Sub-Processors
Version 1.0 · Effective 14 May 2026 · Forms part of the QENEX Data Processing Agreement
Under Article 28 GDPR / UK GDPR, processors must disclose the Sub-Processors they engage to process personal data on a controller’s behalf. This page is the canonical, version-anchored list for QENEX. Material additions and replacements are announced via operational email to Customers with at least thirty (30) days’ notice and recorded with the document’s cryptographic provenance at /legal/evidence/.
| Sub-processor | Purpose | Personal data processed | Location |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Subscription billing, card processing for QENEX Pulse and storefront plans. | Customer contact name + work email; card data is tokenised by Stripe and never reaches QENEX servers. | Ireland (data-processing); United States (some Stripe operations under SCCs). |
| Hetzner Online GmbH | Primary infrastructure host (compute, storage) for qenex.ai apex and Pulse production. | All Customer data hosted on QENEX systems passes through Hetzner servers. | Falkenstein, Germany (EU). |
| Hurricane Electric LLC | Secondary authoritative DNS (ns2/ns3.he.net) for qenex.ai and Customer-delegated domains. | Zone records only (no personal data unless a Customer chooses to publish such data as a DNS record). | United States (under SCCs / UK IDTA). |
| Cloudflare, Inc. | Optional CDN / edge cache for static assets where the Customer enables it. | Visitor IP address and request metadata (typical CDN log fields). | Global edge network; primary processing under SCCs / UK IDTA where outside the EEA. |
| Google LLC (AdSense) | Advertising on check.qenex.ai only. |
Visitor IP, browser characteristics, advertising-cookie identifiers (where consent granted). | United States, with SCCs and the EU-US Data Privacy Framework where applicable. |
| Anthropic PBC (Claude API), OpenAI Inc. (where Customer enables it) | AI-generated site design (qenex.ai storefront) and AI-classification features in QENEX Pulse, behind feature flags. | Prompt content the Customer submits via the AI features. QENEX does not send Customer authentication data, billing data, or scope-artifact bodies to AI providers without explicit Customer instruction. | United States, under SCCs / Data Privacy Framework as applicable. |
| IPFS pinning operators (currently self-hosted on QENEX infrastructure; planned third-party pinning via Pinata / Filebase under evaluation) | Persisting the daily evidence-chain CIDs. | SHA-256 hashes only (no personal data inside the pinned objects). | Hetzner DE today; third-party plans not yet executed. |
| OpenTimestamps public calendars | Bitcoin-anchored timestamps for the daily evidence chain. | SHA-256 hashes only (no personal data leaves QENEX). | Global; operated by multiple independent volunteers. |
Change history
Every version of this list is hashed and anchored. Historical versions
(text + signature + IPFS CID + OpenTimestamps proof) can be retrieved
from /legal/evidence/
and programmatically at
/api/v1/pulse/legal/version-record/subprocessors.