Subprocessors

Last updated: May 2026

In accordance with GDPR Art. 28.2, this page lists every third-party that processes personal data on behalf of MailMCP customers. We update this list when subprocessors change. To be notified of changes, email privacy@mailmcp.io with subject "subprocessor-notifications".

1. Infrastructure & hosting

Subprocessor	Purpose	Location	Coverage
LWS Ligne Web Services SAS	Web hosting (Laravel app), database (SQLite/MySQL), file storage, support email IMAP/SMTP.	🇫🇷 France Datacenters in France	ISO 27001 · HDS · GDPR-native DPA

2. AI inference (OpenRouter routing)

All AI calls go through OpenRouter, which routes inference to EU-resident providers. Fallback to non-EU providers is explicitly refused (provider.allow_fallbacks=false in config/ai.php). Provider training on our data is disabled (data_collection=deny). See the live routing dashboard in /admin/ai-rgpd (admin only).

Subprocessor	Purpose	Location	Coverage
OpenRouter OpenRouter, Inc.	AI inference gateway. Routes our calls to EU-resident model providers. Does not retain prompts or responses.	🇺🇸 USA Gateway only (no storage) — actual inference happens at downstream EU providers below	SCCs · Zero retention Privacy
Microsoft Azure OpenAI GPT-4o-mini	Chatbot, support reply assistance, outreach pitch generation.	🇸🇪 Sweden · 🇫🇷 France Sweden Central / France Central	ISO 27001 · SOC 2 · GDPR DPA
Amazon Bedrock (Anthropic Claude) Fallback for Claude models	Currently unused for end-user features; reserved for future support agent use.	🇮🇪 Ireland · 🇫🇷 France · 🇩🇪 Germany eu-west-1 / eu-west-3 / eu-central-1	ISO 27001 · SOC 2 · GDPR DPA
Google Vertex AI Fallback for Gemini models	Currently unused; available in routing config as fallback.	🇧🇪 Belgium · 🇳🇱 Netherlands europe-west1 / europe-west4	ISO 27001 · SOC 2 · GDPR DPA
Mistral AI Fallback for Mistral models	Currently unused; available in routing config as last-resort EU fallback.	🇫🇷 France HQ Paris, EU datacenters	GDPR · EU-native Terms

Explicitly NOT used: DeepSeek (China), Moonshot, Qwen, any non-EU-resident provider. Our OpenRouter routing config refuses them.

3. Payment (when activated)

Self-serve billing is being rolled out. The intended payment processor will be:

Subprocessor	Purpose	Location	Coverage
Stripe Stripe Payments Europe Ltd.	Card payments, recurring billing, invoicing. We never see or store card numbers.	🇮🇪 Ireland (EU) Stripe EU entity for European customers	PCI DSS L1 · ISO 27001 · GDPR DPA

4. What we do NOT use

No analytics tracker (no Google Analytics, no Plausible, no Matomo on the public site).
No advertising network, no behavioral tracking, no cookie consent banner needed (only strictly necessary cookies).
No US cloud (no AWS US, no GCP US, no Azure US — all our infrastructure is in the EU).
No AI training on your data. OpenRouter and downstream providers operate in zero-retention mode for our calls.

5. Need a signed DPA?

Business customers can request a signed Data Processing Agreement (GDPR Art. 28) covering personal data we process on their behalf. Our standard DPA references this subprocessor list as Annex 2.

Download DPA template (Markdown)

For a counter-signed PDF, send your countersigned version to privacy@mailmcp.io.