Who we work with
To run Office by Elevera we rely on a small, deliberately short list of vetted third-party service providers, our sub-processors. Each one handles a specific part of the service, such as hosting the database or sending account email, and only ever receives the data needed for that task.
Every sub-processor on this page operates under a GDPR-compliant Data Processing Agreement (DPA) and is located in the EU or processes personal data in line with EU data-protection law. Office stores and processes data in an EU region by default.
Office is the controller for your account data (administrator names, email addresses and billing details) and acts as a processor for the employee and HR records your organisation enters. For those employee records, your organisation is the controller and Office processes them on your instructions under our DPA.
Our sub-processors
The four providers below make up our full sub-processor list today. For each one we set out its purpose, the data involved and where it is processed.
Supabase
EU region
- Purpose: Hosts our Postgres database, handles authentication and stores uploaded files.
- Data involved: Account data and the employee and HR records your organisation enters, including names, contact details, employment and absence data, and uploaded documents.
- Location and safeguards: Processed in an EU region under a GDPR Data Processing Agreement, with encryption in transit and at rest.
Vercel
EU and CDN
- Purpose: Hosts the web application and serves it through a content delivery network.
- Data involved: Technical request data needed to serve pages, such as IP address and browser information; the application itself reads and writes your data in the EU database.
- Location and safeguards: Operates under a GDPR Data Processing Agreement, with EU Standard Contractual Clauses applied to any transfer outside the EU.
Stripe
EU and adequacy
- Purpose: Handles subscription billing and payment processing.
- Data involved: Billing contact details and payment information needed to take subscription payments; we do not store full card numbers ourselves.
- Location and safeguards: PCI-compliant processor under a GDPR Data Processing Agreement, with EU Standard Contractual Clauses for any transfer outside the EU.
Resend
EU and adequacy
- Purpose: Sends transactional email such as sign-in links, invitations and account notifications.
- Data involved: Recipient email address and the content of the transactional message being sent.
- Location and safeguards: Operates under a GDPR Data Processing Agreement, with EU Standard Contractual Clauses applied to any transfer outside the EU.
How we choose them
We keep the list short on purpose and add a provider only when it is genuinely needed to deliver the service. Before a sub-processor touches any personal data, we put three checks in place.
Data Processing Agreement. We sign a GDPR-compliant DPA with each provider that sets out the scope, security obligations and the basis for any data transfers.
Security review. We review the provider's security posture, certifications and track record, and we prefer providers with EU data residency and strong, audited controls.
EU and adequacy. We choose providers located in the EU or, where a provider operates outside the EU, those that process data under an adequacy decision or appropriate safeguards such as the EU Standard Contractual Clauses.
Request our DPA
If your organisation needs a signed Data Processing Agreement covering how Office handles the personal data you enter, we are happy to provide one. The DPA names our sub-processors and the safeguards that apply to international transfers.
To request our DPA, email us at hello@eleverastudio.com and we will send the current version for your review and signature.
Changes and notice
We keep this page current as the single source of truth for the sub-processors we use. When we plan to add a new sub-processor or replace an existing one, we update this page first.
We will give notice of a new or replacement sub-processor before it begins processing personal data, so you have a reasonable opportunity to review the change. If you have a signed DPA with us, the objection process set out in that agreement applies.
Contact
Questions about our sub-processors, data residency or a Data Processing Agreement can be sent to the provider and controller below.
Elevera Studio (obrt za računalno programiranje, vl. Petar Markota), Ulica Stjepana Draganića 9, 10000 Zagreb, Croatia.
Email: hello@eleverastudio.com. Phone: +385 99 833 4349.