What this page covers
This page lists third parties that may receive or process data in connection with the Vatidator service.
We distinguish between:
- Service sub-processors, vendors engaged by Vatidator to process data on Vatidator's behalf under applicable data protection terms.
- External validation registries, official registries or externally operated validation sources that Vatidator queries in order to perform the validation requested by the customer. These are not vendors engaged by Vatidator as sub-processors.
- Future / planned providers, providers that may be used for specific purchasing channels or future platform features, subject to prior customer notice where required.
Tax identifiers generally relate to business entities, but may qualify as personal data under GDPR where they identify sole traders or natural persons acting in a business capacity. The disclosure below applies to all such data regardless of classification.
Section A: Service sub-processors
These vendors process data on Vatidator's behalf to operate the service.
| Sub-processor | Role | Data processed | Hosting / processing location | Applicable data protection terms |
|---|---|---|---|---|
| Microsoft Azure | Cloud hosting, database, container registry, and operational monitoring (Application Insights / Azure Monitor) for Vatidator's API and audit backend | Tax identifiers, audit log entries, proof hashes, tenant identifiers, operational metadata | Customer data hosted in EU (West Europe); Microsoft support and security operations may be performed under Microsoft's applicable data protection terms | Microsoft Products and Services DPA |
| Microsoft 365 | Business email hosting and routing for vatidator.com (info@, security@, etc.) | Business contact details and support/security correspondence; no customer validation data unless a customer voluntarily includes it in an email | EU geography (Microsoft EU data residency commitments) | Microsoft Products and Services DPA |
| Cloudflare | DNS, DDoS protection, and CDN for the public marketing site (vatidator.com). Not used in front of the customer-facing API or audit backend. | Marketing-site visitor IP addresses and basic security logs; no customer validation data | Global anycast network | Cloudflare DPA |
| Formspree | Contact-form processing for the public marketing site (vatidator.com/contact), receives form submissions and forwards them to Vatidator. Not used in front of the customer-facing API or audit backend. | Contact-form submissions you choose to send us, name, business email, company name, and message content; no customer validation data | USA (EU Standard Contractual Clauses / EU-US Data Privacy Framework where applicable) | Formspree DPA |
Section B: External validation registries
External validation registries are not sub-processors engaged by Vatidator to process customer data on Vatidator's behalf. They are official public-sector registries or externally operated validation sources that Vatidator queries in order to perform the validations requested by the customer. They operate under their own legal framework, access terms, and data-protection responsibilities.
Vatidator transmits only the minimum information required for validation, typically the tax identifier and the country code, and no internal customer document references, invoice contents, or financial data.
| Registry | Jurisdiction | What we send | What we receive | Notes |
|---|---|---|---|---|
| VIES | EU / Member State VAT registry network (European Commission portal) | VAT number, country code | Validity status, company name and address where returned | Public EU VAT validation service |
| HMRC VAT number checker | United Kingdom | VAT number | Validity status, company name and address where returned | UK government public service |
| Brreg | Norway / EEA | Organization number | Company name, registration status | Norwegian government public registry |
| UID Register | Switzerland | UID | Company name, registration status | Swiss federal public registry |
| BrasilAPI | Brazil | CNPJ | Company name, registration status | Optional third-party API providing access to Brazilian public registry data; enabled only where configured by the customer; subject to its own terms |
Section C: Future / planned providers
The following providers are candidates or planned providers for specific purchasing channels or future platform features. They will apply only where that channel or feature is used by the customer, and the formal sub-processor classification will be determined when the corresponding contractual setup is in place. Customers will be notified before activation where required.
| Provider | Planned role | Data involved | Applies when |
|---|---|---|---|
| Stripe | Payment processing for direct card billing | Billing contact and payment metadata; no validation data | Direct card billing is enabled |
| FastSpring | Merchant of Record for online self-service subscriptions, including EU VAT collection | Billing contact, subscription, and tax/VAT information; no validation data | Online self-service subscriptions are enabled |
| Microsoft AppSource | Marketplace listing and billing | Marketplace transaction and billing information processed by Microsoft under Microsoft's applicable marketplace terms | Customer purchases via AppSource |
| Salesforce AppExchange | Marketplace listing and billing | Marketplace transaction and billing information processed by Salesforce under Salesforce's applicable marketplace terms | Customer purchases via AppExchange |
Secret management for Vatidator's own API keys is planned to migrate to Azure Key Vault. Azure Key Vault is a Microsoft Azure service component covered by the existing Microsoft Azure sub-processor entry and is not listed as a separate sub-processor.
Data residency summary
| Layer | Residency |
|---|---|
| Vatidator-managed storage (audit log, proof records, tenant mapping) | EU only |
| Microsoft 365 business email and contact data | EU geography |
| Validation queries to VIES (EU / Member State VAT registry network) | EU |
| Validation queries to HMRC (United Kingdom) | UK |
| Validation queries to Brreg (Norway / EEA) | EEA |
| Validation queries to UID Register (Switzerland) | Switzerland |
| Validation queries to BrasilAPI (Brazil) | Brazil |
| Public marketing-site visitor logs | Cloudflare global anycast network (no customer validation data) |
| Future marketplace billing data | Microsoft / Salesforce platforms under their respective marketplace terms |
Some non-EU/EEA jurisdictions benefit from adequacy decisions or other lawful transfer mechanisms; where applicable, Vatidator relies on the relevant legal basis described in the Data Processing Agreement.
Sub-processor change notification
We notify customers of material sub-processor changes by email and on this page at least 30 days before the change takes effect.
Where prior notice is not reasonably possible due to emergency security, legal, or service-continuity reasons, we will notify customers as soon as reasonably practicable.
Customer's right to object
If a customer objects to a sub-processor on legitimate data-protection grounds, they may notify us at [email protected] within the 30-day notice period. We will work in good faith to find a mutually acceptable solution, including, where reasonable, refraining from using that sub-processor for the objecting customer's data.
If we cannot reasonably provide the service without the objected-to sub-processor, and no commercially reasonable alternative is available, either party may terminate the affected service in accordance with the applicable service agreement.
Customers may also disable validation for specific non-EU jurisdictions in their Vatidator setup if they do not wish to transmit tax identifiers to non-EU registries.
Contact
For sub-processor questions or to request a Data Processing Agreement:
[email protected][email protected](for security-specific concerns)