Subprocessors

Last updated: October 2025

Overview

In accordance with our Data Processing Agreement (DPA) § 4.2, this page lists all subprocessors engaged by Sourcera GmbH to process Personal Data on behalf of our customers.

Pursuant to our DPA § 4.3, we will notify customers at least 30 days in advance before authorizing any new subprocessor or replacing an existing one.

All subprocessors process data exclusively within the European Union in accordance with GDPR.

Infrastructure & Core Platform

1. Microsoft Azure

Provider: Microsoft Corporation

Location: European Union (primarily Germany/West Europe) 🇪🇺

Purpose: Cloud Infrastructure Hosting

Services:

  • Azure Container Apps (Application Hosting)
  • Azure Database for PostgreSQL (Database)
  • Azure Redis Cache (Caching & Queue Management)
  • Azure Blob Storage (File Storage)
  • Azure Monitor (System Monitoring & Alerts)

Data Types Processed: All data processed by the Sourcera platform, including user access data, supplier information, transaction data, RFP/tender content, and procurement initiative details.

Legal Basis: Microsoft Azure Standard Contractual Clauses (EU Model Clauses), DPA available at microsoft.com

2. Pinecone

Provider: Pinecone Systems, Inc.

Location: European Union 🇪🇺

Purpose: Vector Database

Services:

  • Document RAG (Retrieval-Augmented Generation)
  • Semantic Search across procurement documents
  • Supplier capability matching
  • Historical tender similarity search

Data Types Processed: Vector embeddings (numerical representations) of document content, supplier descriptions, and RFP/RFQ content. Metadata includes document IDs, namespaces, and tags.

Important: Only mathematical embeddings are stored, not the original full-text documents with complete PII.

Legal Basis: Pinecone DPA, AWS-backed infrastructure (EU-Region) with Standard Contractual Clauses

3. Langfuse

Provider: Langfuse GmbH

Location: Germany (European Union) 🇩🇪

Purpose: LLM Observability & Monitoring

Services:

  • LLM call tracing and debugging
  • Performance monitoring
  • Cost tracking
  • Quality assurance

Data Types Processed: LLM prompts and responses (may contain PII in context), metadata (timestamps, model names, token counts), user IDs for tracking, error logs.

Legal Basis: Langfuse DPA (EU-based provider), GDPR-compliant, German data hosting

AI Processing Services

11. Azure OpenAI Service

Provider: Microsoft Corporation (Azure OpenAI)

Location: European Union (primarily Sweden, Switzerland) 🇪🇺

Purpose: AI-based processing

Services:

  • Tender Content Generation (Automated RFX creation)
  • Spend Analysis & Opportunity Identification
  • Document Understanding & Extraction
  • Supplier Intelligence & Categorization
  • Natural Language Processing
  • Text Embeddings for semantic search

Data Types Processed: Supplier contact information, purchase order details, invoice data (with buyer/approver names), RFP/RFQ content (with bidder contacts), contract metadata, procurement initiative descriptions, user queries and prompts.

Data Protection: Customer data is not used for training general AI models. Azure OpenAI guarantees data isolation and GDPR compliance.

Legal Basis: Azure OpenAI DPA, EU Data Boundary Commitment

12. OpenAI

Provider: OpenAI, L.L.C.

Location: European Union 🇪🇺

Purpose: Text embeddings generation

Services:

  • Text embedding generation (text-embedding-3-large)
  • Document vectorization for semantic search

Data Types Processed: Document content, supplier descriptions, procurement text data converted to vector embeddings.

Data Protection: OpenAI API with EU data processing. Data is not used for model training per OpenAI's API data usage policy.

Legal Basis: OpenAI DPA, Standard Contractual Clauses

13. Anthropic

Provider: Anthropic PBC

Location: European Union 🇪🇺

Purpose: AI-based text processing and analysis

Services:

  • Advanced language understanding
  • Document analysis and extraction
  • Contextual processing of procurement data

Data Types Processed: Procurement documents, supplier information, RFP/RFQ content, user queries.

Data Protection: Data is not used for model training. Anthropic provides data isolation and GDPR compliance.

Legal Basis: Anthropic DPA, Standard Contractual Clauses

Document Processing Services

21. Talonic

Provider: Talonic GmbH

Location: European Union 🇪🇺

Purpose: OCR and document extraction

Services:

  • Optical Character Recognition (OCR)
  • PDF document processing
  • Image-based document extraction
  • Spreadsheet data extraction
  • Multi-format document conversion

Data Types Processed: Uploaded procurement documents (PDFs, images, spreadsheets) containing supplier information, purchase orders, invoices, contracts, and RFP/RFQ documents.

Legal Basis: Talonic DPA, Standard Contractual Clauses, GDPR-compliant

External Procurement Platforms

31. Sievo

Provider: Sievo Oy

Location: European Union (Finland) 🇫🇮

Purpose: Spend analytics and opportunity identification

Services:

  • Spend data analysis
  • Supplier relationship data
  • Procurement opportunity identification
  • Historical spend insights
  • Data import and synchronization

Data Types Processed: Spend transaction data, supplier information, purchase order history, invoice data, opportunity analysis results, user access credentials (OIDC).

Legal Basis: Sievo DPA, Standard Contractual Clauses, GDPR-compliant

32. Ivalua

Provider: Ivalua Inc.

Location: European Union 🇪🇺

Purpose: Sourcing project management

Services:

  • RFP/RFQ project management
  • Supplier information management
  • Questionnaire management
  • Sourcing event coordination
  • Bid and tender management

Data Types Processed: Sourcing project details, supplier profiles, RFP/RFQ documents, questionnaire responses, bid information, project stakeholder data.

Legal Basis: Ivalua DPA, Standard Contractual Clauses, GDPR-compliant

33. Coupa

Provider: Coupa Software Inc.

Location: European Union 🇪🇺

Purpose: Procurement management and spend management

Services:

  • E-Procurement and order management
  • Supplier management
  • Contract management
  • Spend analysis
  • Invoice processing

Data Types Processed: Order data, supplier information, contract data, spend information, invoice data, user access data.

Legal Basis: Coupa DPA, Standard Contractual Clauses, GDPR-compliant

34. MarketDojo

Provider: Market Dojo Ltd.

Location: United Kingdom 🇬🇧

Purpose: E-auctions and sourcing events

Services:

  • Online auction platform
  • RFP/RFQ management
  • Supplier collaboration
  • Event management
  • Bid comparison

Data Types Processed: Tender data, supplier bids, auction results, supplier contacts, project data.

Legal Basis: MarketDojo DPA, Standard Contractual Clauses, GDPR-compliant

35. Jaggaer

Provider: Jaggaer LLC

Location: European Union 🇪🇺

Purpose: Source-to-pay platform

Services:

  • Strategic sourcing
  • Supplier management
  • Contract management
  • E-Procurement
  • Spend analysis

Data Types Processed: Sourcing data, supplier profiles, contract information, order data, spend analytics, user data.

Legal Basis: Jaggaer DPA, Standard Contractual Clauses, GDPR-compliant

36. SAP Ariba

Provider: SAP SE

Location: Germany (European Union) 🇩🇪

Purpose: Procurement network and spend management

Services:

  • Supplier network
  • Sourcing and contracts
  • Procurement and catalog management
  • Supplier collaboration
  • Spend visibility

Data Types Processed: Supplier master data, catalog data, purchase orders, contracts, spend data, user access data.

Legal Basis: SAP DPA, GDPR-compliant, German provider

37. SpendHQ

Provider: SpendHQ Limited

Location: United Kingdom 🇬🇧

Purpose: Spend analysis and data management

Services:

  • Spend data classification
  • Spend cube analysis
  • Supplier consolidation
  • Data cleansing and enrichment
  • Spend analytics

Data Types Processed: Spend transaction data, supplier information, classification data, cost center information, analysis results.

Legal Basis: SpendHQ DPA, Standard Contractual Clauses, GDPR-compliant

Communication & Collaboration Tools

41. Microsoft 365

Provider: Microsoft Corporation

Location: European Union 🇪🇺

Purpose: Business communication and collaboration

Services:

  • Email communication (Outlook) with customers
  • Document creation and collaboration (Word, Excel, PowerPoint)
  • File storage (OneDrive, SharePoint)
  • Video conferencing (Teams)

Data Types Processed: Email correspondence with customers containing names, contact details, project information. Documents, spreadsheets, and presentations containing customer data, supplier information, and procurement details.

Legal Basis: Microsoft 365 DPA, EU Standard Contractual Clauses

42. ebuero

Provider: ebuero AG

Location: Germany 🇩🇪

Purpose: Telephone service and call handling

Services:

  • Inbound call reception
  • Message taking and forwarding
  • Basic customer service

Data Types Processed: Caller names, phone numbers, company names, message content that may include customer inquiries and contact details.

Legal Basis: ebuero DPA, GDPR-compliant, German provider

Project & Task Management

51. Atlassian

Provider: Atlassian Corporation Plc

Location: Germany (European Union) 🇩🇪

Purpose: Project management and collaboration with AI

Services:

  • Issue tracking and project management (Jira)
  • Documentation and knowledge base (Confluence)
  • AI-powered insights and automation (Atlassian Intelligence)
  • Team collaboration

Data Types Processed: Project documentation, customer project names, implementation details, tickets containing customer information, meeting notes, and collaboration content that may include customer data.

Legal Basis: Atlassian DPA, EU Cloud (Germany), GDPR-compliant

Security & Compliance

61. Vanta

Provider: Vanta Inc.

Location: European Union 🇪🇺

Purpose: Security compliance monitoring and automation

Services:

  • Compliance monitoring (ISO 27001, SOC 2, GDPR)
  • Security posture management
  • Vendor risk assessment
  • Automated compliance reports
  • Security controls monitoring

Data Types Processed: System access logs, employee information, security configurations, compliance evidence, vendor information.

Legal Basis: Vanta DPA, Standard Contractual Clauses, GDPR-compliant

Data Protection Safeguards

AI Processing Protections

In accordance with our DPA § 2.3 and § 2.5:

  • All AI processing is performed solely for providing Services to the respective customer
  • Personal Data is not used for training general models without explicit customer authorization
  • Azure OpenAI, OpenAI, and Anthropic guarantee: No use of customer data for model training
  • All AI providers are bound by data protection agreements equivalent to our DPA standards

Data Residency

  • Primary Data Storage: EU (Germany/West Europe via Azure)
  • AI Processing: Exclusively EU (Azure OpenAI, OpenAI, Anthropic EU regions)
  • Vector Database: EU (Pinecone EU region)
  • Document Processing: EU (Talonic)
  • External Platforms: EU (Sievo Finland, Ivalua EU)
  • Monitoring: EU (Langfuse Germany)
  • Communication Tools: EU (Microsoft 365, ebuero)
  • Project Management: EU (Atlassian Germany)
  • No data transfer outside EU

Encryption

  • In Transit: TLS 1.2+ for all connections
  • At Rest: Azure Storage Encryption, PostgreSQL Transparent Data Encryption

Compliance & Certifications

The underlying Azure platform is certified:

  • ISO 27001 (Information Security Management)
  • SOC 2 Type II (Service Organization Controls)
  • EU Cloud Code of Conduct

Sourcera plans to obtain its own certifications (ISO 27001, SOC 2) in the next growth phase and has already implemented all required technical and organizational measures.

Changes to this List

In accordance with our DPA § 4.3, we will notify all customers in writing at least 30 days before authorizing any new subprocessor or replacing an existing one.

Customers may object to such changes on reasonable data protection grounds within 15 days of receiving notice. If we cannot adequately address the objection, either party may terminate the Agreement as specified in the DPA.

Contact

For questions regarding subprocessors or data processing:

SOURCERA GMBH

Boissereestr. 4

50674 Köln

Germany

Phone: +49 30 78099980366

Email: hello@sourcera.ai

For our full Data Protection Policy, please see our Privacy Policy.