Sub-processor List
Effective date: 29 June 2026
This list constitutes the official, standalone register of the third-party sub-processors (the "Sub-processors") engaged by "Tabb Pay Private Company" (trade name "TabbPay"), with its seat in the Municipality of Galatsi, Attica, 39 Farron Street, 11147, email privacy@tabbpay.com.
1. Subject Matter and Legal Basis
In respect of the personal data of Guests, Staff and venues, TabbPay acts as Processor on behalf of its Business Customers (who are the Controllers). The Sub-processors below are engaged pursuant to Article 28(2) and (4) of Regulation (EU) 2016/679 (the "GDPR").
This list is published so that Business Customers can consult it and, in accordance with the Data Processing Agreement (DPA), be notified before any change to it. Each Sub-processor is bound by written data-processing terms that impose data-protection obligations at least equivalent to those borne by TabbPay (Article 28(4) GDPR). TabbPay remains liable to its Business Customers for the performance of each Sub-processor's obligations.
2. Sub-processor List
| Sub-processor | Service / processing activity | Processing location | Transfer mechanism (non-EEA) |
|---|---|---|---|
| Clerk, Inc. | Authentication / identity & organisation management | USA | Standard Contractual Clauses (Decision 2021/914) and EU-US Data Privacy Framework (DPF), where applicable |
| Vercel Inc. | Hosting of the Next.js applications | EU (Frankfurt) with US fallback | Standard Contractual Clauses (Decision 2021/914) |
| Amazon Web Services EMEA SARL | Cloud infrastructure & data storage (RDS, S3, CloudFront) | EU — Frankfurt (eu-central-1); primary processing region | — (within the EU) |
| Amazon Web Services — End User Messaging | Delivery of one-time SMS verification codes; used only where the Business Customer enables guest mobile-number verification | EU — Frankfurt (eu-central-1); onward delivery via mobile network operator | — (within the EU) |
| Functional Software, Inc. (Sentry) | Error monitoring (PII disabled, sendDefaultPii: false) | USA | Standard Contractual Clauses (Decision 2021/914) |
| Google Ireland Limited (Firebase Cloud Messaging) | Push notifications to Staff devices | EU & global | Standard Contractual Clauses (Decision 2021/914) |
| Resend Labs, Inc. | Delivery of transactional/operational email | USA | Standard Contractual Clauses (Decision 2021/914) |
| symPOSium / HIT (POS providers) | Forwarding order content to the Business Customer's own POS system, where the Business Customer has enabled the integration | EU | — (within the EU) |
| Viva Payments Single Member S.A. (settlement via Vivabank Single Member Banking S.A.) | Payment institution (guest payments & subscription billing) (see the note on Viva below) | Greece / EU | — (within the EU) |
Fallback (inactive) Sub-processor:
| Sub-processor | Service / processing activity | Processing location | Transfer mechanism (non-EEA) |
|---|---|---|---|
| Stripe Payments Europe Ltd | Payment processing — fallback Sub-processor engaged only if expressly requested by the Business Customer | EU — Ireland | — (within the EU) |
Note on Viva. With respect to card/payment data, Viva Payments Single Member S.A. (and, in respect of settlement accounts, Vivabank Single Member Banking S.A.) acts as an independent Controller under payments law (PSD2) and the PCI-DSS standard, and not as a sub-processor of TabbPay. TabbPay does not store card numbers, card-verification codes, bank account numbers or IBANs.
3. International Transfers and EU Data Residency
Personal data is primarily processed within the European Economic Area (EEA). Primary storage and processing takes place on Amazon Web Services infrastructure in the eu-central-1 (Frankfurt) region.
Where a Sub-processor's processing occurs in a third country, the transfer is supported by an appropriate safeguard under Article 46 GDPR — in particular the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework (DPF) — and, where appropriate, supplementary measures. TabbPay assesses the equivalence of the destination jurisdiction's data-protection regime prior to engagement and re-assesses the position upon any material change of circumstance.
4. Notification of Changes
In accordance with the Data Processing Agreement (DPA), TabbPay informs Business Customers at least fourteen (14) days in advance of any intended addition or replacement of a Sub-processor. The Business Customer may object on reasonable, documented data-protection grounds; where an objection cannot be resolved, the Business Customer may terminate the affected part of the services.
To subscribe to updates regarding changes to this list, send a request to privacy@tabbpay.com.
5. Language
The Greek version of this list is the legally binding one; the English is provided for convenience and is an exact translation. In the event of any conflict or divergence between the two versions, the Greek prevails.