Sub-processors

Last updated: June 2026

Justido Design operates through two legal entities — Justido GmbH (data controller for EU/EEA and DACH visitors) and Justido LLC (data controller for US visitors). Both entities engage the same small number of third-party providers ("sub-processors") to deliver this marketing site and the AI chat demo. This page lists every direct sub-processor — what they do, what data reaches them, where they sit, and the safeguard in force. The safeguards below cover the EU and US controller chains.

Direct sub-processors

Large-language-model inference for the homepage AI chat demo (Claude Sonnet 4.6 via the Anthropic API).

Data processed
Conversation messages typed into the chat demo, plus IP address and request metadata at inference time.
Location
United States
Safeguard
Anthropic Customer DPA terms apply via API subscription. EU 2021 SCCs and UK IDTA incorporated. Inputs and outputs are not used to train Anthropic's models per the Anthropic API terms.

Website hosting, serverless functions, and edge CDN — serves justido.design including EU-region routing for /de/* traffic.

Data processed
Request logs (IP, user agent, path, timestamps), in-transit form data, deployment artefacts.
Location
United States; global CDN edge; EU-region (fra1) for /de/* traffic
Safeguard
Signed DPA on file. Vercel is certified under the EU-US Data Privacy Framework; EU 2021 SCCs and UK IDTA also incorporated per vercel.com/legal/dpa.

Serverless Redis powering the IP rate limits that protect the AI chat demo and the SMS opt-in form against abuse.

Data processed
Visitor IP address and request timestamps, held as short-lived sliding-window counters that expire with the one-hour rate-limit window.
Location
United States
Safeguard
Upstash Data Processing Agreement applies; EU 2021 SCCs incorporated. Rate-limit telemetry is disabled; counters expire automatically.

Privacy-friendly web analytics — no cookies, no cross-site tracking, EU-hosted.

Data processed
Anonymized pageview events (route, referrer, derived country and device only). No identifiers persist between visits.
Location
European Union (Hetzner, Germany)
Safeguard
EU-internal processing; data never leaves the EU. DPA available on request. GDPR-compliant by design.

Discovery-call booking widget, calendar management, CRM, and follow-up automation. The booking widget sets its own analytics cookies once loaded; on /book it is consent-gated so it loads only after you accept cookies.

Data processed
Contact details (name, email, phone), booking metadata, follow-up email and SMS content (when sent), workflow events.
Location
United States
Safeguard
Signed DPA on file. EU-US Data Privacy Framework + UK Extension + Swiss-US DPF (certified); EU 2021 SCCs and UK IDTA incorporated.

Spam protection inside the GoHighLevel booking widget (a downstream service of HighLevel — our own pages never invoke it). Loads only after you consent to the booking calendar.

Data processed
Interaction signals collected by the reCAPTCHA check within the booking widget: device and browser characteristics and IP address.
Location
United States
Safeguard
Google LLC is certified under the EU-US Data Privacy Framework. Consent-gated: never loads before you accept the booking calendar.

Transactional SMS delivery (discovery-call booking confirmations and reminders), sent via GoHighLevel / LeadConnector, which uses Twilio as its messaging carrier.

Data processed
Recipient mobile number and the transactional appointment message content, plus delivery metadata.
Location
United States
Safeguard
Signed DPA on file. Self-certified under the EU-US Data Privacy Framework, UK Extension, and Swiss-US DPF; EU 2021 SCCs, UK IDTA, and BCRs incorporated.

We update this list when we add, change, or remove a sub-processor. To be notified of changes, email office@justido.design with the subject "Sub-processor updates".
