Skip to Content

List of Sub-Processors

pursuant to Art. 28(2) General Data Protection Regulation (GDPR)

Controller: IT-Direkt GmbH, Aroser Allee 66, 13407 Berlin, Germany

IT-Direkt GmbH engages the following sub-processors in connection with the provision of the machine interface service (API integration). These sub-processors may have access to, or process, personal data in the course of service delivery:

1. Hetzner Online GmbH

  1. 1.1 Company: Hetzner Online GmbH
  2. 1.2 Registered address: Industriestraße 25, 91710 Gunzenhausen, Germany
  3. 1.3 Purpose of processing: Server hosting, data storage (encrypted access credentials), access logs, data backups
  4. 1.4 Categories of personal data: Access credentials (encrypted), authentication tokens, access logs
  5. 1.5 Location of processing: Germany (EU)
  6. 1.6 Legal basis: Data Processing Agreement (DPA) pursuant to Art. 28 GDPR, concluded via the Hetzner Cloud Console
  7. 1.7 Last reviewed: March 2026

2. Microsoft Ireland Operations Limited

  1. 2.1 Company: Microsoft Ireland Operations Limited
  2. 2.2 Registered address: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (EU)
  3. 2.3 Purpose of processing: Email sending and receiving via Exchange Online; message delivery
  4. 2.4 Categories of personal data: Email addresses, message content, email delivery metadata
  5. 2.5 Location of processing: EU (Ireland); additional Microsoft EU data centres as per Microsoft DPA
  6. 2.6 Legal basis: Data Processing Agreement (DPA) pursuant to Art. 28 GDPR, concluded via Microsoft Online Services Terms (OST) / Microsoft Product Terms
  7. 2.7 Last reviewed: March 2026

3. Meta Platforms Ireland Limited

  1. 3.1 Company: Meta Platforms Ireland Limited
  2. 3.2 Registered address: Merrion Road, Dublin 4, D04 X2K5, Ireland (EU)
  3. 3.3 Purpose of processing: Provision of the WhatsApp Business API for handling customer support communication between IT-Direkt and its customers (sending and receiving WhatsApp messages)
  4. 3.4 Categories of personal data: Phone numbers, message content (including attached files), send and receive metadata (timestamps, delivery status, read receipts)
  5. 3.5 Location of processing: Ireland (EU); transfers to Meta Platforms, Inc. (USA) and affiliated companies outside the EU possible in individual cases
  6. 3.6 Safeguards for third-country transfers: European Commission adequacy decision regarding the EU-US Data Privacy Framework (Art. 45 GDPR); supplemented by Standard Contractual Clauses (Art. 46(2)(c) GDPR)
  7. 3.7 Legal basis: Data Processing Agreement (DPA) pursuant to Art. 28 GDPR, concluded with Meta Platforms Ireland Limited under the WhatsApp Business Solution Terms
  8. 3.8 Last reviewed: April 2026

4. Weenat SAS

  1. 4.1 Company: Weenat SAS
  2. 4.2 Registered address: 2 rue Crucy, 44000 Nantes, France (EU)
  3. 4.3 Purpose of processing: Provision of parcel- and site-specific weather and environmental data (virtual weather station) via the Weenat API on behalf of IT-Direkt GmbH
  4. 4.4 Categories of personal data: Geolocation data (coordinates) of the parcels or sites configured in the portal, internal parcel/site identifiers, query periods, and technical query parameters
  5. 4.5 Location of processing: France (EU)
  6. 4.6 Legal basis: Data Processing Agreement (DPA) pursuant to Art. 28 GDPR, concluded with Weenat SAS
  7. 4.7 Last reviewed: April 2026

5. Startec S.r.l.

  1. 5.1 Company: Startec S.r.l.
  2. 5.2 Registered address: Viale Stazione 26, 33079 Sesto al Reghena, Italy (EU)
  3. 5.3 Purpose of processing: Provision of the StarTec API for automated querying and control of machines connected by the customer, on behalf of IT-Direkt GmbH
  4. 5.4 Categories of personal data: Machine access codes (as printed on the machine), internal machine/integration identifiers within Raindancer, technical query parameters and control commands, as well as operational and status data reported back from the machine
  5. 5.5 Location of processing: Italy (EU)
  6. 5.6 Legal basis: Data Processing Agreement (DPA) pursuant to Art. 28 GDPR, concluded with Startec S.r.l.
  7. 5.7 Last reviewed: April 2026

6. Anthropic, PBC (Claude API – AI help assistant)

  1. 6.1 Company: Anthropic, PBC
  2. 6.2 Registered address: 548 Market St, PMB 90375, San Francisco, CA 94104, USA
  3. 6.3 EU representative pursuant to Art. 27 GDPR: Anthropic Ireland, Limited, 6th Floor, South Bank House, Barrow Street, Dublin 4, D04 TR29, Ireland
  4. 6.4 Purpose of processing: Provision of the AI-based help assistant within the portal operated by IT-Direkt GmbH. User inputs (help requests, questions) as well as supplementary context data from the portal (e.g. the function currently in use, technical configuration and status information) are transmitted via the Claude API to the AI model in order to generate a context-aware response from the help assistant.
  5. 6.5 Categories of personal data:
    1. 6.5.1 The content of the user's request (free text);
    2. 6.5.2 Context data from the portal (e.g. the function currently in use, configuration parameters, technical sensor and status data);
    3. 6.5.3 A pseudonymous user or session identifier used for technical assignment of the request. Account master data (name, email address, login identifier) is not transmitted to the Claude API.
  6. 6.6 Location of processing: USA. Anthropic operates the Claude API on infrastructure located in the United States (relying, in particular, on the sub-processors Amazon Web Services and Google Cloud Platform).
  7. 6.7 Safeguards for third-country transfers: Transfers to the USA are based on the European Commission's adequacy decision regarding the EU-US Data Privacy Framework (Art. 45 GDPR; Anthropic, PBC is certified under the Data Privacy Framework List); supplemented by the Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR), which form part of the Data Processing Addendum concluded with Anthropic.
  8. 6.8 Legal basis: Data Processing Addendum (DPA) pursuant to Art. 28 GDPR, concluded with Anthropic, PBC as part of the Anthropic Commercial Terms of Service. Anthropic processes inputs received via the API exclusively to provide the contractually agreed service and does not use them to train the Claude models.
  9. 6.9 Retention at Anthropic: Inputs and outputs are retained at Anthropic for a period of up to 30 days for security and abuse-monitoring purposes and are subsequently deleted. The data is at no time used to train the models.
  10. 6.10 Anthropic's own sub-processors: Anthropic in turn engages sub-processors (in particular Amazon Web Services, Inc. and Google LLC). The current list is available at https://trust.anthropic.com .
  11. 6.11 Last reviewed: May 2026

7. Notes

  1. 7.1 External third-party providers whose interfaces (APIs) the Controller makes available for use within the services (e.g. machine interfaces, ERP systems, industry-specific platforms) are not sub-processors within the meaning of this list. They act as independent controllers pursuant to Art. 4(7) GDPR.
  2. 7.2 This list will be updated whenever sub-processors are added or replaced. Customers will be notified of any changes with a minimum notice period of 14 days by email, in accordance with § 6 of the Data Processing Agreement.
  3. 7.3 For enquiries regarding this list, please contact: datenschutz@it-direkt.de

As of: 01/07/2026 | IT-Direkt GmbH, Aroser Allee 66, 13407 Berlin | +49 30 8900610 | info@it-direkt.de