Subprocessors
As of: May 30, 2026 · Last change: 2026-05-30
This page lists all subcontractors used by Steinbui UG (haftungsbeschränkt) ("KMUPIM") that qualify as subprocessors within the meaning of Art. 28 para. 4 GDPR. It represents the current version of Annex 2 to the Data Processing Agreement (DPA) and is binding for all existing customers.
A contract pursuant to Art. 28 GDPR has been concluded with each of the companies listed below. All transfers to third countries are carried out exclusively on the basis of appropriate safeguards (adequacy decision or standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR).
Change Notification (§ 7.1 DPA)
KMUPIM notifies all customers at least 30 days before engaging or replacing a subprocessor. Customers may object to a change within 14 days of notification on important data-protection grounds (details see DPA § 7).
If you would like to be notified by email as soon as this list changes, send us a short message at info@kmupim.com with the subject line "Subscribe to Subprocessors-Notification".
Current Subprocessors
| Provider | Function | Data Categories | Processing Location | Third Country | Guarantees / DPA |
|---|---|---|---|---|---|
|
Contabo GmbH Aschauer Straße 32a 81549 Munich, Germany Privacy |
VPS hosting (Backend, Frontend, Landingpage, PostgreSQL) | All data processed within the platform | Germany (DE data center) | no | DPA pursuant to Art. 28 GDPR |
|
Contabo GmbH – Object Storage Region EU2, Nuremberg Privacy |
S3-compatible object storage for asset files | Media files (images, videos, logos, avatars) and any associated metadata | Germany (Nuremberg, EU2) | no | DPA pursuant to Art. 28 GDPR |
|
BunnyWay d.o.o. (Bunny.net) Cesta komandanta Staneta 4A 4000 Kranj, Slovenia Privacy · DPA |
Content Delivery Network, DDoS protection, edge caching of static assets | IP address, User-Agent, URL, timestamp | EU (edge locations prioritized) | no | DPA pursuant to Art. 28 GDPR |
|
Lettermint B.V. Netherlands Privacy · DPA |
Transactional emails (confirmation, password reset, security and system notifications) | Email address, name, email content | Netherlands | no | DPA pursuant to Art. 28 GDPR |
|
Mollie B.V. Keizersgracht 126 1015 CW Amsterdam, Netherlands Privacy · DPA |
Payment processing for paid subscriptions | Name, email, billing address, payment metadata (amount, status, payment ID). No credit card or IBAN data stored at KMUPIM. | Netherlands | no | DPA pursuant to Art. 28 GDPR |
Group and Ancillary Service Providers
KMUPIM itself is an LLC (UG) under German law with no group affiliations; no data is transferred to affiliated companies.
Pure ancillary service providers that do not receive any personal customer or end-user data in the ordinary course of business (e.g., tax advisory, accounting software, domain registrar) are not listed as subprocessors, provided they do not systematically access customer data.
Recipients that are not subprocessors
The following recipients are triggered by the customer themselves when using the platform or act as independent controllers. They are not subprocessors of KMUPIM; the legal relationship exists directly between the customer and the respective provider.
| Provider | Trigger | Data Categories | Status |
|---|---|---|---|
| Shopify International Ltd. / Shopify Inc. | Customer connects their own Shopify store and triggers sync | Product, inventory, media, and configuration data | Independent controller (customer = store owner) |
| Mistral AI SAS (Paris, FR) | Customer activates AI feature with their own API key (BYOK) | Text/content submitted by the customer for the AI request | Independent controller |
| OpenRouter, Inc. (USA) | BYOK AI activated by customer | Content submitted by the customer for the AI request | Independent controller |
| Runware AI, Inc. | BYOK image generation activated by customer | Prompts and reference images entered by the customer | Independent controller |
Since the customer provides the provider and API key themselves for BYOK features, the processing at the respective provider is initiated by the customer; the privacy and contractual terms of the direct relationship between the customer and the provider apply.
Change History
| Date | Change |
|---|---|
| 2026-05-30 | Email delivery provider switched: Resend, Inc. (USA) removed, Lettermint B.V. (Netherlands) added. This eliminates any third-country transfer for transactional emails. |
| 2026-05-26 | Initial publication of the Subprocessors page. Initial list: Contabo (Hosting + Object Storage), Bunny.net (CDN), Resend (Email), Mollie (Payments). |
Contact
Questions about this list, applicable guarantees, or the DPA: info@kmupim.com.