Sub-processors
The third-party service providers that Cension AB engages to process Customer Data when you use the Cension service.
Effective Date: 2026-04-18
Name: Cension AB
Organization Number: 559470-4768
Registered Address: Cension AB, Rådmansgatan 80A, 113 60 Stockholm
Contact Email: hello@cension.ai
1. What is a sub-processor?
A “sub-processor” is any third party that Cension engages to process Customer Personal Data on Cension’s behalf in order to deliver the Service. This page lists the external sub-processors that may receive Customer Data when the corresponding feature is used. It is an integral part of our Data Processing Addendum (DPA).
Internal components that Cension builds and operates itself inside our existing cloud environment — for example, internal search, data-acquisition, and ingestion services — are not sub-processors and therefore do not appear on this list, because Customer Data does not leave Cension’s own infrastructure when those components run.
This list also does not include third parties that Cension engages for its own internal business operations — for example, Cension’s own marketing, content-production, analytics, or recruitment tools — where the vendor does not receive Customer Data. Those vendors process Cension’s own business data and are therefore outside the scope of the DPA. This page focuses on external recipients of Customer Data.
2. Sub-processors of Customer Personal Data and Customer Content
The following third parties are engaged by Cension to process Customer Personal Data or Customer Content on Cension’s behalf in order to deliver the Service. Each vendor is bound by written terms that impose data-protection obligations substantially equivalent to those set out in our DPA.
| Sub-processor | Service | Category | Region | Transfer mechanism |
|---|---|---|---|---|
| Microsoft Corporation | Cloud infrastructure, hosting, managed databases, object storage, and transactional email | Cloud infrastructure & transactional email | European Union | Intra-EEA (primary); Microsoft EU Data Boundary commitments |
| Google LLC | Gmail SMTP | Transactional email fallback | United States | EU–US Data Privacy Framework (DPF) |
| Google LLC | Sign-in with Google (federated authentication) | End-user authentication | United States | EU–US Data Privacy Framework (DPF) |
| OpenAI OpCo, LLC | OpenAI API (GPT family) | AI / Large Language Model inference | United States | EU–US Data Privacy Framework (DPF); EU SCCs Module 2 as fallback |
| Google LLC | Gemini / Generative Language API | AI / Large Language Model inference | United States | EU–US Data Privacy Framework (DPF); EU SCCs Module 2 as fallback |
| xAI Corp. | xAI API (Grok family) | AI / Large Language Model inference | United States | EU SCCs Module 2 |
| Voyage AI, Inc. | Voyage embedding models | AI / Text embeddings | United States | EU SCCs Module 2 |
| Groq, Inc. | Groq API (LLM-assisted extraction from Customer-initiated web crawls) | AI / Large Language Model inference | United States | EU SCCs Module 2 |
| Google LLC | Google Drive API (read-only file lookup, Customer-authorized) | Customer-authorized file retrieval | United States | EU–US Data Privacy Framework (DPF) |
| Stripe | Subscription billing and payment processing | Payments | European Union and United States | Intra-EEA and EU–US Data Privacy Framework (DPF) / EU SCCs as applicable to the contracting Stripe entity |
3. Third-party infrastructure and data sources
The following third parties form part of Cension’s service delivery but, by design, do not receive Customer Personal Data or Customer Content in a form that would make them processors of Customer Personal Data on Cension’s behalf. They are listed here for transparency and are not sub-processors within the meaning of Section 7 of the DPA.
Where a Customer workflow builds a search query from Customer-provided inputs, the resulting query text may be transmitted to a public search engine to retrieve publicly available results. No Customer account identifier, end-user identifier, or session identifier is attached to such queries. Customers should not include Personal Data in search-driven workflow inputs unless that processing is covered by the Customer’s own lawful basis. See Section 3 of the DPA.
| Provider | Role | Data received | Region | Transfer mechanism |
|---|---|---|---|---|
| Evomi SA | Residential forward proxy for outbound fetches to third-party websites | Request metadata only (destination host, SNI, timing, volume). Request and response bodies are encrypted TLS to the destination; no Customer Content is received by the proxy. | Switzerland | Swiss adequacy decision |
| Smartproxy UAB | Residential forward proxy (fallback) for outbound fetches to third-party websites | Request metadata only (destination host, SNI, timing, volume). Request and response bodies are encrypted TLS to the destination; no Customer Content is received by the proxy. | Lithuania (EU) | Intra-EEA |
| DuckDuckGo, Inc. | Public web search API | Query strings (which may be derived from Customer workflow inputs). No Customer account identifier, end-user identifier, or session identifier is transmitted. | United States | EU SCCs Module 2 |
| Google LLC | Google Ads API (keyword and search-volume lookup) | Query strings (which may be derived from Customer workflow inputs) plus Cension’s own Google Ads login-customer-id header, which identifies Cension AB rather than any Customer or end-user. | United States | EU–US Data Privacy Framework (DPF) |
| Apollo.io, Inc. | Demo scheduling on Cension’s marketing website | Contact details provided by a website visitor who voluntarily books a demo (such as name, email, company, and chosen time slot). This is website-visitor data, not Customer Account Data or Customer Content. | United States | EU SCCs Module 2 |
Cension also operates a self-hosted meta-search service (SearXNG) inside its own European cloud environment. This service is internal to Cension’s infrastructure and is not a third party; queries are fanned out from within Cension’s environment to the public search engines listed above.
4. Corporate vendors (out of scope)
In addition, Cension engages third-party vendors for its own internal business and marketing operations — for example, social-media and publishing platforms (such as YouTube, TikTok, Reddit, and dev.to) used to distribute Cension’s own marketing content, and general productivity and analytics tools used by Cension’s team. These vendors process Cension’s own corporate data, not Customer Personal Data or Customer Content, and are therefore outside the scope of this page and of the DPA. Where such vendors process personal data of website visitors, that processing is described in the Privacy Policy.
5. Notice of changes
Cension may update this list from time to time. Customers are encouraged to review the list periodically. The procedure for objecting to a new sub-processor, and the Customer’s exclusive remedy if a reasonable objection cannot be resolved, is set out in Section 7 of the DPA. Customers with bespoke notification requirements may negotiate such terms under a separately signed Enterprise Service Agreement.
6. International transfers
Cension’s primary application, database, and file storage are operated within the European Union at an enterprise cloud infrastructure provider. Transfers of Customer Data to sub-processors established outside the EU / EEA rely on one of the following mechanisms: the EU–US Data Privacy Framework where the recipient is DPF-certified; the EU Standard Contractual Clauses (Module 2, Controller-to-Processor) approved by the European Commission; the UK International Data Transfer Addendum; or the Swiss FADP equivalents. For additional context, see Section 8 of the DPA.
7. Contact
For any question regarding sub-processors, international data transfers, or to submit an objection, contact Cension AB at hello@cension.ai.