KomplAI
EU AI Act Risk check Features Methodology FAQ Pricing Log in Try for free ENDE

List of sub-processors

DRAFT — have this legally reviewed before go-live. This document is not a substitute for legal advice and is not warranted to be legally reviewed, sufficient or binding.

As of 6 July 2026. This list forms part of the Data Processing Agreement (DPA) between the customer (controller) and Tippel — Lukas Friedrich (processor), Kampweg 4, 34369 Hofgeismar, Germany (info@tippel.ai). It concerns the processing of the analysis content uploaded by the customer within KomplAI, for which Tippel acts as the customer's processor. For account and usage data (name, email, password hash, session/log data) Tippel is itself the controller; see the privacy policy for this.

General authorisation and announcement/objection procedure

By concluding the DPA the customer grants general authorisation to engage the sub-processors listed below (Art. 28(2) first sentence GDPR). Tippel ensures that each sub-processor is subject to the same data-protection obligations as agreed in the DPA (Art. 28(4) GDPR).

Where Tippel intends to add a further sub-processor or replace an existing one, Tippel announces this in advance (Art. 28(2) second sentence GDPR) — generally by email to the contact address on file and/or by updating this list. The customer may object to a change on reasonable, data-protection-related grounds within 14 days of the announcement. If no objection is raised within that period, the change is deemed authorised. In the event of a justified objection, the parties will seek an amicable solution; if none is reached, an extraordinary right of termination exists for the affected service.

A data processing agreement under Art. 28 GDPR (or an equivalent contractual basis) is in place, or will be concluded, with each of the sub-processors below. [Evidence on request / to be concluded].

Sub-processorPurposePlace of processing Categories of transmitted data Basis for third-country transfer DPA
IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany Hosting (servers), database, email delivery (verification/reset mails). Always used to operate the service. Germany (EU) Account and usage data (name, email, password hash), uploaded analysis content (PDF/TXT/MD, source code/ZIP) and analysis results, server logs (IP, time, URL). Uploaded content may contain personal data. — (no third-country transfer) DPA under Art. 28 GDPR [Evidence on request / to be concluded]
OpenRouter, Inc., USA AI analysis: API gateway that forwards the analysis inputs to the model provider used. Provider routing “no retention / no training” (data_collection: deny). Only when an analysis is run. USA Content submitted by the customer for analysis (documents PDF/TXT/MD and source code/ZIP repositories), which may contain personal data. No account, payment or password data. EU Standard Contractual Clauses (Art. 46(2)(c) GDPR); additional measure data_collection: deny (no retention, no training). [to be checked whether the provider is certified under the EU-US Data Privacy Framework] DPA under Art. 28 GDPR [Evidence on request / to be concluded]
Model provider used — currently Anthropic (USA), via OpenRouter Runs the AI analysis on the transmitted content. Only when an analysis is run. USA Content submitted by the customer for analysis (documents PDF/TXT/MD and source code/ZIP repositories), which may contain personal data. No account, payment or password data. EU Standard Contractual Clauses (Art. 46(2)(c) GDPR); additional measure data_collection: deny (no retention, no training). [to be checked whether the provider is certified under the EU-US Data Privacy Framework] DPA under Art. 28 GDPR [Evidence on request / to be concluded]
Stripe Payments Europe, Ltd., Dublin, Ireland Payment processing. Only when buying credits/subscriptions; only Stripe receives full payment data. Ireland (EU) Payment and billing data (full payment data reside solely with Stripe). No analysis content. — (processing in the EU) DPA under Art. 28 GDPR [Evidence on request / to be concluded]

Scope: IONOS is always used to operate the service. The analysis sub-processors (OpenRouter and the model provider) are only engaged when you run an analysis; Stripe only on a purchase. Content transmitted for the AI analysis is processed there solely to produce the result and is not used for training. For purposes, legal bases and data-subject rights see the privacy policy.

The German version is authoritative.

KomplAI
AI compliance checks: EU AI Act · DORA · GDPR
A product by Tippel
Legal Imprint
Privacy
Terms
Cookie settings
Data processing DPA
Sub-processors
TOMs
All analyses are professional support results and do not constitute legal advice.
© 2026 Tippel — Lukas Friedrich