GitScrum Subprocessors

Effective date: January 5, 2026

1. Introduction

This Subprocessor List ("List") identifies all third-party service providers ("Subprocessors") engaged by GitScrum to process Personal Data on behalf of our customers in connection with the provision of GitScrum services (the "Services").

This List is maintained pursuant to GitScrum's Data Processing Agreement (DPA) and in compliance with GDPR Article 28(2) and 28(4).

Important: By using GitScrum's Services, customers provide general authorization for GitScrum to engage the Subprocessors listed below, subject to the notification and objection procedures described in Section 4 of this document and in our DPA.

2. What is a Subprocessor?

A Subprocessor is a third-party service provider engaged by GitScrum (as a Processor) to process Personal Data on behalf of our customers (Data Controllers) in connection with providing the GitScrum platform and services.

Examples of Subprocessors include:

Cloud hosting and infrastructure providers
Payment processors
Email delivery services
Customer support platforms
Analytics and monitoring tools
Security and fraud prevention services

Not Subprocessors:

The following are not considered Subprocessors under GDPR:

Services that do not process customer Personal Data (e.g., internal tools used only by GitScrum employees)
Services where GitScrum acts as a Data Controller (e.g., our own analytics for business operations)
Independent Data Controllers who process data for their own purposes pursuant to their own terms

3. Current Authorized Subprocessors

The following Subprocessors are currently authorized to process Personal Data on behalf of GitScrum customers:

3.1 Infrastructure and Hosting Services

Subprocessor Name	Entity Location	Data Processing Location	Service Description	Data Processed	Privacy Policy
Amazon Web Services (AWS)	United States	EU (Frankfurt, Germany; Dublin, Ireland)	Cloud infrastructure, compute resources, data storage, database hosting	All customer data stored in the GitScrum platform	AWS Privacy Policy

Purpose: Provides the foundational cloud infrastructure for the GitScrum platform, including servers, storage, databases, and networking resources.

Safeguards for International Transfers: Standard Contractual Clauses (SCCs) and AWS GDPR Data Processing Addendum.

3.2 Payment Processing

Subprocessor Name	Entity Location	Data Processing Location	Service Description	Data Processed	Privacy Policy
Stripe, Inc.	United States	Global (EU-U.S. Data Privacy Framework certified)	Payment processing, subscription billing, invoice generation	Billing contact information, payment card details, transaction records	Stripe Privacy Policy

Purpose: Processes all subscription payments, manages billing, and generates invoices for GitScrum customers.

Important Note: GitScrum does not directly store or access full payment card details. Payment card information is collected and processed solely by Stripe in accordance with PCI-DSS standards.

Safeguards for International Transfers: EU-U.S. Data Privacy Framework certification, Standard Contractual Clauses (SCCs), and Stripe DPA.

3.3 Email Delivery Services

Subprocessor Name	Entity Location	Data Processing Location	Service Description	Data Processed	Privacy Policy
Amazon SES (AWS Simple Email Service)	United States	Global	Transactional email delivery (notifications, password resets, system alerts)	User email addresses, email content (notifications, alerts), email interaction data	AWS Privacy Policy

Purpose: Delivers transactional emails from GitScrum to users, including account notifications, password reset emails, system alerts, and platform updates.

Note: Marketing emails (if any) are managed separately and may use different services.

Safeguards for International Transfers: Standard Contractual Clauses (SCCs) and AWS GDPR Data Processing Addendum.

3.4 Analytics and Performance Monitoring

Google Analytics

Subprocessor Name	Entity Location	Data Processing Location	Service Description	Data Processed	Privacy Policy
Google Analytics	United States	Global	Web analytics, usage tracking, user behavior analysis	IP addresses (anonymized), browser type, device type, page views, user interactions, approximate location (country/city level)	Google Privacy Policy

Purpose: Analyzes platform usage, user behavior, and performance metrics to improve GitScrum's Services and user experience.

Configuration: GitScrum enables IP anonymization in Google Analytics to enhance privacy protection.

Safeguards for International Transfers: EU-U.S. Data Privacy Framework certification (Google LLC), Google Ads Data Processing Terms, IP anonymization.

3.5 Marketing and Advertising

Subprocessor Name	Entity Location	Data Processing Location	Service Description	Data Processed	Privacy Policy
Meta Platforms, Inc. (Facebook Pixel)	United States	United States	Advertising tracking, audience building, conversion measurement	IP addresses, browser information, device identifiers, website interactions, advertising performance data	Meta Privacy Policy

Purpose: Enables targeted advertising, measures campaign effectiveness, and builds audiences for marketing purposes.

Note: Facebook Pixel is only active for users who have consented to marketing cookies in accordance with our Cookie Policy.

Safeguards for International Transfers: EU-U.S. Data Privacy Framework certification, Standard Contractual Clauses (SCCs).

4. Notification of Changes to Subprocessors

4.1 Advance Notice Requirement

GitScrum will provide customers with at least 30 days' prior written notice before:

Adding a new Subprocessor, or
Replacing an existing Subprocessor with a different provider

4.2 Notification Methods

Notice of Subprocessor changes will be provided through the following methods:

Email Notification: Sent to the email address associated with the customer's GitScrum account
Update to this List: This Subprocessor List will be updated with the new Subprocessor information and the date of the update
Email Subscription (Optional): Customers may subscribe to receive automated email notifications of Subprocessor changes by emailing subprocessors[at]gitscrum.com with "Subscribe to Subprocessor Updates" in the subject line

Note: The updated Subprocessor List will always reflect the "Last Updated" date at the top of this document.

4.3 Customer Objection Rights

If a customer has legitimate grounds related to data protection for objecting to GitScrum's appointment of a new Subprocessor, the customer must:

Notify GitScrum in writing within 30 days of receiving notice of the new Subprocessor
Submit objection to: legal[at]gitscrum.com or dpo[at]gitscrum.com
Clearly state the grounds for objection, including specific data protection concerns

Resolution Process:

GitScrum will use reasonable efforts to address the customer's concerns or provide an alternative solution (e.g., not using the Subprocessor for the customer's data, migrating to a different Subprocessor, or implementing additional safeguards)
If GitScrum cannot provide a reasonable alternative within 60 days and the customer maintains a legitimate objection, the customer may terminate the affected portion of the Services (or the entire Services if the Subprocessor is essential) without penalty or fees for the remainder of the prepaid term

Deemed Acceptance: If the customer does not object within 30 days of notice, the customer is deemed to have accepted the new Subprocessor.

5. Subprocessor Management and Compliance

5.1 GitScrum's Obligations

GitScrum ensures that all Subprocessors:

Enter into written contracts with data protection terms substantially equivalent to GitScrum's DPA, including:
- Confidentiality obligations
- Appropriate technical and organizational security measures
- Assistance with data subject rights requests
- Data breach notification procedures (within 72 hours)
- Data deletion or return upon contract termination
- Audit rights
Comply with GDPR and applicable data protection laws
Process Personal Data only in accordance with the customer's documented instructions (as provided through GitScrum)
Implement appropriate security measures to protect Personal Data

5.2 GitScrum's Liability

GitScrum remains fully liable to customers for the performance of any Subprocessor's obligations under the DPA, as if GitScrum were performing the services directly.

If a Subprocessor fails to fulfill its data protection obligations, GitScrum remains directly liable to the customer for the Subprocessor's failure to perform its obligations.

5.3 Due Diligence and Monitoring

GitScrum conducts due diligence on all Subprocessors before engagement, including:

Review of security certifications (e.g., ISO 27001, SOC 2 Type II)
Assessment of data protection policies and practices
Evaluation of technical and organizational security measures
Verification of compliance with GDPR and applicable data protection laws

GitScrum performs ongoing monitoring of Subprocessor performance and compliance through:

Periodic reviews of Subprocessor security posture
Review of Subprocessor security incident reports
Monitoring of Subprocessor certifications and audit reports

6. International Data Transfers

6.1 Data Transfer Mechanisms

When Subprocessors process Personal Data outside the European Economic Area (EEA), GitScrum ensures that appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs): European Commission-approved Standard Contractual Clauses (2021) with Subprocessors located in Third Countries
Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate data protection (e.g., UK, Switzerland, select others)
EU-U.S. Data Privacy Framework (DPF): For transfers to U.S. entities certified under the DPF (e.g., Stripe, Google)
Supplementary Measures: Additional technical and organizational measures (e.g., encryption, pseudonymization) where required by Transfer Impact Assessments (TIAs)

6.2 Verification

Customers may verify the data transfer mechanisms and certifications for each Subprocessor by:

Reviewing the Subprocessor's privacy policy (linked in Section 3)
Contacting GitScrum at legal[at]gitscrum.com or dpo[at]gitscrum.com to request additional information
Verifying EU-U.S. DPF certification at: https://www.dataprivacyframework.gov/list

7. Audit Rights

Customers have the right to audit GitScrum's compliance with Subprocessor requirements as described in Section 11 of the GitScrum Data Processing Agreement.

Upon written request, GitScrum will provide:

Copies of Subprocessor data processing agreements (with commercially sensitive information redacted)
Evidence of Subprocessor security certifications (e.g., ISO 27001, SOC 2 Type II reports)
Summary of due diligence conducted on Subprocessors

Requests should be submitted to: legal[at]gitscrum.com or dpo[at]gitscrum.com

8. Subprocessor Categories Summary

For easy reference, the following table summarizes Subprocessor categories and the types of Personal Data processed:

Category	General Purpose	Types of Personal Data Processed
Infrastructure & Hosting	Cloud infrastructure, data storage, compute resources	All customer data stored in GitScrum platform (projects, tasks, files, user data)
Payment Processing	Subscription billing, payment processing	Billing contact information, payment card details, transaction records
Email Delivery	Transactional emails, notifications	User email addresses, email content (notifications, alerts)
Analytics & Monitoring	Platform analytics, error tracking, performance monitoring	IP addresses, browser/device information, usage data, error logs
Marketing & Advertising	Advertising tracking, audience building	IP addresses, browser information, device identifiers, advertising performance data

9. Updates and Version History

GitScrum maintains a record of all updates to this Subprocessor List:

Version	Date	Changes Made
1.0	January 5, 2026	Initial publication of Subprocessor List

To view previous versions of this Subprocessor List, please contact: legal[at]gitscrum.com

10. Contact Information and Subscription

10.1 General Inquiries

For questions, concerns, or requests regarding Subprocessors or data processing, please contact:

Data Protection Officer (DPO):

Email: dpo[at]gitscrum.com

Response Time: 5 business days

Legal Department:

Email: legal[at]gitscrum.com

Subprocessor-Specific Inquiries:

Email: subprocessors[at]gitscrum.com

10.2 Subscribe to Subprocessor Updates

To receive automated email notifications whenever this Subprocessor List is updated (new Subprocessors added or existing Subprocessors changed), send an email to:

Email: subprocessors[at]gitscrum.com

Subject Line: "Subscribe to Subprocessor Updates"

Body: Include your name, company name, and GitScrum account email address

You will receive a confirmation email and will be notified of all future Subprocessor changes at least 30 days in advance.

11. Additional Resources

GitScrum Data Processing Agreement (DPA): /legal/data-processing-agreement
GitScrum Privacy Policy: /legal/privacy-policy
GitScrum Security Policy: /legal/security
GitScrum Terms and Conditions: /legal/terms-and-conditions

12. Legal Disclaimer

This Subprocessor List is provided for informational purposes and constitutes part of GitScrum's Data Processing Agreement (DPA). By using GitScrum's Services, customers agree to the terms of the DPA, including the engagement of Subprocessors listed herein, subject to the notification and objection procedures described in this document.

GitScrum reserves the right to update this Subprocessor List from time to time in accordance with the notification procedures set forth in Section 4.

Effective Date: This Subprocessor List is effective as of January 5, 2026, and applies to all customers using GitScrum Services.