TabbPay
← Back to home

Sub-processor List

Effective date: 29 June 2026

This list constitutes the official, standalone register of the third-party sub-processors (the "Sub-processors") engaged by "Tabb Pay Private Company" (trade name "TabbPay"), with its seat in the Municipality of Galatsi, Attica, 39 Farron Street, 11147, email privacy@tabbpay.com.


1. Subject Matter and Legal Basis

In respect of the personal data of Guests, Staff and venues, TabbPay acts as Processor on behalf of its Business Customers (who are the Controllers). The Sub-processors below are engaged pursuant to Article 28(2) and (4) of Regulation (EU) 2016/679 (the "GDPR").

This list is published so that Business Customers can consult it and, in accordance with the Data Processing Agreement (DPA), be notified before any change to it. Each Sub-processor is bound by written data-processing terms that impose data-protection obligations at least equivalent to those borne by TabbPay (Article 28(4) GDPR). TabbPay remains liable to its Business Customers for the performance of each Sub-processor's obligations.


2. Sub-processor List

Sub-processorService / processing activityProcessing locationTransfer mechanism (non-EEA)
Clerk, Inc.Authentication / identity & organisation managementUSAStandard Contractual Clauses (Decision 2021/914) and EU-US Data Privacy Framework (DPF), where applicable
Vercel Inc.Hosting of the Next.js applicationsEU (Frankfurt) with US fallbackStandard Contractual Clauses (Decision 2021/914)
Amazon Web Services EMEA SARLCloud infrastructure & data storage (RDS, S3, CloudFront)EU — Frankfurt (eu-central-1); primary processing region— (within the EU)
Amazon Web Services — End User MessagingDelivery of one-time SMS verification codes; used only where the Business Customer enables guest mobile-number verificationEU — Frankfurt (eu-central-1); onward delivery via mobile network operator— (within the EU)
Functional Software, Inc. (Sentry)Error monitoring (PII disabled, sendDefaultPii: false)USAStandard Contractual Clauses (Decision 2021/914)
Google Ireland Limited (Firebase Cloud Messaging)Push notifications to Staff devicesEU & globalStandard Contractual Clauses (Decision 2021/914)
Resend Labs, Inc.Delivery of transactional/operational emailUSAStandard Contractual Clauses (Decision 2021/914)
symPOSium / HIT (POS providers)Forwarding order content to the Business Customer's own POS system, where the Business Customer has enabled the integrationEU— (within the EU)
Viva Payments Single Member S.A. (settlement via Vivabank Single Member Banking S.A.)Payment institution (guest payments & subscription billing) (see the note on Viva below)Greece / EU— (within the EU)

Fallback (inactive) Sub-processor:

Sub-processorService / processing activityProcessing locationTransfer mechanism (non-EEA)
Stripe Payments Europe LtdPayment processing — fallback Sub-processor engaged only if expressly requested by the Business CustomerEU — Ireland— (within the EU)

Note on Viva. With respect to card/payment data, Viva Payments Single Member S.A. (and, in respect of settlement accounts, Vivabank Single Member Banking S.A.) acts as an independent Controller under payments law (PSD2) and the PCI-DSS standard, and not as a sub-processor of TabbPay. TabbPay does not store card numbers, card-verification codes, bank account numbers or IBANs.


3. International Transfers and EU Data Residency

Personal data is primarily processed within the European Economic Area (EEA). Primary storage and processing takes place on Amazon Web Services infrastructure in the eu-central-1 (Frankfurt) region.

Where a Sub-processor's processing occurs in a third country, the transfer is supported by an appropriate safeguard under Article 46 GDPR — in particular the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework (DPF) — and, where appropriate, supplementary measures. TabbPay assesses the equivalence of the destination jurisdiction's data-protection regime prior to engagement and re-assesses the position upon any material change of circumstance.


4. Notification of Changes

In accordance with the Data Processing Agreement (DPA), TabbPay informs Business Customers at least fourteen (14) days in advance of any intended addition or replacement of a Sub-processor. The Business Customer may object on reasonable, documented data-protection grounds; where an objection cannot be resolved, the Business Customer may terminate the affected part of the services.

To subscribe to updates regarding changes to this list, send a request to privacy@tabbpay.com.


5. Language

The Greek version of this list is the legally binding one; the English is provided for convenience and is an exact translation. In the event of any conflict or divergence between the two versions, the Greek prevails.