Legal · GDPR Art. 28 · Annex 4
Sub-Processors
Language and scope
This list forms part of the Data Processing Agreement (DPA) and Master Services Agreement (MSA) concluded between AIRIA Systems GmbH and its customers. The German version is available at airia.systems/de/legal/subprocessors; in case of conflict, the German designation of the legal entity and its registered seat prevails.
1 · Active Sub-Processors
The following Sub-Processors process Customer Personal Data on behalf of the Controller within the meaning of Art. 4 (8) GDPR.
| # | Legal entity | Registered seat | Function | Processing location | Added |
|---|---|---|---|---|---|
| 1 | Hetzner Online GmbH (HRB 6089, Ansbach) | Industriestr. 25, 91710 Gunzenhausen, Germany | Compute, storage, network (virtualised cell infrastructure, PBS backups). Primary cell: Falkenstein DE; off-site encrypted backup target: Helsinki FI. | Germany (DE) — primary; Finland (FI) — encrypted backup only. Both EU. Cross-border transfer DE→FI is an intra-EU transfer (no SCCs required). | Go-live |
| 2 | LLM Inference Provider — to be confirmed before processing commences | EU Member State (specific seat to be named per § 4) | AI inference — LLM response generation | EU only | To be confirmed |
| 3 | Embedding Fallback Provider — to be confirmed before processing commences | EU Member State (specific seat to be named per § 4) | AI inference — degraded-mode embedding fallback (engaged only when the primary on-premises embedding service is unavailable) | EU only | To be confirmed |
| 4 | BioDec S.r.l. (P.I./C.F. 02327271207) | Via Calzavecchio 20/2, 40033 Casalecchio di Reno (BO), Italy | Linux & host-OS infrastructure — maintenance and 24×7 monitoring; no direct access to application-layer / tenant data | Italy (EU) | Go-live |
EU-residency coverage. All Sub-Processors listed above are EU-incorporated and EU-operated and are not subject to US jurisdiction (in particular FISA 702 or the CLOUD Act). No transfer within Art. 44 et seq. GDPR takes place; the intra-EU transfer DE→FI for encrypted backups is a transfer within the EEA and requires no SCCs.
The specific Sub-Processors named in rows 2 and 3 will be selected from providers meeting all of the following criteria:
- legal entity registered and headquartered in an EU Member State;
- data-plane operations and support performed exclusively from within the EU;
- structurally outside US extraterritorial jurisdiction — no US-incorporated parent, no US stock-exchange listing (CLOUD Act resilience);
- compliant with applicable EU AI Act obligations as in force from time to time.
The Controller will be notified of each specific Sub-Processor at least 30 days before processing commences, per the change-notice mechanism in § 4. Until the specific Sub-Processors are named, no Customer Personal Data flows to inference providers from Phase 0.
2 · AIRIA's internal observability — not processing on behalf of Customer; primary embedding inference — not a Sub-Processor
(1) AIRIA operates for its own operational purposes a self-hosted LGTM stack (Loki, Grafana, Tempo, Mimir) on the Hetzner DE infrastructure listed in § 1 row 1 of this Annex. The stack serves exclusively platform observability (logging, tracing, performance monitoring) for AIRIA's own operational responsibility.
(2) The data streams ingested by the stack consist exclusively of:
- obfuscated stack traces (without content data);
- system-level application identifiers (e.g. tenant IDs as opaque hashes, with no plaintext reference to the Controller or its users);
- system metrics (CPU, memory, latency, error rates).
(3) No Customer Personal Data flows into these tools. They are therefore not Sub-Processors within Art. 4 (8) GDPR and are not listed in § 1 of this Annex. Processing nevertheless remains subject to the TOMs in Annex 2 to the DPA (in particular access control and encryption).
(4) Should AIRIA in future process observability data containing Customer Personal Data, the relevant provider would become a Sub-Processor within Art. 4 (8) GDPR and would have to be added to § 1 of this Annex under the change mechanism in § 6 DPA / § 10 MSA.
(5) Primary embedding inference is not a Sub-Processor. Vector embedding inference is performed primarily by a self-hosted binary running on AIRIA-operated hardware listed in § 1 row 1 (Hetzner DE). The model weights are downloaded once during initial deployment from a public model repository; no Customer Personal Data is transmitted to that repository at inference time. Only the degraded-mode embedding fallback (row 3) involves a third-party Sub-Processor.
3 · Recipients of internal group functions
None — AIRIA Systems GmbH has no group companies to which Customer Personal Data is forwarded.
4 · Change mechanism
Changes to this list follow § 10 MSA and § 6 DPA: 30-day prior notice, 15-day Customer objection right, 30-day good-faith negotiation, then Customer's right of special termination with pro-rata refund as exclusive remedy.
5 · Confirmation of Sub-Processor TOMs
AIRIA holds, for each listed Sub-Processor, at least one of the following:
- ISO/IEC 27001 or ISO/IEC 27017/27018 certificate;
- SOC 2 Type II report (where issued);
- Provider's DPA with the contents required by Art. 28 (3) GDPR;
- Evidence of EU residency (commercial register extract, data centre location).
These records are made available to Customer on reasonable request.
Sub-Processor List · Version 1.0 of 28 April 2026 · AIRIA Systems GmbH · Grünberger Straße 54 · 10245 Berlin