Sub-processors
The third-party service providers that Cension AB engages to process Customer Data when you use the Cension service.
Effective Date: 2026-04-18
Name: Cension AB
Organization Number: 559470-4768
Registered Address: Cension AB, Rådmansgatan 80A, 113 60 Stockholm
Contact Email: hello@cension.ai
1. What is a sub-processor?
A “sub-processor” is any third party that Cension engages to process Customer Personal Data on Cension’s behalf in order to deliver the Service. This page lists the external sub-processors that may receive Customer Data when the corresponding feature is used. It is an integral part of our Data Processing Addendum (DPA).
Internal components that Cension builds and operates itself inside our existing cloud environment — for example, internal search, data-acquisition, and ingestion services — are not sub-processors and therefore do not appear on this list, because Customer Data does not leave Cension’s own infrastructure when those components run.
This list also does not include third parties that Cension engages for its own internal business operations — for example, Cension’s own marketing, content-production, analytics, or recruitment tools — where the vendor does not receive Customer Data. Those vendors process Cension’s own business data and are therefore outside the scope of the DPA. This page focuses on external recipients of Customer Data.
2. Sub-processors of Customer Personal Data and Customer Content
The following third parties are engaged by Cension to process Customer Personal Data or Customer Content on Cension’s behalf in order to deliver the Service. Each vendor is bound by written terms that impose data-protection obligations substantially equivalent to those set out in our DPA.
| Sub-processor | Service | Category | Region | Transfer mechanism |
|---|---|---|---|---|
| Microsoft Corporation | Cloud infrastructure, hosting, managed databases, object storage, and transactional email (Azure Communication Services) | Cloud infrastructure & transactional email | European Union | Intra-EEA (primary); Microsoft EU Data Boundary commitments |
| Google LLC | Sign-in with Google; Gemini / Generative Language API; Google Drive API (customer-authorized file access), as applicable | Identity, AI inference, and file import | United States | EU–US Data Privacy Framework (DPF); EU SCCs Module 2 as fallback |
| OpenAI OpCo, LLC | OpenAI API (GPT family) | AI / Large Language Model inference | United States | EU–US Data Privacy Framework (DPF); EU SCCs Module 2 as fallback |
| xAI Corp. | xAI API (Grok family) | AI / Large Language Model inference | United States | EU SCCs Module 2 |
| Voyage AI, Inc. | Voyage embedding models | AI / Text embeddings | United States | EU SCCs Module 2 |
| Groq, Inc. | Groq API (LLM-assisted extraction from Customer-initiated web crawls) | AI / Large Language Model inference | United States | EU SCCs Module 2 |
| Stripe | Subscription billing and payment processing | Payments | European Union and United States | Intra-EEA and EU–US Data Privacy Framework (DPF) / EU SCCs as applicable to the contracting Stripe entity |
Customers are responsible for the lawfulness of the data they load into the Service. Cension’s commitments under the DPA apply to processing performed in line with that agreement, not to personal data that a Customer introduces into feeds or workflows without an appropriate lawful basis. Search- and acquisition-driven features may transmit derived query text to public systems as described under “Search-Driven Workflows” in Section 3 of the DPA.
3. Other vendors (not Art. 28 sub-processors for Customer Data)
Cension uses additional third parties for networking, public search, Cension’s own advertising accounts, demo scheduling on the marketing website, and similar purposes. Those vendors are not engaged to process Customer Personal Data or Customer Content on the Customer’s behalf in the sense of Article 28 GDPR, and therefore do not appear in the table above. Where they process personal data at all (for example, website visitors or Cension’s corporate accounts), that processing is described in the Privacy Policy or falls outside the DPA.
4. Corporate vendors (out of scope)
In addition, Cension engages third-party vendors for its own internal business and marketing operations — for example, social-media and publishing platforms (such as YouTube, TikTok, Reddit, and dev.to) used to distribute Cension’s own marketing content, and general productivity and analytics tools used by Cension’s team. These vendors process Cension’s own corporate data, not Customer Personal Data or Customer Content, and are therefore outside the scope of this page and of the DPA. Where such vendors process personal data of website visitors, that processing is described in the Privacy Policy.
5. Notice of changes
Cension may update this list from time to time. Customers are encouraged to review the list periodically. The procedure for objecting to a new sub-processor, and the Customer’s exclusive remedy if a reasonable objection cannot be resolved, is set out in Section 7 of the DPA. Customers with bespoke notification requirements may negotiate such terms under a separately signed Enterprise Service Agreement.
6. International transfers
Cension’s primary application, database, and file storage are operated within the European Union at an enterprise cloud infrastructure provider. Transfers of Customer Data to sub-processors established outside the EU / EEA rely on one of the following mechanisms: the EU–US Data Privacy Framework where the recipient is DPF-certified; the EU Standard Contractual Clauses (Module 2, Controller-to-Processor) approved by the European Commission; the UK International Data Transfer Addendum; or the Swiss FADP equivalents. For additional context, see Section 8 of the DPA.
7. Contact
For any question regarding sub-processors, international data transfers, or to submit an objection, contact Cension AB at hello@cension.ai.