Subprocessor List

Last Updated: February 2026

Overview

This document lists the third-party subprocessors that Coax ApS ("Coax") engages to process personal data on behalf of our customers. This list is maintained pursuant to our Data Processing Agreement and GDPR Article 28.

Notification of Changes

Customers will be notified at least 14 days in advance of any intended changes to our subprocessors. To receive notifications:

Subscribe to updates via your account settings
Contact privacy@coaxsecurity.com to be added to the notification list

Current Subprocessors

Infrastructure & Hosting

Subprocessor	Purpose	Location	Data Processed
Google Cloud Platform (Google LLC)	Cloud infrastructure, application hosting (frontend & backend), database hosting, file storage, AI-powered invoice parsing (Vertex AI / Gemini)	EU (Belgium - europe-west1)	All application data, user accounts, organization data, invoice attachments, logs, invoice PDF/image content (AI processing)

Identity & Integration

Subprocessor	Purpose	Location	Data Processed
Microsoft Corporation	OAuth authentication, Microsoft Graph API for directory access, email metadata, SSO activity	Global (varies by customer tenant)	User identity, OAuth tokens, organization directory, email metadata, sign-in activity logs

Analytics

Subprocessor	Purpose	Location	Data Processed
Mixpanel Inc.	Product analytics, usage tracking, feature adoption analysis	EU (Frankfurt, Germany)	Hashed user ID, email address, organization ID, product usage events, session data, device information

Detailed Subprocessor Information

Google Cloud Platform (Google LLC)

Entity: Google LLC Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice DPA: https://cloud.google.com/terms/data-processing-addendum

Services Used:

Cloud Run (application hosting)
Cloud SQL (PostgreSQL database)
Cloud Storage (file storage)
Cloud Scheduler (job scheduling)
Secret Manager (credentials storage)
Vertex AI / Gemini 2.0 Flash (AI-powered invoice PDF parsing and data extraction)

Data Center Location: europe-west1 (Belgium, EU)

Data Processed:

User account information
Organization directory data
SaaS application records
Invoice attachments
Invoice PDF/image content (processed by Vertex AI for billing data extraction, not retained)
Application logs
Session data

Transfer Mechanism: Data processed within EU; Google complies with GDPR and EU SCCs

Microsoft Corporation

Entity: Microsoft Corporation Address: One Microsoft Way, Redmond, WA 98052, USA Privacy Policy: https://privacy.microsoft.com/ DPA: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA

Services Used:

Microsoft Entra ID (OAuth authentication)
Microsoft Graph API (directory, email, SSO)

Data Center Location: Varies by customer's Microsoft 365 tenant location

Data Processed:

User identity and profile information
OAuth access and refresh tokens
Organization directory (users, groups, structure)
Email metadata (subject, sender, date - NOT body content)
Sign-in activity logs (timestamps, IP, device, location)

Transfer Mechanism: Microsoft DPA includes EU SCCs; data location depends on customer tenant

Mixpanel Inc.

Entity: Mixpanel Inc. Address: 1 Front Street, 28th Floor, San Francisco, CA 94111, USA Privacy Policy: https://mixpanel.com/legal/privacy-policy/ DPA: https://mixpanel.com/legal/dpa/

Services Used:

Product analytics
Event tracking
User behavior analysis

Data Center Location: EU (Frankfurt, Germany) - EU data residency enabled

Data Processed:

User ID (hashed internal identifier)
Email address
Organization ID
Product usage events (page views, feature interactions)
Session information
Device and browser information
Geographic location (derived from IP)

Transfer Mechanism: EU data residency; data stored and processed in Frankfurt

Data Flow Summary

User Authentication
    └─> Microsoft Entra ID (OAuth)
            └─> Coax (GCP - Belgium)
                    └─> User Session Created

Directory & Email Access
    └─> Microsoft Graph API
            └─> Coax Processing (GCP - Belgium)
                    └─> Database (Cloud SQL - Belgium)

Invoice Processing
    └─> Email Attachment (PDF)
            └─> Cloud Storage (Belgium)
                    └─> Vertex AI Gemini (Belgium, EU)
                            └─> Extracted Data to Database (Belgium)

Analytics
    └─> User Activity
            └─> Mixpanel (Frankfurt, EU)

Frontend
    └─> User Browser
            └─> Coax Frontend (GCP Cloud Run - Belgium)
                    └─> Coax API (GCP - Belgium)

Previous Subprocessors

Subprocessor	Purpose	Removed	Reason
OpenAI, LLC	AI-powered invoice parsing (GPT-4 Vision API)	February 2026	Invoice parsing migrated to Google Vertex AI (Gemini) — processing now stays within EU (europe-west1)

How to Object

If you object to a new subprocessor, please contact us within 14 days of notification:

Email: privacy@coaxsecurity.com

Include:

Your organization name
The specific subprocessor you object to
The basis for your objection

We will work with you in good faith to address your concerns. If we cannot resolve the objection, you may have the right to terminate the service agreement.

Contact

For questions about our subprocessors:

Email: privacy@coaxsecurity.com

Legal Inquiries: legal@coaxsecurity.com

This Subprocessor List is also available at: https://coaxsecurity.com/legal/subprocessors