Subprocessor List
MazeVault Third-party Data Processors and ICT Service Providers
Document ID: MV-LEG-033
Version: 1.0.0
Classification: Confidential
Owner: Data Protection Officer (DPO)
Last Updated: 2026-05-01
Review Cycle: Quarterly
Approved By: CISO / DPO
1. Purpose
This document lists all sub-processors and ICT third-party service providers engaged by MazeVault in the delivery of its services. It is maintained pursuant to:
- GDPR Article 28(2) — Processor shall not engage another processor without prior specific or general written authorization of the Controller
- DORA Article 29 — Financial entities must be informed of sub-contracting chains
- Act No. 264/2025 Sb. §27 — Supply chain transparency for regulated entities
Customers are notified at least 30 days in advance of any changes to this list and retain the right to object.
2. Current Sub-processors
2.1 Infrastructure & Cloud Services
| Sub-processor | Legal Entity | Location | Service | Data Processed | Certification |
|---|---|---|---|---|---|
| Microsoft Azure | Microsoft Corporation | EU (West Europe — Netherlands) | Cloud infrastructure: AKS, ACR, Key Vault, Managed HSM, PostgreSQL, Redis | Customer encrypted data (at rest), container images, encryption keys (HSM-wrapped) | ISO 27001, SOC 2 Type II, CSA STAR, FIPS 140-2 L3 (HSM) |
| Microsoft Azure (DR Region) | Microsoft Corporation | EU (North Europe — Ireland) | Disaster recovery infrastructure (cold standby) | Geo-replicated data (encrypted) | Same as above |
2.2 Development & CI/CD
| Sub-processor | Legal Entity | Location | Service | Data Processed | Certification |
|---|---|---|---|---|---|
| GitHub | GitHub, Inc. (Microsoft) | USA (with EU data residency) | Source code repository, CI/CD (GitHub Actions), Container Registry (GHCR) | Source code, CI artifacts, container images | SOC 2 Type II, ISO 27001 |
No Customer Data in GitHub
GitHub processes MazeVault source code and build artifacts only. No customer personal data or secrets are stored in or transmitted to GitHub. Customer deployments are fully self-contained.
2.3 Certificate Authority Providers
| Sub-processor | Legal Entity | Location | Service | Data Processed | Certification |
|---|---|---|---|---|---|
| DigiCert | DigiCert, Inc. | USA | Public certificate issuance | CSR data (CN, SAN), organization validation data | WebTrust, ISO 27001 |
| Let's Encrypt | Internet Security Research Group (ISRG) | USA | ACME automated certificates | Domain names, ACME challenge tokens | WebTrust |
| I.CA | I.CA (Prvni certifikacni autorita, a.s.) | Czech Republic | Qualified certificates (eIDAS) | CSR data, organization data | eIDAS QTSP, ISO 27001 |
CA Provider Usage
Certificate Authority providers are engaged only when the customer configures certificate issuance through these providers. Customers choose which CAs to use. MazeVault submits CSRs on behalf of the customer — no private keys are transmitted.
2.4 License Management
| Sub-processor | Legal Entity | Location | Service | Data Processed | Certification |
|---|---|---|---|---|---|
| Google Cloud Platform | Google LLC | EU (europe-west1 — Belgium) | License server hosting (Cloud Run) | Organization name, license key, admin email, usage metrics | ISO 27001, SOC 2 Type II |
3. Customer-Managed Components (NOT Sub-processors)
The following components are deployed and managed within the customer's own infrastructure. MazeVault does not have access to these systems in production:
| Component | Description | Data Location |
|---|---|---|
| PostgreSQL | Primary database | Customer infrastructure |
| Redis | Session cache, ephemeral data | Customer infrastructure |
| MazeVault Backend | Application server | Customer infrastructure |
| MazeVault Frontend | Web UI | Customer infrastructure |
| MazeVault Agent | On-premise certificate deployment | Customer infrastructure |
| OCSP Responder | Certificate status service | Customer infrastructure |
4. Sub-processor Change Notification Process
4.1 Notification
MazeVault will notify customers at least 30 calendar days before engaging a new sub-processor or materially changing an existing sub-processor's scope.
Notification is provided via:
- Email to the designated data protection contact
- Update to this document (version increment)
- Notification in the MazeVault administration panel (if applicable)
4.2 Customer Objection Right
Customers may object to a new sub-processor within 15 calendar days of notification. Objections must be in writing and state reasonable grounds related to data protection or security concerns.
Upon receiving an objection, MazeVault will:
- Discuss the concern with the customer within 5 business days
- If the objection cannot be resolved:
  - MazeVault will make commercially reasonable efforts to provide an alternative
  - If no alternative is feasible, either party may terminate the affected service with 90 days' notice
4.3 Emergency Changes
In exceptional circumstances (e.g., sub-processor security incident requiring immediate migration), MazeVault may engage a replacement sub-processor with shorter notice, provided:
- Customer is notified immediately
- The replacement meets equivalent security standards
- Full documentation is provided within 7 days
5. Sub-processor Security Requirements
All sub-processors are required to:
| Requirement | Standard |
|---|---|
| Information security management | ISO/IEC 27001 certification or equivalent |
| Independent audit | SOC 2 Type II report or equivalent |
| Encryption in transit | TLS 1.2+ minimum |
| Encryption at rest | AES-256 or equivalent |
| Access control | Role-based, least privilege |
| Incident notification | Within 24 hours to MazeVault |
| Data processing agreement | Art. 28 GDPR compliant |
| Data localization | EU processing unless explicitly agreed |
| Audit rights | MazeVault retains audit rights over sub-processors |
6. DORA Register of Information
For customers subject to DORA (Regulation EU 2022/2554), the following information is provided for each sub-processor to support the customer's Register of Information (Article 28(3)):
| Field | Microsoft Azure | GitHub | DigiCert | Let's Encrypt | I.CA | GCP |
|---|---|---|---|---|---|---|
| Service type | Cloud infrastructure | DevOps platform | CA services | CA services | CA services | License hosting |
| Criticality | Critical | Critical (dev only) | Significant | Significant | Significant | Significant |
| Substitutability | Medium (AWS/GCP) | Medium (GitLab) | High (other CAs) | High (other CAs) | Medium (other QTSPs) | High (Azure/AWS) |
| Data location | EU | USA/EU | USA | USA | CZ | EU |
| Subcontracting | Yes (Azure supply chain) | Yes (GitHub supply chain) | No | No | No | Yes (GCP supply chain) |
| Exit feasibility | 6-12 months | 1-3 months | Immediate | Immediate | 1-3 months | 1-3 months |
7. Document History
| Version | Date | Change | Author |
|---|---|---|---|
| 1.0.0 | 2026-05-01 | Initial release | DPO |
Related
- Third-party Risk Management — Supplier assessment and governance
- Data Processing Agreement (available on request from info@mazevault.com) — Art. 28 GDPR template
- DORA Compliance Mapping — Register of information requirements
- Security Annex (available on request from info@mazevault.com) — Sub-processing contractual provisions