SOLGREEN Subprocessors
Plain English: This page lists every third-party vendor that may process Personal Data on SOLGREEN's behalf when we deliver work for clients. We use a deliberately small stack — four vendors total. Each one is a US-headquartered service, so EU SCCs do the heavy lifting on cross-border transfers.
Last updated: 2026-05-07
This page identifies the third-party processors that SOLGREEN OÜ ("SOLGREEN") engages to process Personal Data of our clients' end-users in connection with the services we provide. It is incorporated by reference into SOLGREEN's Data Processing Agreement and Privacy Policy.
How We Manage Subprocessors
Plain English: We screen vendors before onboarding them, contractually flow our GDPR Article 28 obligations down to them, and review the list quarterly.
- Selection criteria: Security posture (SOC 2 Type II / ISO 27001 / equivalent preferred), data-protection commitments (signed DPA, EU SCCs, no-training commitments for AI), regional data-residency options, and direct fit with the service we need.
- Contracts: Every subprocessor is bound by a written DPA imposing obligations no less protective than those we accept from clients under our own DPA.
- Cross-border transfers: Where data flows from the EEA to a non-EEA jurisdiction, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914), and on the UK ICO's International Data Transfer Addendum for UK-origin data. We have completed Transfer Impact Assessments for each US-based vendor below.
- Reviews: Quarterly review of the subprocessor list; refreshed due-diligence on a risk-tiered basis.
Notice of Changes
Plain English: We give clients at least 30 days' notice before we add or replace any subprocessor that processes their data. You can subscribe to be told as soon as we post a change.
We provide at least thirty (30) days' notice of any addition or replacement of a subprocessor that processes Personal Data of one of our clients.
To subscribe to subprocessor-change notifications, email privacy@solgreen.ee with the subject line "Subscribe: Subprocessors" and the email address(es) you want notified. To unsubscribe, reply with "Unsubscribe."
If you object to a new subprocessor on reasonable data-protection grounds, contact privacy@solgreen.ee within fifteen (15) days of the notice. We will work with you to resolve the objection; if we cannot, you may terminate the affected Statement of Work without penalty (other than for services already performed), as set out in Section 6 of our DPA.
Current Subprocessors
Plain English: Four vendors. Hosting, edge security, transactional email, and code repository. That's it. No analytics provider, no advertising network, no CRM, no AI vendor on this page (when AI vendors enter the picture for a specific engagement, we name them in the SOW and re-execute the DPA flow).
| Subprocessor | Purpose | Location of processing | Transfer mechanism (from EEA / UK / CH) | DPA reference |
|---|---|---|---|---|
| Railway Corp. | Application hosting (the runtime that hosts the marketing site and any client-deliverable services we operate) | United States, multi-region available | EU SCCs Module 3 (Processor-to-Processor) + Railway's signed DPA | Railway DPA |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, edge security for solgreen.ee and any client-deliverable services we route through Cloudflare |
United States with global edge POPs | EU SCCs Module 3 + Cloudflare DPF certification + UK Addendum | Cloudflare DPA |
| Resend, Inc. | Transactional email delivery (form responses, account notifications, contract handoffs). No marketing trackers. | United States | EU SCCs Module 3 + Resend's signed DPA | Resend DPA |
| GitHub, Inc. (Microsoft) | Source-code repository for SOLGREEN's own deliverables and for client-shared repositories (private). | United States | EU SCCs Module 3 + Microsoft DPF certification | GitHub DPA |
All four vendors are US-headquartered. EU-origin data transferred to any of them moves under the EU SCCs and (where vendor has self-certified) the EU-US Data Protection Framework. UK-origin data moves under the UK ICO's International Data Transfer Addendum to the EU SCCs. Swiss-origin data, where applicable, moves under the Swiss Addendum. We have completed Transfer Impact Assessments for each.
What we explicitly do NOT use
For transparency, the following categories and named vendors do not appear in our processing chain on solgreen.ee or in our standard delivery operations:
| Category | Examples we do NOT use | Why we mention it |
|---|---|---|
| Web analytics | Google Analytics, Microsoft Clarity, Hotjar, FullStory, Plausible-cloud | We don't run advertising and don't profile visitors |
| Advertising / retargeting | Google Ads, Meta Pixel, LinkedIn Insight Tag, TikTok Pixel | We don't advertise |
| Session replay | FullStory, Hotjar Session Replay, LogRocket | We don't watch your screen |
| CRM / marketing automation | HubSpot, Salesforce, Klaviyo, Customer.io | We use email + calendar for ourselves |
| AI vendors (default) | OpenAI, Anthropic, Stability AI | When AI is part of a specific engagement, the vendor is named in that SOW and added here for that engagement only |
| Third-party fonts | Google Fonts, Adobe Fonts (cloud-hosted) | We self-host any web fonts to keep IPs out of US transfer paths |
| Tag managers | Google Tag Manager, Adobe Launch | No third-party tag injection |
When Engagement-Specific Subprocessors Apply
Plain English: Some client work needs additional vendors — for example, a RAG project may require an AI inference vendor, or a deployment may require a specific cloud provider the client uses. We name those vendors in the SOW and re-issue the DPA paperwork before processing starts.
When a Statement of Work introduces a new subprocessor (commonly: an AI vendor for content production or model inference, a client-specified cloud provider, a client-specified database service, or a customer-data platform), we will:
- Name the additional subprocessor in the SOW
- Confirm the vendor's DPA, security posture, and transfer-mechanism flow-through
- Update this list within 30 days, scoped to the engagement(s) that use the vendor
- Apply the same right-to-object workflow described above
Engagement-specific subprocessors are not maintained as a permanent part of this list — they appear only while the relevant engagement is active.
Past Changes
Plain English: A simple log so you can see how the list has evolved.
| Date | Change | Subprocessor | Reason |
|---|---|---|---|
| 2026-05-07 | Initial publication | — | First public version of this page |
Affiliate Sub-processors
SOLGREEN does not currently engage Affiliate sub-processors. If we do in the future, we will list them here.
Contact
For questions about this list, including subscription requests and objections to specific subprocessors:
- Email:
privacy@solgreen.ee - Postal: SOLGREEN OÜ, Tartu mnt 67/1-13b, 10115 Tallinn, Estonia