Who processes data on our behalf.
Class2Class engages a small set of trusted vendors to deliver parts of the platform — the database, the email service, the customer-support chatbot, the AI features. Every one of them is on this list, with their location, transfer mechanism, and the contractual safeguards we've put in place.
Signed DPAs
Every sub-processor has signed a written contract with Class2Class that imposes the same data-protection obligations we accept toward you, per GDPR Art. 28(2)–(4).
EU-first
Backend, data warehouse, AI frontend hosting, ETL, and email all run in the EU. US transfers use SCCs, the EU–US Data Privacy Framework where applicable, and a Transfer Impact Assessment.
No AI training
Every AI sub-processor (Chatbase, OpenAI, Google Gemini, Anthropic) is contractually prohibited from using Class2Class data to train any AI model — theirs or anyone else's.
30-day notice
Partner schools are notified of any addition, replacement, or material change at least 30 calendar days in advance, with a 15-day window to object on reasonable grounds.
Nineteen sub-processors, organised by what they do.
Click any vendor to open their privacy or DPA documentation directly.
Bubble
Frontend platform — user interface and workflow runtime for the main Class2Class web platform.
Xano
Backend database — API and data storage. Where most of your account and project data actually lives.
Vercel
Hosting and edge-runtime infrastructure for the project creation assistant frontend.
CookieYes
Consent management platform — stores and honours your cookie-consent choices across the site. The consent cookie itself is strictly necessary.
Sentry
Error and performance monitoring — captures exception and crash reports so we can keep the platform stable. Hosted in Sentry's EU region (Frankfurt). Personal data is not sent by default and remaining event data is scrubbed before sending; events are tunnelled through a first-party proxy on our own domain. Retention is the Sentry Developer-plan default of approximately 30 days.
Make
Workflow automation in the certificate pipeline — when a student completes a project, Make renders the completion certificate as a PDF from the participant's name, project title, and completion date. Triggered server-side from Xano; no marketing or analytics data flows through it.
Chatbase
AI-powered customer support chatbot. System AI-01 in our AI Inventory.
OpenAI
LLM API for the Project Creation Assistant text generation. Teacher-only. System AI-02.
Google (Gemini API)
Image generation for project covers (Gemini 2.5 Flash, "Nano Banana"). Teacher-invoked only. System AI-04.
Anthropic (Claude)
AI assistant used by Class2Class staff to query the data warehouse. Staff-only, not user-facing. System AI-05.
PostHog
Product-usage analytics inside the platform — the successor to Mixpanel. Consent-gated; session replay and exception capture are switched off.
Stape
First-party server-side tagging proxy that forwards analytics events from a Class2Class subdomain, keeping tagging first-party and consent-gated.
Mixpanel
Product analytics — being retired. No longer sets cookies on the platform; historical data is retained in the data warehouse only and covered by the Privacy Policy retention schedule.
Google Analytics
Website analytics for the marketing site. IP anonymisation enabled.
Google Cloud — BigQuery
Centralised data warehouse for product, marketing, and platform-usage data. Internal analytics only.
Airbyte
ETL platform — moves data from Mixpanel, Google Analytics, Search Console, Meta Ads, and Xano into BigQuery.
Brevo
Transactional and marketing email — password-reset emails, programme announcements, opt-in newsletters.
Meta
Marketing pixel and advertising — consent-based only, never engaged without explicit cookie consent.
Elementor
Website builder for the marketing site only — does not touch the main platform or student data.
All 19 sub-processors in one place.
For partner schools, regulators, and auditors who want the comprehensive view in a single table.
| # | Sub-processor | Service | Location | Transfer mechanism | Reference |
|---|---|---|---|---|---|
| 1 | Bubble (Bubble Group, Inc.) | Frontend platform — UI & workflow runtime | United States | SCCs + TIA | DPA |
| 2 | Xano (Xano, Inc.) | Backend database — API & data storage | European Union | Not applicable — EU storage | Privacy notice |
| 3 | Brevo (Sendinblue SAS) | Transactional & marketing email | European Union | Not applicable — EU storage | Privacy policy |
| 4 | Mixpanel (Mixpanel, Inc.) | Product analytics — being retired; superseded by PostHog (historical data only) | United States | SCCs + TIA | DPA |
| 5 | Google Analytics (Google LLC) | Website analytics | United States | EU–US DPF (Google LLC) + SCCs fallback + TIA + IP anonymisation | Privacy |
| 6 | Meta (Meta Platforms, Inc.) | Marketing pixel, advertising (consent-based) | United States | SCCs + TIA | DPA |
| 7 | Elementor (Elementor Ltd.) | Website builder (marketing site only) | EU / US | SCCs where applicable | Trust centre |
| 8 | Chatbase (Chatbase, Inc.) | AI customer-support chatbot (system AI-01) | United States | SCCs + TIA + contractual no-AI-training | Privacy |
| 9 | OpenAI (OpenAI, L.L.C.) | LLM API for project creation assistant — text generation; teacher-only (system AI-02) | United States | SCCs + TIA · standard API: no-training-by-default · 30-day retention for abuse monitoring | Privacy & DPA |
| 10 | Google — Gemini API (Google LLC) | Image generation for project covers; teacher-only (system AI-04) | United States | EU–US DPF (Google LLC) + SCCs fallback + TIA + contractual no-AI-training | DPA |
| 11 | Vercel (Vercel, Inc.) | Hosting & edge-runtime for the project creation assistant frontend | European Union | Not applicable — EU regions configured | DPA |
| 12 | Google Cloud — BigQuery (Google LLC) | Data warehouse for product, marketing, and platform-usage analytics; staff-only | European Union | EU regions configured · DPF (Google LLC) for any control-plane processing | GDPR overview |
| 13 | Airbyte (Airbyte, Inc.) | ETL platform — moves data into BigQuery on a schedule | EU region | SCCs + TIA if any US transfer occurs; otherwise EU residency | Data protection |
| 14 | Anthropic (Anthropic PBC — Claude) | AI assistant for staff querying the data warehouse; staff-only (system AI-05) | United States | SCCs + TIA + Anthropic Commercial Terms with no-AI-training | Legal |
| 15 | PostHog (PostHog, Inc.) | Product-usage analytics inside the platform (successor to Mixpanel); consent-gated, session replay off | European Union (EU Cloud, Frankfurt) | Not applicable — EU Cloud configured; SCCs fallback for any US control-plane access; contractual no-AI-training | DPA |
| 16 | CookieYes (Synconize Solutions Pvt. Ltd.) | Consent management platform — stores and honours cookie-consent choices | India | SCCs + TIA | DPA |
| 17 | Stape (Stape OÜ) | First-party server-side tagging proxy — forwards analytics events | European Union (Estonia) | Not applicable — EU storage | Terms |
| 18 | Sentry (Functional Software, Inc.) | Error & performance monitoring — no PII by default + scrubbed event data; retention ≈ 30 days (Developer-plan default) | European Union (EU region, Frankfurt) | Not applicable — EU region configured; SCCs fallback for any US control-plane access | DPA |
| 19 | Make (Make.com s.r.o.) | Workflow automation — renders completion-certificate PDFs (name, project, date) in the certificate pipeline; triggered server-side from Xano | United States | SCCs + TIA | DPA |
What "sub-processor" means in plain language
A sub-processor is a third-party service we use to deliver some part of the Class2Class platform — for example, the database that stores your account, the email service that sends you a password-reset link, or the analytics tool that helps us understand which features teachers actually use. Every sub-processor on this list:
- Has signed a written contract with Class2Class that requires them to protect your data to the same standard we do
- Is on this list because they perform a specific role we cannot perform ourselves at our scale
- Is reviewed before engagement and at least annually thereafter
We do not sell your personal data to anyone, and no sub-processor on this list uses Class2Class data to train AI models — whether their own or any third party's.
International transfers and Transfer Impact Assessments
Where a sub-processor is established outside the European Economic Area (EEA), we rely on a valid transfer mechanism under Chapter V of the GDPR. The mechanisms we use, in order of preference:
- EU–U.S. Data Privacy Framework (DPF) — for sub-processors who are certified under the DPF, the European Commission's Adequacy Decision (EU) 2023/1795 of 10 July 2023 provides an adequacy basis for transfers to the U.S. Google LLC (covering Google Analytics, Google Cloud / BigQuery, and Google's Gemini API) is DPF-certified.
- Standard Contractual Clauses (SCCs) — used as the primary mechanism for non-DPF-certified U.S. sub-processors (Bubble, Mixpanel, Meta, Chatbase, OpenAI, Anthropic) and for CookieYes (India), and as a fallback for DPF-certified ones and for EU-hosted providers' incidental control-plane access (e.g. PostHog, Sentry).
- Transfer Impact Assessment (TIA) — supplemented across the board, in accordance with the Schrems II judgment and EDPB Recommendations 01/2020. The TIA is maintained internally and provided to partner schools on reasonable request.
AI sub-processors — additional safeguards
Class2Class uses AI features in line with the principle "You Decide. AI Helps." — teachers and staff remain the decision-makers, AI is assistive only. Where an AI sub-processor processes personal data on our behalf:
- The contract prohibits the sub-processor from using Class2Class data to train any AI model, whether their own or any third party's
- The AI system is classified as non-high-risk (or limited-risk for systems that interact directly with users) under the EU AI Act, and is documented in our AI System Inventory and Article 6(3) assessment
- Where a system interacts directly with a natural person, it identifies itself as AI before the conversation starts, in accordance with EU AI Act Article 50
The current AI sub-processors on this list are Chatbase (limited-risk, customer support — system AI-01), OpenAI (LLM API, teacher-only, non-high-risk under Art. 6(3)(b) — system AI-02), Google (Gemini) (image generation, teacher-only, non-high-risk under Art. 6(3)(b) — system AI-04), and Anthropic (Claude) (internal analytics, staff-only, no Annex III applicability, no Article 50 obligation — system AI-05).
Vercel, Google Cloud (BigQuery), and Airbyte are not AI sub-processors — Vercel is hosting infrastructure, BigQuery is a data warehouse, and Airbyte is an ETL platform. None of them train AI models on Class2Class data.
Questions partner schools and regulators ask.
Why are some sub-processors based in the United States?
Some specialised services we depend on (LLM APIs, certain analytics tools, the customer-support chatbot) are not available with EU-only operations at our scale. Where we transfer to the US, we rely on the EU–US Data Privacy Framework (where the vendor is DPF-certified), Standard Contractual Clauses, and a Transfer Impact Assessment supplemented per Schrems II and EDPB Recommendations 01/2020.
The TIA is maintained internally and shared with partner schools on reasonable request.
How will I be notified when this list changes?
Partner schools are notified at least 30 calendar days in advance through the contact on file under their signed Data Processing Agreement. Schools may object to a proposed change on reasonable data-protection grounds within 15 calendar days.
Individual users (teachers, parents) who want to be notified of material changes can write to [email protected] and we'll add you to the notification list.
Do any of these sub-processors train AI models on our data?
No. The four AI sub-processors we use — Chatbase, OpenAI, Google Gemini, and Anthropic — are each contractually prohibited from using Class2Class data to train any AI model, whether their own or any third party's.
For OpenAI specifically, we use the standard API which is no-training-by-default; OpenAI retains API request/response data for 30 days for abuse monitoring (as processor, security purpose) and then deletes it. Our DPA Appendix D.6 has the contractual detail.
Where is my school's student data actually stored?
The primary location for account data, project content, and platform messages is Xano in the EU (our backend database, EU residency confirmed). Some operational and analytics data flows through US-based sub-processors under the safeguards described above.
For schools where US transfers are not acceptable for any data type, write to [email protected] — we can discuss what data flows can be turned off (analytics, marketing pixel) while keeping the core platform functional.
Can I get a copy of the Transfer Impact Assessment?
Yes — partner schools can request a copy of the current TIA from [email protected]. It's reviewed annually and on every change to a sub-processor's data location or contractual terms.
How do I object to a sub-processor change?
Partner schools have 15 calendar days from notification to object on reasonable data-protection grounds. Write to [email protected] with the basis for your objection and we'll work with you on a path forward — that may be additional contractual safeguards, an alternative sub-processor, or, in rare cases, terminating the relationship.
Have a sub-processor question?
Whether you're a partner school doing due diligence, a regulator running an audit, or a teacher wanting to understand who handles your data — we're happy to answer. Write to our DPO directly.
- Data Protection OfficerGiancarlo Mena — [email protected]
- Partner schoolsYour designated account manager, or [email protected]
- General concern[email protected]
- Concern about the CEOIndependent Reviewer — [email protected]
- Lodge a complaintDatatilsynet — [email protected]
Looking for the full Data Processing Agreement?
If your school is preparing to onboard with Class2Class, write to our DPO at [email protected] for the current DPA template. It covers all 14 sub-processors in Appendix C, with SCCs, transfer mechanisms, breach notification SLAs, and AI-specific Technical and Organisational Measures.
Email the DPO