Subprocessor List
1. About this document
This Subprocessor List identifies the third-party service providers ("Subprocessors") that Toolum engages to process Personal Data on behalf of its users. We publish this list to give Builders — the people who create digital products with Toolum — clear visibility into where their data travels and under what protections.
This document is a companion to our Privacy Policy and our Data Processing Addendum (the "DPA"). Where definitions in this list overlap with those documents, the Privacy Policy and DPA prevail for binding legal interpretation; this list serves as the authoritative inventory of currently engaged Subprocessors.
Service. "Toolum" or "the Service" refers to the Toolum platform operated by Kirill Maximenko (Cyprus self-employed entity, TIN 60056031S), accessible at https://toolum.ai. Toolum is an AI-powered no-code builder for digital products, enabling users ("Builders") to design and generate application mockups, design systems, content, and exportable code through natural-language prompts and visual editing.
2. What is a Subprocessor
Under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), a "Subprocessor" is a third party engaged by the data controller (Toolum) or a primary processor to carry out specific processing activities on behalf of the controller. Subprocessors process Personal Data only on documented instructions from Toolum and under contractual safeguards that include the GDPR Article 28 obligations.
In plain terms: when you use Toolum, your data passes through services we rely on to deliver the platform — for example, the database that stores your projects, the AI providers that generate code, and the payment processor that handles your subscription. Each of these is a Subprocessor. We pick them carefully, contract with them on terms that protect you, and disclose them here.
3. General authorization for Subprocessor engagement
By using Toolum, you provide a general written authorization for Toolum to engage the Subprocessors listed in Section 5 below, and to add or replace Subprocessors as the Service evolves. This authorization is recorded in our Terms of Service and DPA and is consistent with GDPR Article 28(2).
We commit to:
- Keeping this list current. When we add a new Subprocessor that processes Personal Data, or replace an existing one, we will update this page and revise the "Last Updated" date at the top.
- Notifying you of material changes. For Subprocessors handling sensitive categories of data (for example, payment processing or AI inference involving your prompts and content), we will provide notice through one of the following channels at least fourteen (14) days before the change takes effect:
  - An update to this page (recommended: subscribe via RSS or check this page periodically)
  - An email to the address on your Toolum account
  - An in-product notification
- Respecting your objection right. If you object to a Subprocessor change on reasonable grounds, you may terminate your Toolum subscription before the change takes effect and request a pro-rata refund of unused credits per our Refund Policy.
We have chosen general written authorization rather than a fixed thirty-day approval window because:
- It allows Toolum to respond promptly to operational requirements (for example, switching an AI provider during an outage)
- It avoids creating per-customer notification friction that would slow our ability to deliver the Service reliably
- It mirrors the industry-standard approach used by Automattic (WordPress.com), GitHub, and other comparable EU-serving SaaS platforms
4. How we evaluate Subprocessors
Before engaging a Subprocessor that processes Personal Data, we review:
- Data protection commitments. The Subprocessor must offer a Data Processing Agreement compatible with GDPR Article 28, including obligations on confidentiality, security, sub-processing notifications, and assistance with data subject rights requests.
- International transfer safeguards. Where the Subprocessor processes data outside the European Economic Area, the transfer must rely on a valid mechanism: an adequacy decision, EU-US Data Privacy Framework certification, or Standard Contractual Clauses (SCCs).
- Security posture. We look for evidence of independent security audits (SOC 2, ISO 27001), encryption practices for data at rest and in transit, and a clear vulnerability disclosure process.
- Track record. Documented service reliability, incident history transparency, and reputation within the EU SaaS ecosystem.
We maintain records of each Subprocessor's DPA and applicable transfer safeguards. These are available to enterprise customers under NDA on request to info@toolum.ai.
5. Current Subprocessors
The following ten (10) Subprocessors are currently engaged by Toolum. Each entry lists the Subprocessor's identity, the processing activity it performs, its primary processing location, and the transfer mechanism that applies when data leaves the EEA.
5.1 AI inference providers
Toolum routes user prompts and content to AI inference providers through a fallback chain to maintain Service availability. Anthropic is the primary provider for most Builder interactions; OpenAI and Google serve as fallbacks during Anthropic outages or rate-limit events. All three providers are engaged from the date this list is first published, regardless of fallback activation frequency in any given period.
| # | Subprocessor | Role | Primary Location | Transfer Mechanism |
|---|---|---|---|---|
| 1 | Anthropic, Inc. | AI inference (Claude models — primary) | United States | EU-US Data Privacy Framework + Standard Contractual Clauses. DPA incorporated by reference in Anthropic's Commercial Terms (Privacy Center article 7996862). |
| 2 | OpenAI, Inc. | AI inference (GPT models — fallback) | United States | EU-US Data Privacy Framework + Standard Contractual Clauses. Toolum-executed DPA on file (dated 2026-05-19). |
| 3 | Google LLC (Google Cloud / Gemini API) | AI inference (Gemini models — fallback) | United States | EU-US Data Privacy Framework + Standard Contractual Clauses. Google Cloud DPA at https://cloud.google.com/terms/data-processing-addendum (Toolum-executed copy dated 2026-05-19). |
About AI processing of your data. When you submit a prompt or content to Toolum, the relevant portions are transmitted to the active AI inference provider for that request. Toolum has configured each provider to:
- Disable use of your data for model training or fine-tuning
- Disable feedback-based learning where the provider offers that option
- Retain inference data only for the minimum operational period (typically 30 days for abuse detection, after which it is purged)
Detailed AI processing behavior is described in our AI Transparency Statement and our Privacy Policy.
5.2 Infrastructure and platform services
| # | Subprocessor | Role | Primary Location | Transfer Mechanism |
|---|---|---|---|---|
| 4 | Supabase, Inc. | Database, authentication, file storage | Ireland (EU-West-1) | EU-internal — no third-country transfer. |
| 5 | MVPS.net | Application hosting (virtual private server) | Germany | EU-internal — no third-country transfer. |
| 6 | Cloudflare, Inc. | Content delivery, DDoS protection, DNS | Global edge network (EU edge for EU users) | EU-US Data Privacy Framework + Standard Contractual Clauses. |
| 7 | Hostinger International Ltd. | Domain registrar | Cyprus | EU-internal — no third-country transfer. |
5.3 Communications and operations
| # | Subprocessor | Role | Primary Location | Transfer Mechanism |
|---|---|---|---|---|
| 8 | Resend, Inc. | Transactional email delivery | United States | EU-US Data Privacy Framework + Standard Contractual Clauses. |
| 9 | Stripe Payments Europe Ltd. | Payment processing, subscription billing | Ireland | EU-internal — no third-country transfer. (Stripe's parent group includes US entities; payment data handling complies with Stripe's published DPA at https://stripe.com/legal/dpa) |
Note on Stripe: Payment processing is not yet active. Stripe is listed here in advance of our payment system launch; until billing goes live, Toolum does not transmit any payment data to Stripe. We will update the Effective Date of this list when payment processing activates.
5.4 Analytics and observability
| # | Subprocessor | Role | Primary Location | Transfer Mechanism |
|---|---|---|---|---|
| 10 | PostHog Inc. (PostHog UK Ltd. for EU customers) | Product analytics, error tracking | Ireland (EU instance: eu.posthog.com) | EU-internal — no third-country transfer for EU-served data. |
6. What each Subprocessor receives
Different Subprocessors receive different categories of data. The following summary indicates the typical scope; the Privacy Policy describes data flows in full detail.
- AI inference providers (Anthropic, OpenAI, Google): The prompt content and conversation context you submit, plus the project context Toolum constructs (industry references, design system definitions, prior generated content). Account identifiers are not transmitted unless you explicitly include them in a prompt.
- Supabase: Your account credentials (hashed passwords), project data, generated code, AI usage logs, and uploaded assets.
- MVPS.net: Application server hosting — Personal Data is contained within encrypted Supabase storage; the hosting layer processes traffic only.
- Cloudflare: Network-level metadata (IP addresses, request headers, timing data). No payload content is decrypted by Cloudflare under our configuration.
- Hostinger: Domain registration metadata (the Toolum administrator's contact information, not Builder Personal Data).
- Resend: Recipient email address and message content for transactional emails (welcome, password reset, invoice notifications, usage warnings).
- Stripe: Payment method details, billing address, transaction history. Stripe acts as an independent controller for payment data; Toolum receives only summary records for accounting.
- PostHog: Anonymized product usage events (page views, feature interactions, errors). Where event payloads would otherwise contain Personal Data, Toolum's instrumentation excludes or hashes those fields before sending.
7. Data Subject Rights and Subprocessors
Under GDPR Articles 15-22, you have rights to access, rectify, erase, restrict, port, and object to processing of your Personal Data. When you exercise these rights with Toolum, we forward applicable requests to relevant Subprocessors and obtain confirmation of their action.
For data held by AI inference providers specifically: due to the technical nature of large language model APIs, individual prompt deletion within retention windows is generally automatic at the end of each provider's retention period (typically 30 days). Toolum will confirm to you when the retention window has elapsed for any specific request.
To exercise any data subject right, contact info@toolum.ai. We respond within thirty (30) days under GDPR Article 12(3).
8. Changes to this list
The Subprocessor List is a living document. We update it whenever we engage, replace, or remove a Subprocessor.
- Effective date at the top reflects when this version of the list took effect.
- Last updated date reflects when this page was most recently revised, even for non-material edits (typos, link updates, clarifications).
- Historic versions of this list are available at their dated URLs under /legal/subprocessors/<date> and preserved in our public repository at https://github.com/Maximenko88/AppBuilder. (Note: historical archive published from the date of first formal publication onward.)
For material changes affecting your data, see Section 3 above on our notification commitments.
9. Contact
For questions about this list, our Subprocessors, or your data rights:
- Email: info@toolum.ai
- Address: 3 Evagora Pitali, 4040 Germasogeia, Limassol, Cyprus
For enterprise customers requiring a custom DPA review, evidence of specific Subprocessor agreements, or audit documentation, please indicate the request type in your email subject line.
This Subprocessor List is published by Toolum (Kirill Maximenko, Cyprus self-employed entity). It is informational and forms part of the contractual framework defined in the Toolum Terms of Service, Privacy Policy, and DPA. Where this list and any of those documents conflict, the Privacy Policy and DPA prevail.
Document version 1.0. Effective June 5, 2026.