REGISTER
Sub-processors
List of parties that process personal data on Pinpointer's behalf under GDPR Article 28.
Last updated: 19 May 2026
About the list
Pinpointer engages sub-processors for specific parts of the service. All sub-processors have data processing agreements with Pinpointer and process data only according to our instructions.
We notify our customers of changes to this list so they have the opportunity to object to specific sub-processors under the applicable DPA.
Current sub-processors
| Sub-processor | Service | Nature of processing | Location | Security |
|---|---|---|---|---|
| Tripnet / Supabase | Hosting of database and edge functions | Storage and processing of all customer data | Sweden | EU/EEA, encryption at rest and in transit, role-based access control |
| Resend | Transactional email | Sends email on Pinpointer's behalf (name, email) | EU | SOC 2 Type II, EU-hosted |
| 46elks | SMS delivery | Sends SMS on Pinpointer's behalf (phone number) | Sweden | Swedish operator |
| Tickstar (Galaxy GW) | BEAst Peppol transport | Transports delivery reports between companies (company data, no personal data directly) | EU | Peppol network security requirements |
| Criipto (Idura) | BankID and e-signing | Identification and signing of documents (name, personal identification number) | Denmark/EU | Bank-grade encryption, EU-based |
| Google Maps | Geocoding and maps | Address to coordinates (no direct personal data) | USA | EU SCC, Schrems II-compliant |
| Anthropic (Claude) | AI functionality | Text generation for insights and help chat (data processed momentarily, not stored for training) | EU/USA | EU connection where possible, SCC |
| Klimatklar | Climate budget data | Retrieval of climate data for projects (no personal data) | Sweden | Swedish supplier |
| OpenMeteo | Weather data | Retrieves weather forecasts for projects (no personal data) | EU | Public API |
| Naturvårdsverket (the Swedish Environmental Protection Agency) | Waste register API | Reporting of hazardous waste (organisation data, transporter data) | Sweden | Swedish government authority, OAuth2-protected |
International transfers
Most of Pinpointer's sub-processors are based in the EU/EEA and do not transfer personal data outside this area.
For sub-processors in the USA (currently Google Maps and partly Anthropic), we apply:
- Standard Contractual Clauses adopted by the European Commission (SCC)
- Supplementary technical measures (encryption, pseudonymisation)
- Assessment of the supplier's legal environment under the Schrems II ruling
- Minimisation of data transferred
For Google Maps, we use only geographic data (addresses) — no directly identifying personal data is transferred.
For Anthropic, AI functionality is used for specific purposes (text generation, insights, support chat). Data is not stored at Anthropic for model training or other purposes.
Objection to sub-processor
As a customer of Pinpointer, you have the right to object to specific sub-processors under the applicable DPA. We undertake to notify our customers in writing at least 30 days before adding or replacing a sub-processor, so that the customer can object within a reasonable time.
Contact us at kundtjanst@pinpointer.se to discuss alternative solutions or exercise your right to object.
Questions about sub-processors
Do you have questions about a specific sub-processor or want more detailed information? Contact us at kundtjanst@pinpointer.se.
Back to the Data Processing Agreement (DPA).