Third Party Tools and Data Providers Annex
Author:
Soufiane Boudarraja
Date:
February 24, 2026
1. Purpose and scope
This Annex identifies the categories of third-party services, tools, and data providers that may be used across the Soufiane Boudarraja ecosystem (the "Ecosystem"). Its purpose is to provide transparency and to support compliance with GDPR, including Article 28 where Soufiane Boudarraja acts as a Processor under a Data Processing Agreement ("DPA").
This Annex uses a category-based approach so that it remains accurate even as specific vendors change over time. A current engagement-specific list of the specific entities used to process personal data for a particular Customer can be provided upon written request.
2. General principles
The engagement of third-party services is governed by the principles below:
Tool neutrality: We select tools based on the service context and, where relevant, the Customer’s existing stack and instructions.
Pass-through use: In some cases the Customer is the direct contractual partner of a provider. We may operate the Customer’s accounts as an authorised user to deliver the Services.
Subprocessor role: Third parties that process Customer Data on our behalf in connection with Services under a DPA are treated as Subprocessors. We require written agreements imposing data protection obligations at least as protective as the DPA.
Data separation: Customer Data is not shared with or reused for another customer. Logical separation is maintained even where the same tooling is used for multiple engagements.
Data minimisation: We seek to limit personal data processing to what is necessary for service delivery, security, and support.
3. Roles and applicability
This Annex covers third parties used in different legal roles:
Processor context (B2B Services under a DPA): third parties that process Customer Data on our behalf are Subprocessors.
Controller context (our own business operations): for example, visitors to our websites, direct customers purchasing digital products or POD items, or newsletter subscribers. In these cases, our Privacy Policy governs and third parties act as our processors or independent controllers depending on the tool.
Customer-controlled tools: where the Customer chooses and controls a tool, the Customer remains responsible for its configuration, terms acceptance, and lawful basis, with our support limited to executing documented instructions.
4. Categories of third-party tools and data providers
The table below describes the main categories of third-party tools and providers that may be used across the Ecosystem. Specific tools may vary by region, product, and engagement.
Category
Function
Typical data processed
Typical role
Website platform, hosting, and content delivery
Host and deliver websites, pages, and downloadable resources; manage site performance and security.
IP address, device/browser data, page interactions, account/admin access logs, form submissions where used.
Processor for us (controller context) or Subprocessor (processor context), depending on data and engagement.
Domain, DNS, and certificate services
Operate domains, DNS routing, and security certificates.
Domain registration data, DNS logs, security metadata.
Processor or independent controller depending on the provider.
Analytics and measurement
Measure site/app usage and performance; audience insights; conversion tracking.
Online identifiers, device/browser data, event data, approximate location, aggregated metrics; may include consent status.
Processor for us (controller context); may be Subprocessor where analytics is run within a Customer engagement.
Consent management and privacy controls
Cookie consent banners, preference storage, consent logs, tag control.
Consent choices, timestamps, device/browser data, anonymised identifiers.
Processor for us (controller context).
Email, messaging, and communications infrastructure
Send and receive transactional and business communications; newsletters; support communication.
Names, email addresses, message content, metadata, delivery logs.
Processor or Subprocessor depending on whether used for our operations or a Customer engagement.
Scheduling and meeting tools
Booking links, calendar scheduling, meeting invitations, conferencing.
Names, email addresses, time zone, meeting metadata, call details if recorded by the Customer.
Processor or Subprocessor depending on context; conferencing providers may be independent controllers for certain data.
Payment processing and billing
Process payments, refunds, invoices, fraud prevention.
Payment identifiers, billing address, transaction metadata; we do not store full card details where handled by payment providers.
Independent controller or processor depending on the provider; typically an independent controller for payment execution.
E-commerce, order management, and fulfilment (including POD)
Manage orders, shipping, and production through fulfilment partners.
Order details, shipping address, contact details, product configuration; limited customer service data.
Processor for us or independent controller depending on fulfilment model.
Customer relationship management and pipeline tools
Manage B2B leads, contacts, opportunities, and engagement history.
Business contact data, communication logs, notes, task history.
Processor for us (controller context) or Subprocessor in Customer engagements when instructed.
Data enrichment and external API services
Retrieve external datasets to enrich, validate, or contextualise customer-provided inputs (for example company data, public business signals).
Business contact data or company-level data as instructed; API request metadata; may include personal data depending on use case.
Subprocessor where used in Customer engagements; otherwise processor for us.
File storage, collaboration, and document tooling
Store and collaborate on documents, reports, deliverables, and configuration files.
Customer Data contained in documents; access logs; version history.
Subprocessor (processor context) or processor (controller context).
Application performance monitoring (APM), logging, and telemetry
Monitor stability, error logging, security, and service performance.
Error logs, device/app metadata, IP address, timestamps; may include limited identifiers.
Subprocessor where used for Customer-facing services; otherwise processor for us.
AI and machine learning platforms
Process inputs and generate outputs for specific features (summaries, drafts, analysis) where enabled.
Prompt inputs, content snippets, metadata necessary to generate outputs; may include personal data if provided by Customer/user.
Processor or Subprocessor depending on context; use is governed by the AI Statement and applicable agreements.
Media and distribution platforms
Host and distribute audio/video content (podcasts, video, embeds).
Playback data, device/browser data, IP address, analytics and engagement signals; account/admin data.
Typically independent controllers for platform analytics; may be processors for limited functions.
Professional advisors and administrative services
Legal, accounting, compliance, and administrative support.
Limited personal data incidental to invoicing, audits, disputes, or compliance tasks.
Independent controllers or processors depending on engagement.
5. Subprocessor management and updates
We maintain an internal record of the specific providers used for each engagement where we act as a Processor. The process includes:
Maintaining an engagement-specific list of Subprocessors including the service provided, processing location(s) where known, and the main transfer safeguard used when applicable.
Providing an up-to-date list of specific Subprocessors used for a Customer engagement upon written request.
Providing reasonable advance notice of intended changes concerning the addition or replacement of Subprocessors for ongoing engagements, where practicable.
Allowing Customers to object on reasonable data protection grounds, following the objection process in the DPA.
6. International data transfers
If a third-party provider processes personal data outside the European Economic Area (EEA), we aim to ensure an appropriate safeguard under GDPR Chapter V. Safeguards may include an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other lawful transfer mechanisms.
Where SCCs are required, the SCCs adopted by Commission Implementing Decision (EU) 2021/914 are typically used, with the appropriate module(s) depending on the relationship.
7. Customer responsibilities
Where the Customer instructs us to use specific tools, data sources, or third-party services, or where the Customer is the direct contractual partner of a provider, the Customer remains responsible for:
Accepting and complying with the provider’s terms and privacy notices, including any required end-user notices.
Ensuring instructions are lawful and consistent with data protection and e-privacy requirements.
Configuring retention, access controls, and permissions appropriately within Customer-controlled tools.
Informing us of any restrictions or prohibited configurations that apply to the Customer’s accounts or tooling.
8. How to request the current provider list
Customers may request the current list of specific Subprocessors used for their engagement by submitting a request through our contact page (https://www.soufianeboudarraja.com/contact) with the subject line "Subprocessor List Request". To process the request efficiently, include the engagement name, order reference, or statement of work reference.
9. Changes to this Annex
We may update this Annex to reflect changes in tool categories, supplier and platform changes, legal requirements, or the evolution of the Ecosystem. Material changes that affect processing under an active DPA will be communicated in accordance with the DPA notification procedures.
10. Contact
Questions about this Annex may be sent to Soufiane Boudarraja. To submit a question, use our contact page: https://www.soufianeboudarraja.com/contact.
For statutory legal entity and address details, see the Impressum / Legal Notice on our website.