Subprocessors / Auftragsverarbeiter

Last updated: May 2026 · Provider: KI·SUM·AI - Kisum GmbH (see Impressum)

This page lists all third-party processors ("Auftragsverarbeiter" / "subprocessors") that MaskBeforeAI uses to provide the service. Disclosure per GDPR Art. 28(2) and § 28 BDSG.

Diese Seite listet alle Drittanbieter, die wir zur Bereitstellung von MaskBeforeAI einsetzen, gemäß Art. 28 Abs. 2 DSGVO.

Data minimisation note: The MaskBeforeAI browser extension processes your images, documents, and text locally in your browser. The content you mask never leaves your device and is never transmitted to any of the subprocessors below. The subprocessors are used only for: payment processing, license validation, website hosting, support email, and (with your consent) anonymous website analytics.

Transfer mechanisms for non-EEA recipients

Where personal data is transferred to a recipient outside the European Economic Area, the transfer is lawful under Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914, Module 2 (controller-to-processor) — together with supplementary technical and organisational safeguards as required by GDPR Chapter V.

A separate Transfer Impact Assessment (TIA) per EDPB Recommendations 01/2020 is documented internally for each non-EEA transfer (available on request to info@ki-sum.ai; see also tia-lemonsqueezy.md on GitHub).

None of our US sub-processors are currently self-certified under the EU-U.S. Data Privacy Framework (DPF), so SCCs are the sole transfer tool — not a DPF-as-primary, SCCs-as-fallback configuration. Note re: LemonSqueezy: although its parent company Stripe Inc. is DPF-certified, DPF self-certification does not automatically extend to subsidiaries. LemonSqueezy LLC would need to file its own DPF certification to claim it; until then, we treat its DPA's SCCs as the sole transfer tool.

Active subprocessors

Processor	Purpose	Data categories	Location	Legal basis
Lemon Squeezy DPA · Privacy Lemon Squeezy LLC	Payment processing, invoicing, EU VAT, license-key issuance. Acts as Merchant of Record.	Name, billing address, email, payment method, transaction history, IP address.	USA SCCs 2021/914 Module 2 (no DPF)	Art. 6(1)(b) GDPR (contract performance) · Art. 46(2)(c) (SCCs) · TIA filed
Hetzner Online GmbH DPA (AV-Vertrag) Gunzenhausen, Germany	Hosting of mask.ki-sum.ai website and the error/compliance API (request logs, cancellation requests).	IP address (server logs), email address (compliance request submissions), request metadata.	Germany (EU)	Art. 6(1)(f) GDPR (legitimate interest in service operation) · Art. 28 DPA in place
PostHog DPA · Privacy PostHog Inc. (EU instance: eu.posthog.com)	Anonymous website analytics (page views, anonymous user funnel). Only with your consent via the cookie banner.	Anonymous device/browser fingerprint, page URLs visited, click events, referrer. No name, no email.	EU (Frankfurt)	Art. 6(1)(a) GDPR (consent via cookie banner) · TTDSG § 25(1)
Strato AG Privacy Berlin, Germany	DNS for ki-sum.ai (incl. mask.ki-sum.ai). Email hosting for info@ki-sum.ai support inbox.	Inbound/outbound support email content, sender/recipient addresses, timestamps.	Germany (EU)	Art. 6(1)(b) GDPR (contract / pre-contractual support) · DPA in place
Google LLC (only when you click YouTube embed) Privacy Mountain View, USA	Demo videos embedded as `youtube-nocookie.com` placeholders. No data sent to Google until the user actively clicks Play.	If video played: IP address, video viewing data (Google's terms apply).	USA SCCs + Google DPF	Art. 6(1)(a) GDPR (consent by user clicking Play). Google LLC is DPF-certified for the cloud-services scope; YouTube embed traffic is covered by Google's framework.

Chrome Web Store distribution

The MaskBeforeAI browser extension is distributed via the Chrome Web Store (Google LLC). Google acts as a distribution partner, not a processor of customer content. Extension installations and update checks are handled by Chrome itself; we do not receive identifying data from these events.

Notification of changes

Pursuant to GDPR Art. 28(2), we will notify you in advance before adding or replacing a subprocessor that processes personal data, giving you at least 14 days to object. Notification is via email to the address on file for your subscription, and via update to this page.

Contact

Questions about subprocessors or your rights as a data subject (Art. 15-22 GDPR): info@ki-sum.ai