
Subprocessors

Effective date: January 1, 2026
Last updated: April 15, 2026

This page lists the third-party service providers ("subprocessors") that Gixodia engages to help deliver its software and services. It is maintained as a living document and forms part of our Data Processing Agreement (DPA). Gixodia is a software company. We are not a broker, fund, custodian, or financial advisor.

Gixodia is a software company. We sell licensed trading bot software — we are not a broker, custodian, fund, financial advisor, or investment manager. We do not hold client funds, do not give financial advice, and do not guarantee profits. All trading is conducted by the customer on their own broker account, and 100% of trading results (positive or negative) belong to the customer.

1. Purpose of This Page

To be fully transparent with our customers, especially business and enterprise customers who have signed a Data Processing Agreement with us, we publish and keep up to date the full list of subprocessors that may Process Personal Data on our behalf. This page is the authoritative, canonical version of that list. Where our DPA refers to "the subprocessors list", it refers to this page.

We apply strict criteria when selecting subprocessors:

  • Demonstrated security posture (SOC 2 Type II, ISO/IEC 27001, or equivalent where available).
  • GDPR-grade contractual commitments (signed DPA and — where relevant — the 2021/914 Standard Contractual Clauses).
  • Minimum data footprint: we share only what is strictly necessary.
  • Clear legal basis for any international transfers.
  • Industry reputation and incident history.

2. Current Subprocessors

The following subprocessors are currently engaged by Gixodia. "Data categories" shows the maximum categories that may be processed; in most cases the actual processing is more limited.

| # | Subprocessor | Purpose | Data Categories | Location / Region | Certifications | DPA / Legal Basis |
|---|---|---|---|---|---|---|
| 1 | Cloudflare, Inc. | Hosting (Pages, Workers), CDN, DDoS mitigation, WAF, bot management, DNS, web analytics | IP address, request metadata, HTTP headers, basic usage telemetry | USA / Global edge network | SOC 2 Type II, ISO 27001, ISO 27701, ISO 27018, PCI DSS, HIPAA, FedRAMP Moderate | https://www.cloudflare.com/cloudflare-customer-dpa/ — 2021/914 SCCs incorporated |
| 2 | Groq, Inc. | Low-latency LLM inference for the in-site chat assistant (when used) | Chat message content, session ID, language | USA | SOC 2 Type II (in progress / as published) | https://groq.com/privacy-policy — DPA available on request |
| 3 | FormSubmit (formsubmit.co) | Relay of contact-form submissions to our support inbox | Name, email, message content, IP, User-Agent | USA | Operator relies on AWS infrastructure (SOC 2, ISO 27001) | https://formsubmit.co/terms — zero-retention mode used |
| 4 | Cal.com, Inc. | Scheduling and booking of strategy calls | Name, email, booking time, optional notes, time zone | USA + EU (self-hosted EU option used where applicable) | SOC 2 Type II, ISO 27001 (as published), GDPR-ready | https://cal.com/dpa — 2021/914 SCCs incorporated |
| 5 | Binance public market-data API | Read-only market data (prices, candles, tick data) for bot research and display — no PII transmitted | None (public market data only) | Global | N/A — public data endpoint | N/A — no personal data processed |
| 6 | Google Fonts (Google Ireland Limited) | Web typography (where used) | IP address, User-Agent (on font-file requests) | EU / Global | ISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3 | https://policies.google.com/privacy — self-hosted fallback available on request |
| 7 | Vercel, Inc. (where used for preview deployments) | Edge hosting and preview environments for staging branches | IP address, request metadata | USA / Global edge | SOC 2 Type II, ISO 27001, GDPR-ready | https://vercel.com/legal/dpa — 2021/914 SCCs incorporated |
| 8 | Stripe, Inc. (where payment processing is used) | Payment processing, invoicing, tax calculation | Billing name, email, country, VAT ID, card data handled directly by Stripe (never by Gixodia) | USA / EU / UK | PCI DSS Level 1, SOC 1 / SOC 2, ISO 27001 | https://stripe.com/legal/dpa — 2021/914 SCCs incorporated |

Note on Binance: only public market-data endpoints are used and no customer credentials, personal data, or account information are sent. Individual customers independently connect their own broker accounts under their own terms; those broker relationships are not subprocessing on behalf of Gixodia.

Note on payment processing: card numbers and CVVs never reach Gixodia systems. Stripe acts as an independent data controller for certain processing (fraud prevention, regulatory KYC) and as our processor for the rest.

3. Sub-subprocessors

Some of the subprocessors above themselves use sub-subprocessors (for example, cloud infrastructure providers). Each subprocessor is contractually required to maintain an equivalent level of protection, impose flow-down data-protection obligations on its own subprocessors, and make its own subprocessor list publicly available.

4. Infrastructure and Internal Tools

The following providers are used for internal operations that may incidentally involve Personal Data of customer contacts (for example, an email address appearing in a support thread). They are listed for full transparency:

  • Email (support@gixodia.com) — hosted on a privacy-focused mail provider with GDPR-compliant DPA. Used for customer support and legal notices.
  • Code hosting — version-control platform used only for source code, not for customer Personal Data.
  • Error monitoring — error and performance monitoring provider, configured to scrub PII from stack traces and logs.

5. International Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the United Kingdom, or Switzerland to a subprocessor in a third country, the transfer is safeguarded by one or more of the following mechanisms:

  • European Commission adequacy decisions (where the destination country benefits from one).
  • Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914, Module Two or Module Three as appropriate.
  • The UK International Data Transfer Addendum (IDTA) for transfers out of the UK.
  • The Swiss FDPIC-compliant version of the SCCs for transfers out of Switzerland.
  • Supplementary technical and organisational measures (encryption in transit and at rest, access controls, pseudonymisation where feasible) in line with EDPB Recommendations 01/2020.

6. Notification of Changes

We will update this page whenever we:

  • Add a new subprocessor.
  • Replace an existing subprocessor.
  • Materially change the purpose or data categories of an existing subprocessor.

We aim to provide at least 30 days' advance notice of any such change before the new subprocessor begins Processing Personal Data. Business and enterprise customers who have subscribed to change notifications will also receive an email. If you are a customer and would like to subscribe, please email support@gixodia.com with the subject line "Subprocessor notifications — subscribe".

7. Right to Object

If you are a business or enterprise customer and you have a reasonable data-protection ground to object to a new or replaced subprocessor, you may notify us within 15 days of the notification described in Section 6. We will work with you in good faith to resolve the objection. If we are unable to do so, you may terminate the affected services in accordance with your DPA without penalty as your sole and exclusive remedy, and receive a pro-rated refund of any prepaid fees for the unused portion of the term.

8. How We Evaluate New Subprocessors

Before engaging any new subprocessor that will Process Personal Data, we perform a due-diligence review that includes:

  • Review of the provider's security certifications and audit reports.
  • Review of the provider's privacy policy and DPA.
  • Assessment of the international-transfer mechanism.
  • Data-minimisation review (what is strictly necessary to share).
  • Risk assessment of the impact on data subjects.
  • Executive approval before onboarding.

Providers that cannot meet our standards are not engaged.

9. Contact

For questions about this subprocessors list, to subscribe to change notifications, or to object to a specific subprocessor, please contact:

Email: support@gixodia.com
Subject line: Subprocessors — [topic]

Version History

  • v1.0 — 2026-04-15 — Initial publication. Baseline list of 8 subprocessors plus internal tooling disclosure.