Sub-processors
The third-party services Crossflow uses to process Tenant Data, in line with clause 8 of the Crossflow Data Processing Addendum.
Version 1.0.0 · effective 17 May 2026 · 20 sub-processors listed
What this page is
A “sub-processor” is a third-party service that processes Tenant Data on Crossflow’s behalf. POPIA section 21 and GDPR Article 28 require that tenants are told who these third parties are and are given the opportunity to object before a new one is engaged.
This page lists every sub-processor currently engaged for Tenant Data, the service each one provides, where they store data, and the data-processing terms that govern them. It is the public reference cited by the Crossflow Data Processing Addendum.
How we authorise sub-processors
When you accept the Crossflow Data Processing Addendum as a Tenant Admin, you grant Crossflow general authorisation to engage the sub-processors listed below on your behalf. We commit to:
- Maintaining a written agreement (or captured-by-reference equivalent) with every sub-processor that imposes data-protection obligations no less protective than those between you and Crossflow.
- Remaining liable to you for the acts and omissions of every sub-processor as if they were our own.
- Notifying Tenant Admins by email at least 30 days in advance of engaging a new sub-processor or replacing an existing one, so that you may object before the change takes effect.
If you object to a proposed change, we will work with you to find a workable alternative. If none is reasonably available, you may terminate the affected service on the notice terms set out in the Crossflow Master Services Agreement.
Core infrastructure
Always-on hosting, database, authentication, and serverless compute. Every byte of Tenant Data passes through these.
| Sub-processor | Service | Data residency | Data-processing terms | Listed since |
|---|---|---|---|---|
| Google / Firebase | Firestore (database), Firebase Auth, Cloud Storage, Cloud Functions, Hosting, App Check, Cloud Tasks Firestore is the primary datastore for all tenant records. Cloud Storage is used for tenant file uploads. | Firestore + Cloud Functions: europe-west2 (London, UK). Cloud Storage tenant uploads: us-central1 (Iowa, US). | Public DPA | 1 September 2025 |
| Google Cloud Platform | Underlying infrastructure for Firebase services, including network, compute, and managed services. | Per Firebase region (see above). | Public DPA | 1 September 2025 |
Email delivery
Outbound transactional and marketing email on the tenant’s behalf.
| Sub-processor | Service | Data residency | Data-processing terms | Listed since |
|---|---|---|---|---|
| AWS SES | Transactional and marketing email delivery (Crossflow product emails + tenant Email Marketing campaigns). | af-south-1 (Cape Town, South Africa). | Public DPA | 15 March 2026 |
| Google Workspace SMTP | Fallback transactional email relay for low-volume system mail (e.g. trial reminders, founder-side notifications). | Per Google Workspace defaults; covered by Google Cloud DPA. | Captured by reference | 1 September 2025 |
Payments
Card and EFT processing for tenant subscriptions. PCI scope is SAQ-A.
| Sub-processor | Service | Data residency | Data-processing terms | Listed since |
|---|---|---|---|---|
| Paystack | Card and EFT payment processing for tenant subscriptions and token purchases. Card data never touches Crossflow servers (PCI SAQ-A). Paystack does not publish a standalone DPA at the URL above; a bilateral DPA can be requested at support@paystack.com. Their general terms and POPIA-compliance statement are public. | Nigeria + South Africa infrastructure. | Bilateral DPA | 1 October 2025 |
Messaging
SMS and WhatsApp send/receive on the tenant’s behalf.
| Sub-processor | Service | Data residency | Data-processing terms | Listed since |
|---|---|---|---|---|
| Twilio | SMS and WhatsApp Business message send and receive on the tenant’s behalf. | US infrastructure; South African SMS via local interconnect (SS7). | Public DPA | 1 February 2026 |
| WinSMS | South African SMS gateway for tenant outbound SMS. WinSMS publishes a POPIA-compliant privacy policy but no standalone DPA. A bilateral DPA has been requested for the public sub-processor relationship. | South Africa. | Bilateral DPA | 1 February 2026 |
Tenant-connected integrations
These only process Tenant Data when a tenant explicitly connects their own account. The tenant remains the data controller for the connected account.
| Sub-processor | Service | Data residency | Data-processing terms | Listed since |
|---|---|---|---|---|
| Microsoft Graph / Microsoft 365 | Tenant Outlook inbox sync, calendar overlay, and contact import. Only active when the tenant connects their own Microsoft account. The tenant’s own Microsoft contract is the primary data-processing instrument. Crossflow accesses the tenant Microsoft account via delegated OAuth scopes. | Per the tenant’s own Microsoft 365 tenant region. | Captured by reference | 1 February 2026 |
| Google APIs (People, Calendar, Gmail) | Tenant Gmail contact sync, calendar overlay, and Gmail integration. Only active when the tenant connects their own Google account. | Per the tenant’s own Google account region. | Captured by reference | 1 February 2026 |
| Vimeo | Optional video hosting for tenant LMS course content. Enterprise tier only — self-serve Vimeo accounts have no DPA. | United States. | Public DPA | 1 March 2026 |
| Loom | Optional video recording and embed for tenant LMS content and support replies. Loom is Atlassian-owned; the Atlassian Customer DPA covers Loom usage. | United States (AWS). | Captured by reference | 1 March 2026 |
| YouTube | Optional embedded video player for tenant LMS course content. Embeds use the privacy-enhanced youtube-nocookie.com origin. No tenant content is uploaded to YouTube by Crossflow. | United States (Google). | Captured by reference | 1 March 2026 |
| Metricool | Tenant social-media scheduling and analytics. Only active when the tenant connects their own Metricool workspace. A signed DPA copy is requested per tenant via legal@metricool.com. | European Union. | Bilateral DPA | 1 March 2026 |
AI services
Large-language-model inference used by the ARIA chatbot.
| Sub-processor | Service | Data residency | Data-processing terms | Listed since |
|---|---|---|---|---|
| Anthropic | Claude LLM inference for the ARIA chatbot. Anthropic’s commercial terms commit to no model training on Customer Content. The Anthropic DPA is incorporated by reference into the Commercial Terms. Tenant conversation content is sent for inference only and is not retained for training. | United States. | Captured by reference | 1 April 2026 |
Operations
Error monitoring and operational tooling. These process error reports and telemetry that may incidentally contain Tenant Data.
| Sub-processor | Service | Data residency | Data-processing terms | Listed since |
|---|---|---|---|---|
| Sentry | Application error monitoring. Error reports may incidentally contain Tenant Data fragments (stack traces, user IDs). | European Union (Frankfurt). | Public DPA | 15 March 2026 |
| GitHub | Source-code hosting for Crossflow platform code. Used by the Crossflow team only; does not process Tenant Data. Listed for transparency. Tenant Data is never stored in GitHub repositories. | United States. | Public DPA | 1 September 2025 |
Marketing site only
These run on the public crossflow-solutions.co.za marketing site and do not process Tenant Data. Listed for transparency.
| Sub-processor | Service | Data residency | Data-processing terms | Listed since |
|---|---|---|---|---|
| Google Analytics 4 | Marketing-site visitor analytics on crossflow-solutions.co.za. Does not process Tenant Data inside the product. Tenant slugs are scrubbed from page_path before GA4 receives any URL. No cross-site user tracking. | United States. | Public DPA | 16 April 2026 |
| Google Fonts | Marketing-site web fonts. IP address and User-Agent leak on first font load per visit. No separate DPA. Self-hosting under evaluation. | United States (Google). | No standalone DPA | 16 April 2026 |
| Google reCAPTCHA | Abuse-prevention signal used via Firebase App Check on the marketing-site signup forms. | United States. | Captured by reference | 16 April 2026 |
| FormSubmit | Form-handling service for the public marketing contact form. Receives the visitor’s name, email, company, interest, and message before forwarding to the Crossflow team. No standalone DPA — privacy policy commits to delete-after-forwarding. Used only on the public marketing site; does not process Tenant Data. | United States. | No standalone DPA | 16 April 2026 |
Notification of changes
Tenant Admins are emailed at least 30 days before any new sub-processor begins processing Tenant Data, or before an existing sub-processor is replaced. The notification email links back to this page and describes:
- What is changing (sub-processor added, removed, or regional change).
- Why the change is being made.
- The effective date.
- How to object.
Notifications are sent from noreply@crossflow-solutions.co.za to the email address registered as the Tenant Admin for each account. To update that address, sign in and go to Settings → Business profile.
Version history
- v1.0.0 · 17 May 2026 — Initial published list. 20 sub-processors enumerated per Phase 0 audit (2026-04-25), including FormSubmit (marketing-site contact form).
Questions
For any question about the sub-processors on this page, our Information Officer can be reached at stiaan@crossflow-solutions.co.za. For our broader compliance posture, see our Privacy Policy, Terms of Service, and PAIA manual.