Sub-processor Register
Last updated: 23/02/2026
1. Purpose
This document identifies the third-party sub-processors engaged by GlobeID Limited
(“GlobeID”) to process Personal Data on behalf of Customers in connection with the
PassportScan Cloud services, in accordance with Article 28(2) and 28(4) of the GDPR.
This Sub-Processor List forms an integral part of the Data Processing Agreement (DPA).
2. General Principles
- Sub-processors are engaged only where strictly necessary to provide the Services
- All sub-processors are bound by written data protection agreements imposing obligations no less protective than those set out in the DPA
- GlobeID remains fully liable for the acts and omissions of its sub-processors in accordance with Article 28(4) GDPR
- Core platform databases are hosted exclusively within the European Union (AWS eu-west-1 – Ireland)
- Where regional S3 storage is enabled, document images are stored in the AWS region corresponding to the hotel’s operational jurisdiction
- No cross-region replication of core databases is configured
- PassportScan does not maintain a Cardholder Data Environment (CDE)
3. Authorized Sub-Processors (Unified Table)
| Sub-Processor | Service Category | Purpose / Function | Data Categories Processed | Processing Location |
|---|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud Infrastructure & Hosting | Hosting of application services, databases, encrypted object storage (S3), backups, infrastructure security | Identity data, reservation data, logs, document images (where enabled) | Core: EU (Ireland – eu-west-1). S3: Region aligned with hotel jurisdiction (may include non-EEA regions) |
| Clerk, Inc. | Identity & Authentication | User authentication, identity verification, session lifecycle management | Email address, IP address, device metadata, session tokens | As disclosed in Clerk documentation |
| Datadog, Inc. | Logging & Monitoring | Infrastructure monitoring, application performance monitoring, security logging, anomaly detection | Log metadata, IP addresses, authentication events, technical diagnostics | As disclosed in Datadog documentation |
| Google LLC (Google Workspace) | Corporate Productivity & Communication | Internal business communications, email, document management | Business contact data, limited operational communications | As disclosed by Google |
| Stripe, Inc. | Payment Processing | Credit purchase transactions and account activation | Processed by Stripe: payment card data, billing details, transaction identifiers. Received by PassportScan: transaction ID, payment status, amount, currency, billing email (if provided) |
As disclosed in Stripe documentation |
4. Explicit Exclusions
- No sub-processor has access to decrypted identity document data
- PassportScan does not store or process raw payment card numbers, CVV codes, or expiration dates
- Stripe processes cardholder data within its PCI-DSS compliant infrastructure
- No cross-region replication of primary production databases is enabled
5. International Data Transfers
Where sub-processors process data outside the European Economic Area (EEA),
GlobeID ensures that appropriate safeguards are implemented, including Standard
Contractual Clauses (SCCs) or other lawful transfer mechanisms in accordance with GDPR Chapter V.
For regional S3 storage outside the EEA, transfers are based on the AWS Data Processing Addendum and applicable SCCs.
6. Updates and Notifications
GlobeID may update this Sub-Processor List from time to time.
Customers will be informed of new sub-processors through publication of an updated
Sub-Processor Register.
Where required by applicable law or the DPA, Customers may object in accordance with
the contractual procedure set out in the DPA.
The most recent version of this document will always be published with the updated date.
