info@qbri.digital
Tornimäe 5, 10145 Tallinn, Estonia
Sign in
Sign up

Book Appointment

Get Quote

WHATSAPP

0

No products in the cart.

banner

Sub-Processors

Last Updated: May 2026 | Effective Date: May 2026
Service Provider: QBRI OÜ (trading as QBRI Digital) · Registration Number: 16230937 | Address: Tornimäe 5, 10145 Tallinn, Estonia.

Overview

QBRI Digital (QBRI OÜ) uses authorized sub-processors and third-party service providers to deliver our IT consulting, web development, mobile development, digital strategy, and digital marketing services. This page provides transparency about these sub-processors in accordance with GDPR Article 28 and Clause 7.5 of our Terms of Service.

All sub-processors who have access to personal data are bound by written data processing agreements requiring them to process personal data only as instructed and to maintain appropriate security measures consistent with GDPR requirements.

 

Current List of Authorized Sub-Processors

Sub-Processor NameService CategoryPurposeData TypeLocationGDPR Status
Amazon Web Services (AWS)Cloud InfrastructureHosting, storage, and backup of client data and applicationsPersonal data, client dataEU, USStandard Contractual Clauses (SCCs)
Google LLC (Google Cloud)Cloud HostingWebsite hosting, cloud infrastructure, backup servicesPersonal data, technical dataWorldwideStandard Contractual Clauses (SCCs)
Mailchimp (Intuit Inc.)Email & MarketingEmail delivery, newsletter management, marketing automationEmail addresses, contact information, engagement dataUS, EUStandard Contractual Clauses (SCCs)
StripePayment ProcessingSecure payment processing and billingPayment information (tokenized), billing addressUS, EUPayment Card Industry (PCI) compliant
PayPalPayment ProcessingAlternative payment processing and transaction managementPayment information (tokenized), billing addressWorldwidePayment Card Industry (PCI) compliant
HubSpotCustomer Relationship Management (CRM)Client relationship management, sales pipeline, contact managementContact information, company data, interaction historyUS, EUStandard Contractual Clauses (SCCs)
PipedriveCustomer Relationship Management (CRM)Alternative CRM for client tracking and project managementContact information, company data, deal informationEUGDPR Compliant
Google AnalyticsAnalytics & TrackingWebsite analytics, user behavior measurement, performance trackingIP address, usage data, device information, identifiersWorldwideStandard Contractual Clauses (SCCs)
Hotjar LtdAnalytics & User FeedbackHeatmaps, session recording, user feedback collectionIP address, session data, user interactions, feedbackEUGDPR Compliant
Facebook Pixel (Meta Platforms, Inc.)Advertising & TrackingWebsite conversion tracking, audience building, retargetingIP address, device data, conversion dataUS, WorldwideStandard Contractual Clauses (SCCs)
LinkedIn Insight Tag (LinkedIn Corporation)Advertising & AnalyticsWebsite visitor tracking, LinkedIn advertising, audience insightsIP address, device data, visitor identificationUS, WorldwideStandard Contractual Clauses (SCCs)
Google Ads (Google LLC)AdvertisingSearch advertising, conversion tracking, campaign managementConversion data, audience data, campaign performanceWorldwideStandard Contractual Clauses (SCCs)
AsanaProject ManagementInternal project coordination, task management, timeline trackingTeam member information, project data, task detailsUS, EUStandard Contractual Clauses (SCCs)
Monday.comProject ManagementAlternative project management platform for internal coordinationTeam member information, project data, work itemsEU, USStandard Contractual Clauses (SCCs)
SlackInternal CommunicationsTeam communication, file sharing, internal messagingEmployee data, communication records, filesUS, EUStandard Contractual Clauses (SCCs)
Microsoft TeamsInternal CommunicationsAlternative internal communications platform for team collaborationEmployee data, communication records, meeting dataWorldwideStandard Contractual Clauses (SCCs)
LinkedIn RecruiterRecruitmentJob posting management, candidate sourcing, recruitment coordinationRecruiter data, candidate information (with consent)WorldwideStandard Contractual Clauses (SCCs)
ConvertKitEmail & MarketingAlternative email marketing and newsletter platformEmail addresses, subscriber information, engagement dataUSStandard Contractual Clauses (SCCs)
External Accountants & Tax AdvisorsFinancial ComplianceAccounting services, tax preparation, financial auditsFinancial records, company data, tax informationEstonia, EUProfessional Confidentiality

Sub-Processor Categories and Purposes

1. Cloud Infrastructure and Hosting

Service Providers: Amazon Web Services, Google Cloud

These sub-processors host our website, applications, and client data in secure cloud environments with redundancy and backup capabilities. They process personal data for:

  • Website hosting and availability
  • Data storage and backup
  • Infrastructure security and monitoring
  • Disaster recovery

Data Protection: Both providers implement encryption in transit (TLS/SSL) and at rest, firewalls, and access controls. Data is primarily stored in EU regions where applicable.

2. Email and Communication Platforms

Service Providers: Mailchimp, ConvertKit

These platforms enable us to deliver newsletters, marketing communications, and transactional emails. They process:

  • Email addresses
  • Contact information
  • Communication preferences
  • Engagement and open rate data

Data Protection: All email communications are encrypted in transit. You can unsubscribe from marketing communications at any time using the unsubscribe link in our emails.

3. Customer Relationship Management (CRM)

Service Providers: HubSpot, Pipedrive

Our CRM systems help us manage client relationships, track interactions, and organize business operations. They process:

  • Contact and company information
  • Interaction history and communication records
  • Sales and project pipeline data
  • Service request details

Data Protection: CRM data is encrypted and access is restricted to authorized personnel. Data is retained according to our retention policy (Section 7 of Privacy Policy).

4. Analytics and User Feedback

Service Providers: Google Analytics, Hotjar

These tools help us understand website performance and user behavior to improve our services. They collect and process:

  • Website usage data (pages visited, time spent, links clicked)
  • Device information (type, operating system, browser)
  • IP address and approximate location
  • User session recordings and heatmaps (Hotjar only)
  • User feedback and surveys

Consent: These tools require your consent. Our cookie management system allows you to opt-out of non-essential analytics cookies.

User Opt-Out: You can opt-out using:

  • Google Analytics Opt-Out Browser Add-on (available from Google)
  • Hotjar Opt-Out Tools (available on Hotjar.com)
  • Browser cookie settings or our cookie preferences tool

5. Advertising and Conversion Tracking

Service Providers: Facebook Pixel, LinkedIn Insight Tag, Google Ads

These tools enable targeted advertising and track campaign performance. They process:

  • Website visitor identification
  • Conversion and user action data
  • Audience insights and demographics
  • Advertising performance metrics

Consent: Advertising cookies require your consent. Opt-out through:

  • Cookie preferences tool (available on our website)
  • Ad platform opt-out pages (Facebook, LinkedIn, Google)
  • Browser privacy settings

6. Project and Task Management

Service Providers: Asana, Monday.com

Internal tools used by our team to coordinate projects, manage timelines, and track deliverables. They process:

  • Team member and staff information
  • Project details and timelines
  • Task assignments and progress
  • Internal communications related to projects

Access Control: Access is limited to QBRI employees and contractors involved in project delivery. These systems are not accessible to clients unless specifically granted access as part of a service engagement.

7. Internal Communications

Service Providers: Slack, Microsoft Teams

Platforms used for internal team communication, file sharing, and collaboration. They process:

  • Employee and team member information
  • Internal messages and communications
  • Files and documents shared internally
  • Meeting records and video calls

Data Security: Communication channels are encrypted. Access is restricted to QBRI employees and authorized contractors.

8. Recruitment

Service Providers: LinkedIn Recruiter

Used for job posting, candidate sourcing, and recruitment coordination. They process:

  • Recruiter contact information
  • Job seeker and candidate information (only with explicit consent)
  • Application materials and CVs (with candidate consent)
  • Recruitment campaign data

Candidate Rights: Job applicants provide information voluntarily. Applicant data is retained for 1 year from application date per our Privacy Policy, Section 7.

9. Payment Processing

Service Providers: Stripe, PayPal

Third-party processors handle all payment transactions securely. They process:

  • Tokenized payment method information (QBRI does not store full credit card details)
  • Billing address
  • Transaction records and receipts
  • Fraud detection data

PCI Compliance: Both payment processors are PCI-DSS Level 1 certified. QBRI does not store or process raw credit card data.

10. Financial and Tax Services

Service Providers: External Accountants and Tax Advisors

Third-party professionals assist with financial compliance, tax preparation, and audits. They process:

  • Financial records and statements
  • Tax documentation
  • Company and business information
  • Client billing and revenue data (in anonymized form)

Professional Confidentiality: All external accountants and tax advisors sign confidentiality agreements and are bound by professional confidentiality obligations.

Sub-Processor Data Processing Agreements

GDPR Article 28 Compliance

All sub-processors who process personal data on QBRI’s behalf are bound by written Data Processing Agreements (DPAs) that comply with GDPR Article 28. These agreements include:

  • Clear definition of the nature, scope, and purpose of processing
  • Categories of personal data being processed
  • Categories of data subjects
  • Appropriate security measures (encryption, access controls, monitoring)
  • Obligation to process data only as instructed by QBRI
  • Sub-processor notification and authorization requirements
  • Data subject rights and mechanisms for exercising them
  • Data deletion or return obligations upon contract termination
  • Audit and compliance verification rights
  • Incident response and breach notification procedures

Sub-Processor Authorization and Objection Rights

Notification of Changes

Under Clause 7.5 of our Terms of Service and GDPR Article 28(2), QBRI shall notify you of material changes to sub-processors and permit you to object on reasonable grounds related to data protection risks.

When We Add or Change Sub-Processors

Material changes include:

  • Adding a new sub-processor with access to your personal data
  • Transferring processing to a sub-processor in a different jurisdiction
  • Materially changing the services provided by an existing sub-processor
  • Changing the location where personal data is processed

Notice Period: We provide at least 30 days’ written notice before engaging a new sub-processor or making material changes to an existing sub-processor’s role.

Objection Rights

You have the right to object to the use of a new or changed sub-processor on reasonable grounds related to data protection risks, including:

  • Security concerns (e.g., inadequate technical or organizational measures)
  • Location risks (e.g., transfer to a country with weaker data protection)
  • Compliance issues (e.g., conflict with applicable data protection laws)
  • Conflict of interest (e.g., competitor or conflicting business interests)

How to Object

To object to a sub-processor change, please contact us within 30 days of receiving notice:

Email: info@qbri.digital

Postal Address: QBRI OÜ, Tornimäe 5, 10145 Tallinn, Estonia

Phone: +372 5568 5570

In your objection, please:

  • Specify the sub-processor you are objecting to
  • Explain your data protection concerns
  • Describe any reasonable grounds for your objection

Our Response to Objections

Upon receiving a valid objection, we will:

  1. Acknowledge receipt within 5 business days
  2. Investigate your concerns and assess their validity
  3. Propose alternative measures if reasonable
  4. Inform you of our decision within 15 days, including:
    • Whether we accept or reject your objection
    • Any alternative solutions we propose
    • Your options if we proceed with the sub-processor change

Right to Terminate for Sub-Processor Disagreement

If you have a valid, documented objection to a material sub-processor change and QBRI cannot accommodate your concerns, you may:

  • Terminate affected services by providing 30 days’ written notice
  • Request data portability under GDPR Article 20 (where applicable)
  • Request data deletion under GDPR Article 17 (where applicable)

This right does not apply to sub-processor changes made for compliance with legal or regulatory requirements.

Transfers Outside the EU/EEA

Standard Contractual Clauses (SCCs)

For sub-processors located outside the European Economic Area (EEA), QBRI uses Standard Contractual Clauses (SCCs) as the legal mechanism to ensure adequate data protection in accordance with GDPR Article 46 and the Schrems II ruling.

SCCs with US-Based Sub-Processors

Where applicable, we rely on:

  • Standard Contractual Clauses as the primary safeguard
  • Supplementary measures specific to each sub-processor (encryption, access restrictions, etc.)
  • Sub-processor certifications (Privacy Shield alternatives, SOC 2, ISO 27001)

 

Addendum and Supplementary Measures

Consistent with GDPR guidance following the Schrems II ruling (Case C-311/18), we provide sub-processors with:

  • SCCs Addendum including supplementary technical and organizational measures
  • Data localization options where available
  • Encryption requirements for data transfers

Sub-Processor Security Standards

All sub-processors must maintain:

Technical Measures

  • Encryption in transit (TLS 1.2 or higher)
  • Encryption at rest for sensitive data
  • Multi-factor authentication for system access
  • Regular security updates and patches
  • Intrusion detection and prevention systems
  • Regular vulnerability assessments and penetration testing

Organizational Measures

  • Data protection training for personnel
  • Access controls (principle of least privilege)
  • Confidentiality agreements with employees
  • Data processing agreements with QBRI
  • Incident response plans
  • Business continuity and disaster recovery procedures

Compliance and Audit Rights

  • QBRI audit rights to verify compliance
  • Independent security certifications (SOC 2, ISO 27001)
  • Regular compliance reporting
  • Right to conduct security assessments

Removal of Sub-Processors

QBRI may terminate a sub-processor engagement if:

  • The sub-processor materially breaches its data processing agreement
  • The sub-processor fails to maintain required security standards
  • The sub-processor experiences a significant security incident
  • Legal or regulatory requirements necessitate removal
  • QBRI discontinues the services provided by that sub-processor

When removing a sub-processor, we will:

  • Ensure secure deletion or return of all personal data
  • Notify affected clients (if applicable)
  • Transition services to an alternative provider with minimal disruption
  • Maintain compliance throughout the transition

Your Rights Regarding Sub-Processors

Under GDPR and Estonian law, you have the right to:

  • Request information about sub-processors and their data processing activities
  • Object to new or changed sub-processors on reasonable data protection grounds
  • Access personal data processed by sub-processors (GDPR Article 15)
  • Rectify inaccurate data held by sub-processors (GDPR Article 16)
  • Request erasure of personal data (GDPR Article 17, “right to be forgotten”)
  • Restrict processing of personal data (GDPR Article 18)
  • Data portability to transfer personal data to another service provider (GDPR Article 20)
  • Lodge a complaint with the Estonian Data Protection Authority if you believe we have violated your rights

To exercise any of these rights, please contact us at info@qbri.digital or through our contact information provided above.

Dispute Resolution for Sub-Processor Issues

If you have concerns about our sub-processors or their data processing practices, we encourage you to:

  1. Contact QBRI directly with your concerns at info@qbri.digital
  2. Allow us to investigate and respond within 30 days
  3. Request mediation if you remain unsatisfied with our response
  4. Lodge a complaint with the Estonian Data Protection Authority if you believe your rights have been violated

Estonian Data Protection Authority

Address: Väike-Ameerika 19, 10001 Tallinn, Estonia

Website: www.aki.ee

Email: info@aki.ee

Transparency and Ongoing Compliance

QBRI is committed to maintaining transparency regarding our use of sub-processors. We regularly review this sub-processor list and update it as our service offerings evolve. All updates are reflected on this page with the “Last Updated” date clearly displayed.

We recognize that data protection is a shared responsibility. By using sub-processors, we do not transfer our obligations to protect your personal data—we remain accountable to you and regulatory authorities for all processing activities, whether conducted by QBRI directly or through authorized sub-processors.

Data Subject Rights Under GDPR

You have the following rights regarding your personal data processed by QBRI and our sub-processors:

  • Right to Access (GDPR Article 15)
    • Request information about what personal data is being processed
    • Identify which sub-processors have access to your data
    • Obtain confirmation of the processing activities
  • Right to Rectification (GDPR Article 16)
    • Request correction of inaccurate personal data held by sub-processors
    • Request completion of incomplete information
  • Right to Erasure (GDPR Article 17)
    • Request deletion of your personal data from sub-processors
    • Request erasure under specific circumstances (e.g., data no longer needed)
  • Right to Data Portability (GDPR Article 20)
    • Receive personal data in a structured, commonly used, machine-readable format
    • Transmit your data to another service provider without hindrance
  • Right to Object (GDPR Article 21)
    • Object to processing for direct marketing purposes
    • Object to processing for profiling or automated decision-making
    • Object to sub-processor changes on reasonable data protection grounds
  • Right to Restrict Processing (GDPR Article 18)
    • Request limitation of processing in specific circumstances
    • Restrict processing by certain sub-processors during disputes
  • Right to Lodge a Complaint
    • File a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
    • File a complaint with your local data protection authority if you are in another EU/EEA country

Exercising Your Rights

To exercise any of the rights listed above, please contact QBRI using the following information:

QBRI OÜ

Email: info@qbri.digital

Postal Address: Tornimäe 5, 10145 Tallinn, Estonia

Phone: +372 5568 5570

Response Timeline: We will respond to all requests within 30 days (extendable by 2 months for complex requests) in accordance with GDPR Article 12.

A Data Subject Rights Request Form is available for download to assist you in submitting your request.

Sub-Processor Changes History

QBRI maintains a record of all changes to our sub-processor list. The table below documents all updates to ensure transparency and compliance:

DateChange TypeSub-ProcessorServiceAction Taken
May 2026Initial ListAll listed sub-processorsCurrent servicesWebpage published; notice provided where required

This table will be updated as new sub-processors are added or removed.

Contact and Inquiries

For questions regarding our sub-processors, data processing practices, or to submit an objection to a new sub-processor, please contact us:

QBRI Digital / QBRI OÜ

Email: info@qbri.digital

Address: Tornimäe 5, 10145 Tallinn, Estonia

Company Registration Number: 16230937

Response Time: We will respond to inquiries within 30 days

  • Version: 1.0 (May 2026)
  • Language: English (Official Version)
  • Jurisdiction: These Sub-Processor disclosures are governed by Estonian law and EU GDPR.
  • This Sub-Processor page was last updated on May 22, 2026, and is effective immediately.