List of Sub-processors
Last updated: March 2026
Pursuant to GDPR Article 28 and applicable data protection legislation
1. Overview
GIORIZZ S.r.l. (“we”, “us”, “our”) engages the following sub-processors to assist in the delivery of our luxury chauffeur booking platform and related services. Each sub-processor has been assessed for compliance with applicable data protection requirements and is bound by a Data Processing Agreement (DPA) in accordance with GDPR Article 28.
This page is maintained as a living document. We will notify registered users and agency partners of any changes to this list at least 30 days before the new sub-processor begins processing personal data, as required by our Privacy Policy and Agency Terms.
2. Current Sub-processors
| Sub-processor | Purpose | Data Categories | Location | Transfer Mechanism |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing, invoicing, and fraud prevention | Payment card data (tokenised), billing address, transaction amounts, invoice records | United States (with EU data residency option) | EU SCCs (Commission Decision 2021/914) |
| Supabase, Inc. (hosted on AWS) | Database hosting, authentication, and row-level security | Account data, booking records, driver profiles, agency data, communication logs | EU (AWS eu-central-1, Frankfurt) | EU data residency (no transfer outside EEA) |
| Resend, Inc. | Transactional email delivery (booking confirmations, invoices, account notifications) | Email address, name, email content (booking details) | United States | EU SCCs (Commission Decision 2021/914) |
| Twilio, Inc. | SMS notifications (booking updates, OTP verification) | Phone number, message content (booking status, OTP codes) | United States (with EU processing available) | EU SCCs (Commission Decision 2021/914) |
| Vercel, Inc. | Web application hosting, serverless function execution, edge CDN | IP address, request metadata, server-side rendered page data | Global edge network (primary: US East) | EU SCCs (Commission Decision 2021/914) |
| Cloudflare, Inc. | Security (Turnstile CAPTCHA), DDoS protection, CDN | IP address, browser fingerprint (anonymised), CAPTCHA interaction data | Global edge network | EU SCCs (Commission Decision 2021/914) |
3. Data Processing Details
Stripe, Inc.
| Item | Details |
|---|---|
| Purpose | Payment processing, invoicing, and fraud prevention |
| Data Categories | Payment card data (tokenised), billing address, transaction amounts, invoice records |
| Data Subjects | Customers (B2C), agency partners (B2B) |
| Processing Location | United States (with EU data residency option) |
| Transfer Mechanism | EU SCCs (Commission Decision 2021/914) |
| DPA Status | Executed |
| Certifications | PCI DSS Level 1, SOC 1/2, ISO 27001 |
Supabase, Inc. (hosted on AWS)
| Item | Details |
|---|---|
| Purpose | Database hosting, authentication, and row-level security |
| Data Categories | Account data, booking records, driver profiles, agency data, communication logs |
| Data Subjects | Customers, chauffeur partners, agency partners, concierge accounts |
| Processing Location | EU (AWS eu-central-1, Frankfurt) |
| Transfer Mechanism | EU data residency (no transfer outside EEA) |
| DPA Status | Executed |
| Certifications | SOC 2 Type II, ISO 27001 (AWS infrastructure) |
Resend, Inc.
| Item | Details |
|---|---|
| Purpose | Transactional email delivery (booking confirmations, invoices, account notifications) |
| Data Categories | Email address, name, email content (booking details) |
| Data Subjects | Customers, chauffeur partners, agency partners |
| Processing Location | United States |
| Transfer Mechanism | EU SCCs (Commission Decision 2021/914) |
| DPA Status | Executed |
| Certifications | SOC 2 Type II |
Twilio, Inc.
| Item | Details |
|---|---|
| Purpose | SMS notifications (booking updates, OTP verification) |
| Data Categories | Phone number, message content (booking status, OTP codes) |
| Data Subjects | Customers, chauffeur partners |
| Processing Location | United States (with EU processing available) |
| Transfer Mechanism | EU SCCs (Commission Decision 2021/914) |
| DPA Status | Executed |
| Certifications | SOC 2 Type II, ISO 27001, PCI DSS |
Vercel, Inc.
| Item | Details |
|---|---|
| Purpose | Web application hosting, serverless function execution, edge CDN |
| Data Categories | IP address, request metadata, server-side rendered page data |
| Data Subjects | All website visitors |
| Processing Location | Global edge network (primary: US East) |
| Transfer Mechanism | EU SCCs (Commission Decision 2021/914) |
| DPA Status | Executed |
| Certifications | SOC 2 Type II, ISO 27001 |
Cloudflare, Inc.
| Item | Details |
|---|---|
| Purpose | Security (Turnstile CAPTCHA), DDoS protection, CDN |
| Data Categories | IP address, browser fingerprint (anonymised), CAPTCHA interaction data |
| Data Subjects | All website visitors (signup flow) |
| Processing Location | Global edge network |
| Transfer Mechanism | EU SCCs (Commission Decision 2021/914) |
| DPA Status | Executed |
| Certifications | SOC 2 Type II, ISO 27001, PCI DSS |
4. International Transfer Mechanisms
Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place in compliance with GDPR Chapter V (Articles 44–49):
- EU Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914, used for transfers to the United States and other countries without an EU adequacy decision
- UK International Data Transfer Agreement (IDTA) — or UK Addendum to EU SCCs, as approved by the ICO, for transfers involving UK personal data
- Swiss Addendum — EU SCCs with Swiss-specific modifications recommended by the FDPIC, for transfers involving Swiss personal data
- ANPD Standard Contractual Clauses — in force since August 2025, for transfers involving personal data of Brazilian data subjects under the LGPD
- Adequacy Decisions — where the European Commission, UK Government, or other relevant authority has issued an adequacy decision for the destination country, transfers proceed without additional contractual safeguards
We regularly review the legal landscape and will update transfer mechanisms as required by supervisory authority guidance or court rulings.
5. Change Notification Process
In accordance with GDPR Article 28(2) and our contractual obligations, we follow this process when engaging a new sub-processor or making material changes to an existing sub-processor relationship:
| Step | Action | Timeline |
|---|---|---|
| 1 | Vendor due diligence and security assessment | Before engagement |
| 2 | DPA execution with new sub-processor | Before processing begins |
| 3 | Notification to registered users and agency partners via email | 30 days before processing begins |
| 4 | Update this sub-processor list page | Same day as notification |
| 5 | Objection window for agency partners | 30 days from notification |
Right to object: Agency partners under a Data Processing Agreement may object to the engagement of a new sub-processor within 30 days of notification. If no reasonable resolution can be reached, the agency partner may terminate the affected services in accordance with the Agency Terms.
6. Our Obligations
For each sub-processor, GIORIZZ ensures:
- Written DPA imposing equivalent data protection obligations to those in our own processing agreements (GDPR Art 28(4))
- Due diligence on the sub-processor’s technical and organisational security measures before engagement
- Ongoing monitoring of sub-processor compliance through audit rights, certifications review, and incident response procedures
- Liability — GIORIZZ remains fully liable for the performance of its sub-processors (GDPR Art 28(4))
- Data minimisation — each sub-processor receives only the minimum personal data necessary for its designated processing purpose
- Incident response — sub-processors are contractually required to notify GIORIZZ of any personal data breach within 24 hours of discovery
7. Audit Rights
In accordance with GDPR Article 28(3)(h), controllers and their authorised representatives have the right to audit GIORIZZ’s use of sub-processors. For agency partners, audit rights are governed by Section 9.2 of the Agency Terms.
Audit requests should be directed to:
- Email: info@giorizz.com
- Subject: Sub-processor Audit Request — [Organisation Name]
8. Contact
For questions about our sub-processors or to subscribe to change notifications:
| Contact | Details |
|---|---|
| Data Protection Email | info@giorizz.com |
| General Support | info@giorizz.com |
| Postal Address | GIORIZZ S.r.l., Via Alcibiade 8, Siracusa (SR), Italy |
Related documents:
- Privacy Policy — full details on data collection and processing
- Data Subject Access Request — exercise your privacy rights
- Agency Terms — including Data Processing Agreement provisions
- Cookie Policy — cookies and tracking technologies