Subprocessors

SUBPROCESSOR LIST

Version: 2026.04    Effective: April 21, 2026

This document forms Annex III to the Twini Data Processing Agreement (DPA) and lists the third parties (Subprocessors) engaged by Twini S.r.l. to Process Customer Personal Data when Twini acts as Processor under the DPA. It is incorporated by reference into the DPA and prevails over any inconsistent snapshot set out in Annex III of the DPA itself, pursuant to Section 9.2 of the DPA.

1. PURPOSE AND SCOPE

This list identifies the Subprocessors authorized to Process Customer Personal Data on behalf of Twini S.r.l. ("Twini") in connection with the Twini Service, in accordance with Article 28 of Regulation (EU) 2016/679 ("GDPR"), the UK GDPR where applicable, and the Swiss FADP where applicable.

This list does not cover third parties that Twini engages for activities in which Twini acts as an independent Data Controller (for example, its own accounting, banking, payroll, internal collaboration, outbound sales, or recruitment tools). Information about those recipients is provided in the Twini Privacy Policy at twini.ai/privacy-policy.

Capitalized terms used but not defined in this document have the meanings given in the Twini Terms of Service (at twini.ai/terms-conditions) or the DPA (at twini.ai/dpa).

2. NOTIFICATION OF CHANGES

Pursuant to Section 9.3 of the DPA, Twini will provide at least 15 days’ prior notice of any change to this list (including the addition or replacement of a Subprocessor) by email to the Customer account administrator or by dashboard notification. A record of changes is maintained in Section 6 (Version History) of this document.

Under Section 9.4 of the DPA, the Customer may, on reasonable data-protection grounds, object to a new Subprocessor by written notice to Twini within 15 days of the notification. The Parties will then cooperate in good faith as set out in the DPA.

Customers can subscribe to changes by sending an email to davide@twini.ai with the subject "Subscribe:Subprocessors".

3. CATEGORIES OF CUSTOMER PERSONAL DATA PROCESSED

Subprocessors listed in Section 5 may Process one or more of the following categories of Customer Personal Data, in each case only to the extent strictly necessary to provide the Service:

• Account and authentication data (account administrator name, business email, role, authentication tokens).

• Billing and subscription metadata (company name, VAT number, billing address, invoice amounts).

• End-User conversation content (messages exchanged between shoppers and the AI assistant on the Customer’s storefront).

• End-User technical identifiers (persistent chat_id, session tokens, IP address, user-agent, device identifiers).

• Product catalog and content data (which may incidentally include end-user generated content such as reviews).

• Customer communications and onboarding materials voluntarily shared with Twini (for example, brand guidelines, product data exports).

4. PROCESSING LOCATION OVERVIEW

Twini’s primary production environment, including the operational database and vector store that hold conversation content and embeddings, is hosted within the European Economic Area (Netherlands). Personal Data is transferred outside the EEA only for specific components of the Service, principally Large Language Model inference and certain operational tools, in accordance with Section 12 (International Transfers) of the DPA.

Where Personal Data is transferred to a third country, Twini relies on (a) the EU-US Data Privacy Framework ("DPF") where the recipient is certified, and/or (b) the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914, as supplemented by the UK Addendum and Swiss FADP modifications where relevant. The applicable mechanism is identified for each Subprocessor in Section 5.

5. CURRENT SUBPROCESSORS

The Subprocessors are grouped by function, consistent with Annex III of the DPA. Entity names and contracting entities are those applicable to Twini’s engagement as of the effective date of this version.

5.1 Cloud Hosting and Infrastructure

| Subprocessor | Service & Data Processed | Location | Transfer Mechanism |
| --- | --- | --- | --- |
| Railway Corp. (Delaware, USA) | Primary application hosting, PostgreSQL database with pgvector extension. Processes all categories of Customer Personal Data in transit and at rest. | Netherlands (EU) | Intra-EEA — no transfer mechanism required. Deployment region is Railway’s Netherlands zone (Amsterdam). |
| Cloudflare, Inc. (Delaware, USA) | Object storage (R2) for files and assets, content delivery network, and edge security. Processes Customer onboarding materials, exported files, and End-User technical identifiers (IP, user-agent) via the CDN. | Global CDN; R2 storage in EU region | DPF (Cloudflare is DPF-certified) with SCCs as a fallback via the Cloudflare Data Processing Addendum. |

5.2 Large Language Model Providers and Aggregators

| Subprocessor | Service & Data Processed | Location | Transfer Mechanism |
| --- | --- | --- | --- |
| OpenAI, L.L.C. (Delaware, USA) | LLM inference for generating AI assistant responses. Processes End-User conversation content (prompts and outputs) and relevant product context at the moment of inference. Not used to train foundational models, per Section 4.4 of the Agreement and OpenAI’s zero-retention API terms where applicable. | United States | DPF (OpenAI, LLC is DPF-certified) with SCCs as a fallback via the OpenAI DPA. |
| OpenRouter, Inc. (Delaware, USA) | LLM aggregation and routing layer used to access multiple model families (including OpenAI, Meta Llama, and others as configured). Processes the same categories as the direct LLM providers above at the moment of inference. OpenRouter acts as an intermediary; downstream model hosts are treated as sub-subprocessors engaged by OpenRouter under its own data protection terms. | United States | SCCs via OpenRouter’s terms and data protection addendum, with DPF where applicable. |

5.3 Payment Processing

| Subprocessor | Service & Data Processed | Location | Transfer Mechanism |
| --- | --- | --- | --- |
| Stripe Payments Europe, Limited (Dublin, Ireland) | Subscription billing and card payment processing for Customer subscription fees. Processes Billing and subscription metadata, and payment method metadata (token, card brand, last four digits). Full card numbers are processed by Stripe directly and never stored by Twini. | Ireland (EU); onward transfers to Stripe, Inc. (USA) for fraud prevention | Intra-EEA for the principal contracting entity. Onward transfers to Stripe, Inc. are covered by SCCs and Stripe’s DPF self-certification. |

5.4 Operational and Support Tools

| Subprocessor | Service & Data Processed | Location | Transfer Mechanism |
| --- | --- | --- | --- |
| Functional Software, Inc. d/b/a Sentry (California, USA) | Application error monitoring and diagnostics. Processes technical telemetry including stack traces, request metadata, and End-User technical identifiers; may incidentally capture conversation fragments within error payloads. | United States | DPF (Sentry is DPF-certified) with SCCs as a fallback via the Sentry DPA. |
| Slack Technologies Limited (Dublin, Ireland; subsidiary of Salesforce, Inc.) | Communication channel used with a limited subset of Customers who choose to receive support and updates via Slack. Processes the business contact data of Customer representatives and any Customer Personal Data voluntarily shared through the channel. | Ireland (EU); onward processing in United States | Intra-EEA for the principal contracting entity. Onward transfers to Salesforce, Inc. (USA) are covered by SCCs and DPF self-certification. |
| Notion Labs, Inc. (Delaware, USA) | Internal knowledge base used to maintain Customer onboarding documentation and support notes. May process Customer representative contact data and Customer-provided onboarding materials. | United States | DPF (Notion is DPF-certified) with SCCs as a fallback via the Notion DPA. |
| Google Ireland Limited (Dublin, Ireland; Google Workspace / Google Drive) | Collaboration and document storage suite. Processes Customer-shared onboarding materials, technical configuration files, and counterpart-signed contracts containing business contact data of Customer representatives. | Ireland (EU); onward processing in United States | Intra-EEA for the principal contracting entity. Onward transfers to Google, LLC (USA) are covered by SCCs and Google’s DPF self-certification. |

6. VERSION HISTORY

| Version | Effective Date | Summary of Changes |
| --- | --- | --- |
| 2026.04 | April 21, 2026 | Initial public Subprocessor List, concurrent with publication of Twini Terms of Service v2026.08, DPA v2026.06, and Privacy Policy v2026.05. |

7. CONTACT

For questions about this Subprocessor List, to subscribe to notifications of changes, or to object to a new Subprocessor under Section 9.4 of the DPA:

• Email: davide@twini.ai

• Formal notices (PEC): twini@pec.it

• Postal address: Twini S.r.l., Via Pietro Paleocapa 7, 20121 Milano (MI), Italy