Subprocessor List
Last updated: December 2025
This Subprocessor List describes the third-party processors (“Sub-processors”) that Ampliro AB (“Ampliro”, “we”, “our”, or “us”) engages to support the provision of the Diplino platform and related services available at diplino.com (the “Service”).
These Sub-processors may process personal data on behalf of customers (the “Controllers”) in accordance with our Data Processing Agreement (DPA) and Applicable Data Protection Laws (including the GDPR where relevant).
Ampliro remains responsible for the performance of its Sub-processors as set out in the DPA.
1. General Information About Sub-processors
We engage Sub-processors to provide infrastructure, payment processing, email delivery and other supporting services that are necessary to operate Diplino. For each Sub-processor, we:
- Enter into a written data processing agreement that includes obligations equivalent to those imposed on Ampliro under the DPA.
- Ensure that appropriate technical and organisational measures are implemented by the Sub-processor.
- Where required, implement appropriate safeguards for transfers of personal data to countries outside the EU/EEA (e.g. Standard Contractual Clauses).
The list below reflects the core Sub-processors used in the standard configuration of Diplino. In some cases, customers may choose to integrate additional services on their own; such integrations are not covered by this list.
2. Current Sub-processors
2.1 Supabase Inc.
- Service: Backend infrastructure, including database hosting, authentication, and file/object storage for Diplino.
- Location / Data centres: Primarily EU data centres (e.g., Frankfurt, Germany) for customer data; Supabase is headquartered in the US.
- Data processed:
- User account data (e.g. names, email addresses, password hashes).
- Organisation and configuration data.
- Certificate and credential data (e.g. recipient details, course information, issue/expiry dates).
- Uploaded files and attachments (if used by the customer).
- Logs and metadata related to application usage.
- Role: Sub-processor (infrastructure provider).
- Safeguards:
- Data stored in EU-based infrastructure for standard Diplino deployments.
- SOC 2 Type II and/or comparable security certifications (as maintained by Supabase).
- Data processing terms and GDPR-compliant addendum.
- Standard Contractual Clauses and additional safeguards where any access from outside the EU/EEA occurs.
2.2 Stripe Inc.
- Service: Payment processing, subscription management and billing for Diplino plans.
- Location / Data centres: EU and US (with EU data residency options); Stripe is headquartered in the US.
- Data processed:
- Billing contact details (e.g. name, email, organisation, address).
- Payment-related information (e.g. card details, transaction identifiers) primarily handled directly by Stripe.
- Subscription status and metadata required for invoicing and account management.
- Role: Sub-processor / independent controller for certain payment processing activities.
- Safeguards:
- PCI DSS Level 1 certified payment processor.
- Data processing agreements and Standard Contractual Clauses for data transfers to the US where applicable.
- Strong security and fraud prevention measures as documented by Stripe.
Note: Diplino does not store full payment card numbers on its own systems. These are handled directly by Stripe or its acquiring banks.
2.3 Resend Inc.
- Service: Transactional email delivery (e.g. sending certificate issuance notifications, account-related emails, and other Service communications).
- Location / Data centres: Primarily US-based infrastructure (with regional options depending on Resend’s configuration and roadmap).
- Data processed:
- Recipient email addresses.
- Email content (subject line and body), which may include certificate-related information or account details.
- Delivery and engagement metadata (e.g. timestamps, delivery status).
- Role: Sub-processor (email delivery service).
- Safeguards:
- Data processing agreement including Standard Contractual Clauses for EU/EEA data.
- SOC 2 Type II and/or comparable security controls.
- Technical and organisational measures to secure email traffic and logs.
2.4 OpenRouter Inc.
- Service: AI-powered chatbot assistance and language model routing, used to provide optional support and assistance within Diplino (e.g. in-product help, conversational guidance).
- Location / Data centres: Primarily US-based infrastructure; OpenRouter routes traffic to model providers under its own terms.
- Data processed:
- Chat messages and prompts submitted via the AI assistant interface.
- Contextual data required to respond to user queries (e.g. generic application context or configuration), as configured by Diplino.
- Diplino does not intentionally send certificate payloads or full certificate datasets to OpenRouter as part of normal operation.
- Role: Sub-processor (AI routing and inference service).
- Safeguards:
- Data processing agreement including Standard Contractual Clauses for transfers from the EU/EEA.
- Contractual assurances that data submitted via the API is not used for model training or profiling by default (subject to OpenRouter’s current policies).
- Configuration to minimise the amount of personal data shared in prompts where possible.
Note: Use of the AI assistant is optional and may be limited or disabled by the customer, depending on their internal policies and requirements.
3. Changes to Sub-processors
We may add, replace or remove Sub-processors from time to time as our Service evolves.
- We will provide notice of any new Sub-processor engagements at least 30 days before the new Sub-processor begins processing personal data on behalf of customers (for example, by updating this page and/or sending an email or in-app notification).
- Customers who have a valid DPA in place with Ampliro may object in writing to the use of a new Sub-processor on reasonable data protection grounds within 14 days of receiving such notice.
If a customer reasonably objects and the parties cannot resolve the objection (for example, by changing configuration or using an alternative Sub-processor), the customer may have the right to terminate the affected Services in accordance with the terms of the DPA and the main Agreement.
4. Customer-Controlled Integrations
Customers may, at their own discretion, connect Diplino to additional third-party tools or platforms (e.g. via APIs, webhooks or custom integrations). These tools are not Sub-processors engaged by Ampliro; instead, they are engaged directly by the customer, who is responsible for:
- Reviewing and accepting such providers’ terms and privacy policies.
- Ensuring that any data transfers are lawful and appropriately safeguarded.
5. Contact
If you have any questions about this Subprocessor List or our use of Sub-processors in connection with Diplino, please contact us at:
- Email: privacy@diplino.com
- Postal Address:
Ampliro AB
Attn: Privacy / Diplino
Warfvinges väg 31
112 51 Stockholm
Sweden