This page is the authoritative live inventory of third-party sub-processors engaged by Banxs Technologies EOOD (trading as Skybyte), Blvd. Alexander Malinov 31, Sofia 1000, Bulgaria, EIK 206285017, VAT BG206285017, to deliver the Skybyte service. It is incorporated by reference into our Data Processing Agreement (Section 8 and Appendix 3) and into our Privacy Policy (Section 6). Where this page differs from a snapshot embedded in another document, this page prevails.
1. Introduction
A sub-processor is any third party engaged by Skybyte that processes personal data on Skybyte’s behalf in the course of providing the Skybyte service. This includes infrastructure providers (database, CDN, observability), service providers (payment processing, e-mail delivery, messaging), and connectivity providers (eSIM provisioning platforms and the underlying mobile network operators accessed through them).
We publish this list to (a) satisfy the transparency obligations of Articles 13 and 14 GDPR; (b) discharge our general-authorisation obligations under Article 28(2) and (4) GDPR; and (c) give business customers under our DPA the information they need to assess their own compliance.
2. Definitions and Scope
The terms controller, processor, personal data, and processing bear the meanings given in Article 4 GDPR. A “sub-processor engagement” in this document refers to any contract under which a third party processes personal data on Skybyte’s behalf, irrespective of the legal label used by the third party. Where the third party acts as an independent controller for some processing and as a processor for other processing (for example, Meta in respect of WhatsApp messaging), the entry below covers only the processing that is in scope as a sub-processor; the controller relationship is addressed in the Privacy Policy.
3. Sub-processor Inventory
| Sub-processor | Service | Location | Data categories | Safeguards | DPA reference | Last reviewed |
|---|---|---|---|---|---|---|
| Lovable Cloud / Supabase | Managed Postgres database, authentication, file storage, row-level security enforcement. | European Economic Area (EEA hosting region). | Account identifiers, profile data, order and invoice records, eSIM identifiers, support correspondence, audit logs, consent receipts. | EEA hosting; encryption in transit (TLS 1.3) and at rest (AES-256); RLS policies; managed secret vault; SOC 2 / ISO 27001 attested infrastructure. | Supabase Data Processing Addendum (incorporated by reference, public). | 5 May 2026 |
| PayNovus AD | Acquiring and card payment processing (Bulgarian electronic-money institution). | Sofia, Bulgaria, EU. | Tokenised PAN, transaction amount, currency, descriptor, 3-D Secure outcome, AVS / CVV result codes; billing name and country. | Licensed and supervised by the Bulgarian National Bank; PCI DSS Level 1; SCA / 3DS2; tokenisation removes raw PAN from Skybyte's environment (SAQ A scope). | PayNovus PSP services agreement and DPA addendum. | 5 May 2026 |
| eSIM Go Limited | Primary eSIM provisioning and IPX/roaming connectivity. | United Kingdom. | ICCID, country selection, plan metadata, data-consumption counters; limited carrier-generated traffic and location metadata necessary for the service. | UK adequacy decision (28 June 2021); ISO/IEC 27001 certified; carrier-grade signalling security. | eSIM Go master services agreement and DPA. | 5 May 2026 |
| Maya Mobile, Inc. | Alternate / fail-over eSIM provisioning and IPX connectivity. | United States, with operational presence in Hong Kong / Singapore. | ICCID, country selection, plan metadata, data-consumption counters; limited carrier-generated traffic and location metadata. | EU SCCs (controller-to-processor module) plus supplementary measures (encryption in transit, minimisation of identifiers, contractual prohibition on government-access disclosures beyond legal compulsion). | Maya Mobile reseller agreement and DPA addendum. | 5 May 2026 |
| Postmark / ActiveCampaign | Transactional and marketing e-mail delivery, bounce and complaint handling. | United States. | Recipient e-mail address, message metadata, message body, delivery and engagement events. | EU SCCs; DPF self-certification (where applicable); TLS-only delivery; suppression-list management. | Postmark / ActiveCampaign DPA (public). | 5 May 2026 |
| Meta Platforms Ireland Ltd | WhatsApp Business Cloud API for opt-in customer notifications. | Ireland, EU (with onward transfers to Meta US under SCCs). | Phone number, message template parameters, delivery status. | Controller-controller (Meta) plus contractual SCCs for onward US transfer; opt-in only with documented consent receipt. | Meta WhatsApp Business Solution Terms and Cloud API DPA. | 5 May 2026 |
| Cloudflare, Inc. | Content delivery network, DDoS mitigation, Web Application Firewall, edge security. | Global anycast edge network. | IP address, request metadata (URL, headers, response codes), bot signals. | EU SCCs; DPF self-certification; ISO/IEC 27001 / SOC 2; data-localisation controls where configured. | Cloudflare DPA (public). | 5 May 2026 |
| Better Stack | Application logging, uptime monitoring, on-call alerting. | European Union (primary) with US fail-over. | Server logs (PII scrubbed by safeAuditMeta() prior to emission), latency metrics, uptime probes. | EU SCCs for any US fail-over; encryption in transit; PII scrubbing in source application before egress. | Better Stack DPA (public). | 5 May 2026 |
| Umami | Privacy-friendly, cookie-less product analytics. | Self-hosted by Skybyte within the EEA. | Aggregated, non-identifying page-view counts; no cross-site tracking; no IP address persisted. | No third-country transfer; cookie-less; respects DNT and Sec-GPC. | Not applicable (self-hosted). | 5 May 2026 |
4. Safeguards and Transfer Mechanisms
Where a sub-processor is established outside the European Economic Area, Skybyte ensures that an appropriate transfer mechanism under Chapter V GDPR is in place. The mechanisms relied upon, by destination, are:
- EEA destinations — no transfer mechanism required (Lovable Cloud / Supabase, PayNovus AD, Meta Platforms Ireland for the EU-leg, Umami self-hosted).
- United Kingdom — European Commission adequacy decision of 28 June 2021 (eSIM Go).
- United States, recipient self-certified under the EU–US Data Privacy Framework — adequacy decision of 10 July 2023, supplemented by the technical and organisational measures described in our DPA Appendix 2.
- Other third countries — Standard Contractual Clauses (Implementing Decision (EU) 2021/914) in the relevant module, supplemented by encryption in transit and at rest, identifier minimisation, and contractual safeguards consistent with EDPB Recommendations 01/2020 following the Court of Justice ruling in Case C-311/18 (Schrems II).
Skybyte performs and documents a transfer impact assessment for each Restricted Transfer and reviews those assessments at the cadence described in Section 5.
5. Review Cycle
The sub-processor inventory is reviewed at least annually, and additionally on (a) onboarding of any new sub-processor; (b) any material change to a sub-processor’s service, location, or safeguards; (c) any Personal Data Breach notification received from a sub-processor; (d) any material change to the regulatory environment (for example, a new adequacy decision, the invalidation of an existing one, or a new Court of Justice ruling on international transfers); and (e) any reasonable request from a B2B customer under the DPA. The “last reviewed” column in Section 3 reflects the most recent review for each entry.
6. Change Notifications
B2B customers under our DPA receive at least thirty (30) days’ prior written notice of any intended addition or replacement of a sub-processor that processes Customer Personal Data, by e-mail to the notice address on file. Customers may subscribe to receive notifications by e-mailing contact@banxs.com with the subject line “Sub-processor notifications — subscribe”. End-user customers (B2C) are informed of changes through updates to this page, the date of which is shown above.
7. Right to Object
During the thirty-day notice period, a B2B customer may object to a proposed change on reasonable, GDPR-compliant grounds. If the parties cannot reach a mutually acceptable resolution within a further thirty (30) days, the customer may, as its sole and exclusive remedy, terminate the affected services on written notice without penalty, with a pro-rata refund of pre-paid fees attributable to the unused portion of the affected service, in line with DPA Section 8.
8. Contact
For questions about this list or about Skybyte’s use of sub-processors generally, contact contact@banxs.com.
8.1 Standing requests
A B2B customer may, at any time, request a written copy of the latest sub-processor inventory, the most recent transfer impact assessment for any specific sub-processor, the executed DPA addendum that governs Skybyte’s relationship with any specific sub-processor (subject to the sub-processor’s confidentiality requirements), and a description of the controls Skybyte applies to monitor the sub-processor’s ongoing compliance. Requests are handled within fifteen (15) business days where the requested material is already prepared, and within thirty (30) business days where new written work is required. We do not charge for the first such request in any twelve-month period; subsequent requests in the same period may attract a reasonable cost-recovery fee at our standard professional-services rate.
8.2 Notification preferences and locale
Notifications under Section 6 are sent in English by default. A B2B customer may request notifications in Bulgarian by writing to the same address. Where the customer maintains multiple notice addresses (for example, a procurement contact and a data-protection contact), we will send the notification to all addresses on file, marking each copy with the addressee’s role to avoid duplication of processing on the customer’s side.
8.3 Audit trail
Each material change to this page (addition or removal of a sub-processor, change of safeguard, change of location) generates an entry in our internal audit_log with the action subprocessor_inventory_change, including the before-and-after state and the identity of the operator who authorised the change. The audit-log entry is retained for seven (7) years in line with the retention windows described in Privacy Policy §7, providing a verifiable record of the inventory’s history.
8.4 Mobile network operators
The eSIM provisioning sub-processors listed above (eSIM Go Limited and Maya Mobile, Inc.) in turn rely on a global network of mobile network operators (MNOs) that provide radio access in each covered country. The MNO list is extensive (typically more than 500 networks across more than 190 countries) and changes frequently. Skybyte does not enumerate every MNO on this page; the operative list at any point in time is reflected in the partner agreements with eSIM Go and Maya, who in turn flow down GDPR-compatible data-protection terms to their MNO partners. The traffic and location metadata generated by an MNO during your use of the service is held by that MNO under its own retention rules and applicable national telecommunications law; Skybyte accesses such metadata only to the extent necessary to provide the service (for example, to compute remaining data allocation) or to comply with a binding lawful-disclosure request received by Skybyte directly.
8.5 Mapping to other documents
The entries in Section 3 of this page correspond to (a) the “Recipients” column of the GDPR Article 6 mapping table in Privacy Policy §4; (b) the sub-processor list in DPA Appendix 3; and (c) the disclosures in Payment Disclosures §§6–8 in respect of payment processing. We treat consistency across these four documents as a single source of truth: a change to a sub-processor in Section 3 is propagated to the other three documents in the same release.
8.6 No undisclosed sub-processors
Skybyte does not engage any sub-processor that is not listed in Section 3 of this page (or that is not within the scope of the MNO carve-out in Section 8.4). Internal tooling that processes Customer Personal Data only on infrastructure already listed in Section 3 (for example, an internal admin dashboard hosted on Lovable Cloud) does not constitute an additional sub-processor for the purposes of this page.
8.7 Effective date and version control
The effective date of the current version of this page is shown at the top. Earlier versions are retained internally for at least three (3) years after they cease to be current and are available on written request from B2B customers under the DPA in support of their own accountability documentation.