required for critical services
- Incident notification — timely breach notification obligations
Review Schedule
| Supplier classification | Review frequency |
|---|---|
| Critical | Quarterly |
| Important | Annually |
| Standard | Annually |
Changes to This List
We will notify affected customers before engaging a new subprocessor that processes personal data. If you have questions about our subprocessors, contact compliance@faktoora.com.