Sub-Processor

A list of third-party providers processing data on behalf of the primary data processor.

In accordance with our Privacy Policy and Terms and Conditions, we use sub-processors to provide our services. This page lists the main sub-processors who potentially have access to our customers' personal data or operate systems on which such data could be processed or stored as part of service provision. We carefully select our sub-processors and ensure that they comply with appropriate privacy and security standards.

Sub-processor:

Google Cloud EMEA Limited (acting as Google Cloud Platform)

Purpose of Processing / Service:

  • Hosting our backend infrastructure for ClinicOS

  • Provision and operation of databases

  • General data center operations and cloud infrastructure

Location of Data Processing:

  • Primary: Germany (data center regions Frankfurt (europe-west3) and Berlin (europe-west10))

  • Important: All core application data and patient data from ClinicOS remain exclusively in Germany.

Transfer mechanisms (if relevant for other Google services):

  • For the core services mentioned above, there is no transfer of core application data outside Germany. Google Cloud offers comprehensive assurances for GDPR compliance.

Further Information: https://cloud.google.com/terms/data-processing-addendum?hl=en

Legally Required Data Protection Officer

Purpose of Processing / Service:

  • Hosting and delivery of our web frontend (user interface of ClinicOS)

  • Provision of static content (e.g., images, scripts) via a global Content Delivery Network (CDN) to optimize loading times and performance.

Location of Data Processing:

  • Global (CDN): Vercel uses a global network of servers (primarily based on AWS infrastructure) to deliver web content quickly and efficiently.

  • In the context of CDN usage, personal data, particularly the IP addresses of users accessing the ClinicOS frontend, is processed worldwide to deliver content from the nearest server.

Transfer Mechanisms and Guarantees for Data Transfers Outside the EU/EEA:

  • Data transfers to countries outside the EU/EEA (particularly the USA) are safeguarded by the following appropriate guarantees in accordance with Art. 46 GDPR:

    • Vercel is certified under the EU-U.S. Data Privacy Framework (DPF).

    • EU Standard Contractual Clauses (SCCs) are applied.

Further Information: https://vercel.com/legal/dpa

Cloudflare, Inc.

Purpose of Processing / Service:

  • DNS Services: Resolving our domain names (e.g., app.clinicos.de) to the corresponding IP addresses of the servers.

  • Reverse Proxy Services (CDN & Security): Optimization of loading times, protection against DDoS attacks and other online threats through Cloudflare's global network. Requests to our servers are routed through Cloudflare.

Location of Data Processing:

  • Global (Edge Network): Cloudflare operates a worldwide network of data centers (Edge Locations).

  • As part of the DNS resolution and proxy services, personal data, especially the IP addresses of users accessing ClinicOS, is processed globally to route requests through the nearest and most secure server.

Transfer Mechanisms and Guarantees for Data Transfers Outside the EU/EEA:

  • Data transfers to countries outside the EU/EEA (particularly the USA) are secured by the following appropriate safeguards according to Art. 46 GDPR:

    • Cloudflare is certified under the EU-U.S. Data Privacy Framework (DPF).

    • EU Standard Contractual Clauses (SCCs) are applied.

    • Cloudflare also offers Binding Corporate Rules (BCRs) approved by European data protection authorities.

Further information: https://www.cloudflare.com/cloudflare-customer-dpa/

Analysis & Error Monitoring

Functional Software, Inc. (operating as Sentry)

  • Purpose of processing: Collection and analysis of anonymized error messages and performance data of our application. This helps us proactively identify technical issues and improve the stability of ClinicOS. No personal health data or other sensitive customer data is transmitted to Sentry.

  • Data processing location: Primarily EU (Germany). We have configured Sentry so that all data submitted to us is processed and stored in their EU data center.

  • Guarantees for data transfers outside the EU/EEA: Since Sentry is a US company, any necessary data transfers (e.g., for support purposes) are secured by the EU-U.S. Data Privacy Framework (DPF) and EU Standard Contractual Clauses (SCCs).

  • More information: Sentry DPA

Explanation of the data processing locations:

  • Core Application Data: All your primary application and customer data that you actively store and process in our web application (backend data) are hosted exclusively on the infrastructure of Google Cloud Platform in Germany.

  • Frontend Delivery & Technical Data: For fast and reliable delivery of the user interface of our web application (code, design, images), we use the global Content Delivery Network (CDN) of Vercel. When you access our website, technical data such as your IP address is processed by Vercel servers, which may be geographically close to your location. This serves to optimize loading times and security (e.g., DDoS protection). Since Vercel operates a global network, this technical data can also be processed outside the EU/EEA. Vercel ensures compliance with GDPR requirements through appropriate measures (EU-U.S. DPF certification and standard contractual clauses).

Changes to this list:

We review this list regularly and update it as needed. We will announce significant changes to our sub-processors or the processing locations of your core application data to our customers in advance (generally at least thirty (30) days) via appropriate channels (e.g., via email or a notice in the application).