Annex 1 - Approved Sub-processors
to the Data Processing Agreement pursuant to Art. 28 GDPR between the controller and Lambus GmbH
Version: 2026-04-24
1. Sub-processors Already Engaged at the Commencement of the Contract
The Controller hereby grants authorization to engage the following sub-processors pursuant to Art. 28(2) GDPR:
| Service Provider | Registered Office | Service | Type of Processing | Third-country Reference |
|---|---|---|---|---|
| Amazon Web Services EMEA SARL | Luxembourg | Cloud infrastructure, document storage, email receipt | Hosting, storage, processing of travel data | Possible |
| Supabase, Inc. | Singapore | Database infrastructure | Storage of structured personal data | Possible |
| Fly.io, Inc. | USA | Hosting of the application environment | Operation of server infrastructure | Possible |
| Plus Five Five, Inc. (Resend) | USA | Sending system-related emails | Sending of transactional emails | Possible |
| Google Cloud EMEA Limited | Irland | AI-based document analysis | Processing of document contents for structured extraction | Possible |
| Braintrust Data, Inc. | USA | Logging and monitoring of AI agents | Processing of technical usage and log data | Possible |
| Inngest, Inc. | USA | Job queue & background processing | Control of automated processes | Possible |
| BunnyWay d.o.o. (bunny.net) | Slovenia (EU) | Content delivery network, image delivery | Delivery and scaling of image content | No |
| Functional Software, Inc. (Sentry) | USA | Application monitoring and error diagnostics | Processing of technical diagnostic and usage data | Possible |
2. Scope of Engagement
Sub-processors are engaged exclusively for the provision of the contractually owed services.
Processing for the sub-processors' own purposes is contractually excluded.
3. Contractual Obligations of Sub-processors
The Processor ensures that agreements pursuant to Art. 28(4) GDPR have been concluded with all sub-processors that meet at least the data protection obligations set out in this Agreement.
This includes in particular:
- Obligation to follow instructions
- Confidentiality obligation
- Implementation of appropriate TOMs
- Support for data subject rights
- Deletion obligations
- Inspection rights
4. Third-Country Transfers
Insofar as sub-processors process data outside the EU/EEA or access from a third country cannot be excluded, this is done exclusively in compliance with Art. 44 et seq. GDPR.
In particular, transfer is made:
- on the basis of an adequacy decision of the European Commission (e.g. EU-US Data Privacy Framework), or
- on the basis of EU Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR.
The Processor documents the transfer mechanisms employed and makes them available to the Controller upon request.
5. Changes to Sub-processors
The Processor shall notify the Controller in good time of:
- the addition of new sub-processors or
- the replacement of existing sub-processors.
The Controller may object in writing within 30 days of receipt of the notification on important data protection grounds.
If no mutually agreed solution can be reached, the Controller is entitled to terminate the main contract for cause insofar as the data processing is affected thereby.
6. Liability
The Processor is liable to the Controller pursuant to Art. 28(4)(2) GDPR for the sub-processors' compliance with the data protection obligations imposed on them.
This document forms part of the Data Processing Agreement pursuant to Art. 28 GDPR.