Legal
Sub-processors
Last updated: 26 May 2026
This page lists all sub-processors used by Scopia to provide the Scopia.app service. It is the authoritative public source referenced by our Privacy Policy and Data Processing Agreement (DPA).
Current sub-processors
The following sub-processors are currently engaged to process personal data on behalf of our customers:
| Sub-processor | Legal entity | Role | Personal data processed | Location | DPA |
|---|---|---|---|---|---|
| Google Cloud | Google Cloud EMEA Limited | Cloud hosting: application runtime, database, secrets and logging | User identification (name, email, medical speciality, user ID), authentication credentials, IP addresses, application logs, quality measurement metadata | EU (Germany) | Google Cloud DPA |
| Google Workspace | Google Ireland Limited | Document and contract storage | Contract counter-party data (company names, contact persons, signatures) | EU | Google Workspace DPA |
| Brevo | Sendinblue SAS | Transactional and system email delivery | Recipient name, email address | EU (France) | Brevo DPA |
Notes on processing
- All data residency in EU/EEA. Scopia does not transfer personal data to third countries on a regular basis. Sub-processors operate within the EU and are subject to the GDPR.
- Encryption. Personal data is encrypted both at rest and in transit using industry-standard mechanisms.
- Further detail on technical and organisational measures is available in our information security overview, provided to customers and prospects on request.
How customers are notified of changes
Per Article 7.3 of our DPA, we notify each customer's named contact person by email in advance of any change, and provide a reasonable period during which the customer may object on justified grounds.