Sub-processors
policies-public/subprocessors.mdSub-processors
Version: 1.0 | Effective date: 2026-06-17 | Last reviewed: 2026-06-30 | Last updated: 2026-06-30
This page lists the third parties that Vezoft — a company registered in Bulgaria (European Union) under company number (EIK) 202823109, with its registered office in Kardzhali, Bulgaria, trading as "Vezoft" / "TimerOS" ("we", "us") — engages to process personal data on behalf of its Customers ("sub-processors"). It is incorporated by reference into the Data Processing Agreement.
We will give Customers at least 30 days' prior notice by email to the account owner address on file before adding or replacing a sub-processor, and Customers may object in writing on reasonable grounds within that 30-day window. To receive notifications, ensure your account owner email is current, or email privacy@timeros.ai to be added to the sub-processor change notification list.
Current sub-processors
| Sub-processor | Service provided | Categories of personal data | Location of processing | Transfer mechanism |
|---|---|---|---|---|
| MongoDB, Inc. (MongoDB Atlas) — 1633 Broadway, 38th Floor, New York, NY 10019, USA. EEA contracting via MongoDB Ltd. (Ireland). | Managed database hosting for the platform, organisation, and portal databases | All Customer Personal Data at rest: account/auth credentials (hashed), employee and client records, time entries, payroll, projects, support tickets, notifications, and activity-classification metadata (label/confidence/source tag only) | EU — Atlas clusters pinned to AWS EU regions (eu-central-1 Frankfurt / eu-west-1 Ireland), dedicated tier (M10+), encryption at rest (AES-256) |
EU-US Data Privacy Framework (MongoDB holds active EU-US, Swiss-US and UK Extension certification) + EU 2021 Standard Contractual Clauses (Modules 2 and 3); UK IDTA and Swiss FADP supplements where applicable |
| Render Services, Inc. — 525 Brannan Street, Suite 300, San Francisco, CA 94107, USA. Compute runs on Amazon Web Services. | Application and API hosting/compute (the API, the marketing/admin website, and the client portal) | All personal data transiting and processed by the application — account and employee identifiers, names, emails, time-tracking records, and IP/usage metadata (transient on the instance; not persisted by Render) | EU — Frankfurt (AWS eu-central-1) |
EU-US Data Privacy Framework + EU Standard Contractual Clauses (per the Render DPA) |
| Cloudflare, Inc. — 101 Townsend Street, San Francisco, CA 94107, USA | Object storage for uploaded files (R2); DNS; content delivery (CDN) and reverse-proxy / web application firewall in front of the Service | Uploaded project files and their contents/metadata; and, for the CDN/proxy layer, end-user IP addresses, request metadata, and TLS/connection logs | EU — the R2 uploads bucket is created with the EU jurisdictional restriction (jurisdiction=eu, pinned to EU data centres); the CDN/proxy edge is global (traffic served from the nearest point of presence) |
EU Standard Contractual Clauses + EU-US Data Privacy Framework (per the Cloudflare Customer DPA) |
| Lettermint B.V. — Willemsvaart 16 B, Unit 1.08, 8019 AB Zwolle, The Netherlands (Dutch Chamber of Commerce (KvK) no. 99337711) | Transactional / system email delivery via API/SMTP (email verification, password reset, team invitations, invoice copies, sub-processor-change and legal-change notices) | Recipient email address and name; the subject line and body of system-generated emails (which may contain user names, workspace names, and invoice amounts); and engagement/technical metadata (opens, clicks, bounces, IP address, email-client/device data) | EU/EEA only — Lettermint runs its own EU infrastructure (Autonomous System AS213427): primary hosting UpCloud (Netherlands), backup OVHcloud (France); the sending domain (mail.timeros.ai) is served from this EU infrastructure and email data is encrypted at rest in EU data centres; no AWS/Google/Microsoft in the email path | None required — processed within the EU/EEA (EU-to-EU). No EU-US Data Privacy Framework and no Standard Contractual Clauses are required for the email payload |
| Stripe Payments Europe, Limited — 1 Grand Canal Street Lower, Dublin 2, D02 H210, Ireland (with Stripe, Inc., South San Francisco, CA, USA, for certain cross-border processing) | Subscription billing, payment processing, and invoicing | Billing contact name and email, billing address, card token / last-4 and payment metadata, transaction amounts, subscription/seat data, and tenant identifiers. Full card data is held by Stripe and is never seen by TimerOS. | EU — contracting and primary processing via Stripe Payments Europe, Ltd (Ireland); certain processing in the US | EU-US Data Privacy Framework + EEA Standard Contractual Clauses (per the Stripe Data Processing Agreement) |
| Zoho Corporation B.V. — operator of Zoho's EU service (zoho.eu), Amsterdam, the Netherlands | Hosted business email inboxes (support@, hello@, privacy@, security@) — receiving, storing, and managing inbound and outbound correspondence | Sender email address and name; message contents and attachments; and any personal data a data subject includes in a support, privacy, or security email | EU — Zoho EU data centres (Amsterdam, NL and Dublin, IE) | EEA Standard Contractual Clauses via Zoho Corporation B.V.; no processing outside the EEA for the EU service |
| Google LLC (Google Play + Firebase Cloud Messaging) — 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Distribution and automatic updates of the TimerOS Android companion app via Google Play; Firebase Cloud Messaging (FCM) push-notification delivery where the Customer enables in-app notifications | Device install/update telemetry (collected directly by Google under its own terms); the FCM device token (an opaque per-installation identifier); and the content of push notifications the Service sends to the device (subject and body) | United States (Mountain View, CA) with global edge delivery via Google's network | EU-US Data Privacy Framework (Google holds active certification) + EU Standard Contractual Clauses (Module 2) |
Notes on data location and international transfers
- Processing stays in the EU across the stack. All Customer Personal Data is processed in the EU: the databases (MongoDB Atlas, Frankfurt/Ireland), uploaded files (Cloudflare R2, EU jurisdiction), application compute (Render, Frankfurt), inbound support email (Zoho EU), and outbound system email (Lettermint, EU — Netherlands/France).
- US-incorporated vendors, EU processing. Several sub-processors (MongoDB, Render, Cloudflare) are US-incorporated companies that nonetheless process the relevant data in the EU. Because a US parent could in principle be compelled to access data (for example, under the US CLOUD Act), the EU-US Data Privacy Framework and Standard Contractual Clauses in each provider's DPA apply as a safeguard.
- One channel involves US processing: Google (Play Store distribution and Firebase Cloud Messaging push for the Android companion app), covered by the EU-US Data Privacy Framework and Standard Contractual Clauses. No time-tracking, payroll, or activity-classification data is routed through it beyond what a push notification itself contains.
Notes on MongoDB Atlas
- Atlas AI features disabled for tenant clusters. Atlas Vector Search and any generative-AI / embedding services that would route through US-based downstream providers are disabled on tenant clusters. TimerOS does not use these features for Customer Personal Data.
- Activity classification is on-device. The desktop app assigns an activity category entirely on the user's own machine using a two-layer engine: a deterministic, scored rule engine, with a small on-device statistical classifier as a fallback. There is no model download, no inference server, no GPU dependency, and no network call from the classifier. Raw window titles and application names are never sent off the device for classification — only the resulting label and confidence are transmitted to the TimerOS API as time-entry telemetry and stored in MongoDB Atlas. Full documentation of the classifier (architecture, training data, evaluation) is maintained in the TimerOS model card and made available to competent authorities on request.
- DPA archive. Vezoft archives a dated snapshot of the MongoDB DPA in its Article 30 records each time MongoDB publishes a material change.
Notes on Render
- Why a hosting provider is needed. Render runs the API, the website, and the client portal. The EU service is deployed in Frankfurt (AWS
eu-central-1) so that application compute and any data in transit through it remain in the EU. - No persistence at the hosting layer. Customer Personal Data is persisted in MongoDB Atlas (and uploaded files in Cloudflare R2), not on Render instances; data on a Render instance is transient request/response state and logs.
Notes on Cloudflare
- R2 object storage is EU-pinned. The bucket used for uploaded project files is created with Cloudflare's EU jurisdictional restriction, so uploaded files are stored in EU data centres.
- CDN / reverse-proxy / WAF. Cloudflare also fronts the Service for DNS, content delivery, and security (DDoS / web application firewall). In that role its edge processes end-user IP addresses, request metadata, and terminates TLS at the nearest global point of presence. The CDN edge is global by design; the stored R2 data is EU-pinned.
Notes on Lettermint
- Why a transactional email provider is needed. TimerOS sends system-generated emails (password resets, email verification, sub-processor-change notices, material legal-change notices, invoice copies, team invitations). Sending these from a self-operated SMTP server is impractical because of deliverability filtering by Gmail / Outlook / Yahoo. Lettermint handles deliverability, bounce processing, and delivery receipts — the latter is important for proving that, for example, a 30-day sub-processor change notice was actually delivered.
- EU/EEA-only processing. Lettermint B.V. is a Netherlands entity and runs its own EU infrastructure (Autonomous System AS213427): primary hosting on UpCloud (Netherlands) with backup on OVHcloud (France). The sending domain (mail.timeros.ai) is served from this EU infrastructure and email data is encrypted at rest in EU data centres; there is no AWS/Google/Microsoft in the email path. All processing takes place within the EU/EEA (EU-to-EU), so no EU-US Data Privacy Framework and no Standard Contractual Clauses are required for the email payload (Lettermint's own DPA references SCCs only as a contingency). Only the recipient details and the content of the system email itself are processed — no database records are shared with Lettermint. Email is transmitted over TLS-encrypted connections, and message content and delivery/engagement metadata are retained only as long as needed to deliver the message and provide deliverability reporting. Post-termination, Lettermint deletes data within 30 days; Lettermint's DPA is at https://lettermint.co/dpa and its sub-processor list at https://lettermint.co/subprocessors.
- Transactional only. Vezoft uses Lettermint strictly for transactional email — not for newsletters, drip campaigns, or marketing automation. Any future marketing email would be disclosed by a sub-processor-list update and a Privacy Policy update.
- Notice-period commitment. Vezoft commits to 30 days' prior notice to Customers before adding or changing any sub-processor in this list.
Notes on Zoho
- EU-resident business mailboxes. Vezoft's business inboxes (support@, hello@, privacy@, security@) run on Zoho's EU service (zoho.eu, Zoho Corporation B.V.), with data in Zoho's EU data centres (Amsterdam and Dublin). Inbound mail to privacy@ and security@ routinely contains personal data (data-subject requests, security reports), which is why Zoho is listed as a sub-processor.
- EU posture. For the EU service, Zoho does not process this email data outside the EEA.
Notes on Google LLC
- Scope — Android companion app only. Google LLC is engaged only for the TimerOS Android companion app, which is a review-and-management dashboard: like the web dashboard, it does not track time and does not run the activity classifier — those remain on the Windows desktop. The desktop application, the web application, the marketing/admin website, and the client portal do not route through Google.
- iOS planned. When TimerOS launches its iOS app, Apple, Inc. will be added here as a separate sub-processor for App Store distribution and APNs push, with 30 days' prior notice to Customers per the procedure above.
- What FCM sees. If your tenant has enabled in-app push notifications, FCM receives the notification payload (subject line and body) for delivery to your device. The payload contains only data the Customer chose to push to its workforce; we do not route activity-classification telemetry through FCM.
Affiliates
Vezoft currently operates without affiliated entities. If we form affiliates in the future and they process Customer Personal Data on our behalf, they will be added to this list as sub-processors with notice as above.
How to object to a new sub-processor
Email privacy@timeros.ai within 30 days of notification, stating your concern. We will work with you to find an acceptable alternative. If we cannot, and you cannot in good faith use the Service with the new sub-processor, you may terminate the relevant Order Form on written notice and we will refund any prepaid fees covering the period after termination.
Inquiries
privacy@timeros.ai / Vezoft, with registered office in Kardzhali, Bulgaria (see Imprint for the full registered address).