In accordance with GDPR Article 28, this document lists all sub-processors (third-party service providers) that process personal data on behalf of Beemi. We maintain this list to ensure transparency about where and how your data is processed.
Current Sub-Processors
| Service Provider | Purpose | Data Location | Data Processed |
|---|---|---|---|
| Google Cloud Platform (GCP) | Infrastructure hosting, database, object storage | United States (Primary), EU (Optional) | All user data, game assets, metadata |
| Firebase (Google) | Authentication, storage, real-time database | United States, EU | User credentials, profile data, session data |
| Amplitude | Analytics and user behavior tracking | United States | Usage data, device info, session logs |
| Agora.io | Real-time communication (audio/video metadata) | United States, Singapore | Connection metadata, quality metrics (no content storage) |
| OpenAI | AI code generation (Studio only) | United States | User prompts, generated code (not stored long-term) |
| Anthropic (Claude) | AI code generation (Studio only) | United States | User prompts, generated code (not stored long-term) |
| Cloudflare | CDN, DDoS protection, DNS | Global (Edge Locations) | IP addresses, request metadata (logs only) |
| SendGrid (Twilio) | Transactional email delivery | United States | Email addresses, delivery status |
Data Transfer Mechanisms
For sub-processors located outside the European Economic Area (EEA), we ensure appropriate safeguards through one or more of the following mechanisms:
- Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
- Adequacy Decisions: When processing in countries deemed adequate by EU Commission
- Privacy Shield Successor: When applicable (monitoring EU-US Data Privacy Framework)
- Binding Corporate Rules: For processors with approved BCRs
Change Notification
Beemi will notify affected users at least 30 days in advance when:
- Adding a new sub-processor
- Changing data processing locations
- Materially changing data processing activities
Notification will be sent via:
- Email to registered email addresses
- In-app notification
- Update to this document (with revision date)
Objection Rights
If you object to a new sub-processor or change, you may:
- Contact our Data Protection Officer at dpo@qenetech.com
- Request restriction of your data processing
- Request deletion of your data (right to erasure)
We will work with you to address your concerns while maintaining service functionality.
Audit & Compliance
All sub-processors listed above:
- ✅ Have signed Data Processing Agreements (DPAs)
- ✅ Comply with GDPR requirements
- ✅ Implement appropriate technical and organizational measures
- ✅ Maintain SOC 2 Type II or equivalent certifications
- ✅ Are subject to our vendor security review process
Contact Information
For questions about sub-processors or data processing:
Data Protection Officer: dpo@qenetech.com
Privacy Team: privacy@qenetech.com
Address: 2035 Sunset Lake Road, Suite B-2, Newark, DE 19702, United States