Legal Docs Hub

Credentium — Sub‑Processors (Live List)

Effective date: 2026-07-08
Scope: This page lists third‑party sub‑processors (Art. 28(4) GDPR) engaged by CloudTeam sp. z o.o. to support the Credentium Issuer app and related services where they may process personal data on our behalf. It mirrors the style of our Terms of Service and Privacy Policy.

TL;DR (≈1 minute): We primarily process in EU/EEA regions. Today, our core sub‑processors are Microsoft Azure (EU regions) for hosting, Amazon Web Services (EU — Frankfurt) for identity/authentication (Amazon Cognito) and transactional email (Amazon SES), EuroCert (EU) for qualified e‑seal and time‑stamping services, and Sentry (EU data residency) for error monitoring. Auth0 (EU tenant) remains engaged only as a legacy identity provider during the ongoing migration to Amazon Cognito. If we add or replace a sub‑processor, we will update this page and, for Issuer customers, provide advance notice with an opportunity to object on justified grounds.


How to read this page

  • Role (Purpose): What the sub‑processor does.

  • Data categories: Types of personal data the vendor can access when providing its service.

  • Location: Primary processing/hosting region for the service we use.

  • Transfers: Additional safeguards if a vendor or its group involves restricted third‑country access (e.g., remote support).

  • Notes: Extra info relevant to security/compliance.


Authorized Sub‑Processors

Name

Role (Purpose)

Data categories (typical)

Location

Transfers

Notes

Microsoft Azure (EU regions)

Cloud hosting, storage, databases, queues, managed services for Issuer/Wallet/Validator

Account data (name, email), credential issuance metadata, operational logs, support files

EU/EEA

Not applicable by default (EU hosting).

Data residency in EU. Security & compliance per Azure SOC/ISO reports.

Amazon Web Services (AWS) — EU (Frankfurt)

Identity & authentication (Amazon Cognito); transactional email delivery (Amazon SES)

Login identifiers (email), password verification data, organization/tenant identifiers, authentication events (Cognito); recipient names, email addresses and notification content (SES)

EU/EEA (Frankfurt, eu-central-1)

Group headquartered outside EEA; possible restricted remote support by non‑EEA personnel; protected via SCCs (2021/914) and supplementary measures.

Amazon Cognito replaces Auth0 as the identity provider; SES email is sent over TLS.

EuroCert (Qualified Trust Service Provider)

Qualified eIDAS electronic seals for issuance workflows — PDF documents (PAdES) and EDC JSON‑LD credentials (JAdES) — and qualified time‑stamping (TSA)

Organization identification data necessary to produce the qualified e‑seal; PDF documents submitted for sealing (which contain credential/holder data); for JSON‑LD sealing and time‑stamping, only cryptographic digests (hashes) are transmitted

EU/EEA

Not applicable (EU trust service)

Creates the qualified e‑seals attached to credentials (sealed PDFs and sealed JSON‑LD); its TSA provides the qualified timestamps embedded for long‑term validation.

Sentry (Functional Software, Inc.)

Error monitoring / crash reporting for background credential processing

Technical error data (stack traces, correlation identifiers). Transmission of personal data is disabled by default (no user identifiers or IP addresses); error payloads may incidentally contain fragments of processed data

EU/EEA (Germany — EU data‑residency ingestion)

Vendor headquartered outside EEA; protected via SCCs (2021/914) and supplementary measures.

Configured not to send personal data; only error‑level events are transmitted.

Auth0 (Okta) — EU tenant — LEGACY

Identity & authentication (OIDC/SSO), session/token management, role mapping

Login identifiers, organization/tenant identifiers, authentication events

EU/EEA

Possible restricted remote support by non‑EEA personnel; protected via SCCs and supplementary measures.

Group headquartered outside EEA; EU tenant configured. Retained only for the duration of the ongoing migration to Amazon Cognito; being decommissioned.

Controller‑chosen integrations (e.g., LMS/Moodle connectors, webhooks) operate under the Controller’s responsibility as independent controllers or processors of the Controller. Those are not sub‑processors of CloudTeam unless explicitly stated here.
User‑initiated sharing (e.g., a credential holder sharing their credential to LinkedIn) is performed at the data subject’s own initiative; the receiving platform acts as an independent controller and is not a sub‑processor of CloudTeam.


Objections & notifications

  • Notice of changes: We will post updates to this page before a new sub‑processor gains access to personal data. Issuer customers may subscribe to change notifications via privacy@cloudteam.pl.

  • Right to object: If you have justified grounds relating to data protection, email us within the notice window. If unresolved, you may suspend the affected feature or terminate it as your sole remedy (per DPA).

Security & transfers (summary)

  • Processing is primarily in the EU/EEA.

  • Where a vendor is EU‑hosted but owned outside the EEA (e.g., Auth0/Okta, AWS, Sentry), restricted remote support may constitute a transfer; we rely on SCCs (2021/914) and apply supplementary measures.

  • Technical/organizational measures include encryption in transit/at rest, RBAC/least privilege, logging/monitoring, isolation, and incident response (see DPA Annex II).

Changelog

  • 2026-07-08 — Added Amazon Web Services (Amazon Cognito — identity/authentication; Amazon SES — transactional email; EU region Frankfurt) and Sentry (error monitoring; EU data‑residency ingestion; personal‑data transmission disabled). Marked Auth0 (Okta) as legacy — retained only during the migration to Amazon Cognito and being decommissioned. Expanded the EuroCert entry to cover JAdES sealing of EDC JSON‑LD credentials and qualified time‑stamping, and clarified the data transmitted for sealing (full PDFs for PAdES; digests only for JSON‑LD/TSA). Added a note on user‑initiated social sharing integrations.

  • 2025-10-11 — Initial publication of live sub‑processor list for Credentium.


Contacts
CloudTeam sp. z o.o., Plac Konesera 9, 03‑736 Warszawa, Poland • privacy@cloudteam.pl

References

Document Hash (SHA-256):
bdc2ecc6eabcb524889af5b0dea8dcb37dadb7e51b72c383c3132e924fbd9d88

Download the raw content and verify: sha256sum filename.html
(The downloaded file contains the exact content used for hash calculation)