Subprocessor & Data Processing Policy

Last updated: March 14, 2026

1. Introduction

This policy discloses all sub-processors and third-party data processors used by Michal Černáček to process personal and business data on behalf of clients. This policy is critical for GDPR compliance and transparency regarding data handling.

2. Primary Sub-Processors by Category

2.1 Advertising Platforms (Tier 1 Priority)

  • META Platforms (Facebook, Instagram, Messenger, Audience Network)
    • Service: Campaign management, pixel tracking, audience management, conversion tracking
    • Data Processing: Ad account management, customer data processing (CDPs), pixel firing
    • Location: USA (with EU data center options available)
    • DPA Status: Standard Contractual Clauses (SCCs) available
  • Google Ads/Google Marketing Platform
    • Service: Search ads, display ads, conversion tracking, audience management
    • Data Processing: Campaign creation, bid management, performance tracking
    • Location: USA
    • DPA Status: Standard Contractual Clauses (SCCs)
  • LinkedIn Ads
    • Service: B2B advertising, conversion tracking, audience targeting
    • Location: USA
    • DPA Status: Data Processing Addendum available

2.2 Analytics and Measurement

  • Google Analytics (GA4)
    • Service: Website traffic analysis, user behavior tracking, conversion tracking
    • Location: USA/EU
    • DPA Status: Standard Contractual Clauses, Data Processing Addendum
  • Hotjar
    • Service: Session recording, heatmaps, user feedback
    • Location: EU (Ireland)
    • DPA Status: GDPR compliant

2.3 Email and Communications

  • Email Service Providers (Mailchimp, Brevo, etc.)
    • Service: Email distribution, subscriber management, open/click tracking
    • Data Processing: Email address, engagement metrics
    • Location: USA/EU
    • DPA Status: Data Processing Agreements available

2.4 Website Hosting and Infrastructure

  • Cloud Hosting Providers
    • Service: Server infrastructure, website hosting, data backup
    • Location: EU or USA (depending on provider selection)
    • DPA Status: Data Processing Agreements

2.5 Payment Processing

  • Payment Gateways (Stripe, Square, etc.)
    • Service: Invoice processing, payment collection, billing
    • Compliance: PCI-DSS Level 1 compliant
    • Data Handled: Minimal (invoice data only, not full card data)

3. Data Processing Agreements (DPAs)

All sub-processors have executed Data Processing Agreements (or equivalent) that include:

  • Clear description of processing scope and instructions
  • Data security and confidentiality obligations
  • Data subject rights assistance and cooperation
  • Audit and compliance provisions
  • Data deletion and return upon termination
  • Sub-processor notification and change procedures

4. International Data Transfers

Critical Notice for GDPR: Several sub-processors are located in the USA or process data in the USA. Transfers to USA-based processors are governed by:

  • Standard Contractual Clauses (SCCs) - Court-approved safeguards required by GDPR
  • Supplementary Measures - Additional technical and organizational measures to protect data
  • Mutual Legal Assistance Treaties (MLATs)
  • Regular compliance audits and risk assessments

Clients are informed of these international transfers, and EU/EEA data subjects have the right to object or request alternative processing arrangements.

5. Sub-Processor Changes and Notification

Notification Process:

  • Clients are notified of new sub-processor additions at least 30 days in advance
  • Notification is provided via email or website notice
  • Clients may object to new sub-processors on reasonable grounds
  • If an objection is made, we will work to resolve the issue or offer service termination
  • This policy is updated to reflect all current sub-processors

6. Data Security Standards

All sub-processors are contractually required to maintain:

  • Encryption at rest (AES-256 or equivalent)
  • Encryption in transit (TLS 1.2 or higher)
  • Access controls and authentication mechanisms
  • Regular security audits and penetration testing
  • Incident response procedures with breach notification
  • Staff training and confidentiality agreements
  • Data retention and deletion policies

7. Right to Information

Under GDPR, you have the right to:

  • Know which sub-processors process your data
  • Understand the nature of processing and storage location
  • Request copies of Data Processing Agreements
  • Object to sub-processor changes on reasonable grounds
  • Request audit information about sub-processor compliance

Contact us at michal@cernacek.com to exercise these rights.

8. Compliance with EU Regulations

This policy ensures compliance with:

  • GDPR Article 28: Data Processing Agreements and sub-processor requirements
  • GDPR Articles 44-49: International data transfer safeguards
  • GDPR Article 32: Security of processing and data protection measures
  • GDPR Articles 33-34: Breach notification requirements

9. Contact for Sub-Processor Inquiries

For questions about sub-processors, DPAs, or data processing arrangements:

michal@cernacek.com