Sub-processor Register
Last updated: 01/01/2026
1. Purpose
This document identifies the third-party sub-processors engaged by GlobeID Limited
(“GlobeID”) to process Personal Data on behalf of Customers in connection with the
PassportScan services, in accordance with Article 28(2) and 28(4) of the GDPR.
This Sub-Processor List forms an integral part of the Data Processing Agreement (DPA).
2. General Principles
- Sub-processors are engaged only where strictly necessary to provide the Services
- All sub-processors are bound by written data protection agreements imposing obligations no less protective than those in the DPA
- GlobeID remains fully liable for the acts and omissions of its sub-processors
- Sensitive identity document processing (OCR) is performed locally on the end-user device and not by third parties
3. Authorized Sub-Processors (Unified Table)
| Sub-Processor | Service Category | Purpose/Function | Data Categories Processed | Processing Location |
|---|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud Infrastructure & Hosting | Hosting, encrypted storage, backups, infrastructure security | Encrypted personal data, service metadata | EU (Irelan…) |
| External DevOps Service Provider(s) | Infrastructure Operations | Infrastructure management, monitoring, deployment, maintenance | Limited system-level data strictly necessary for operations | EU / Rem… |
| Vanta, Inc. | Security & Compliance | ISO 27001 / SOC 2 compliance monitoring and evidence collection | Organisational security data, limited employee/user metadata | United St… |
| Clerk, Inc. | Identity & Authentication | Authentication and access management for platform users (staff, admins) | User identifiers, authentication metadata | United St… |
| Datadog, Inc. | Logging & Monitoring | Application monitoring, logging, performance and error tracking | Technical logs, pseudonymised identifiers | United St… |
| Google LLC | Website Analytics (Non-Production) | Website analytics and performance measurement | Online identifiers, usage data | United St… |
4. Explicit Exclusions
- No sub-processor processes raw identity documents, MRZ images, or biometric data
- OCR and document extraction are performed entirely on the end-user’s mobile device
- Analytics and website tools are used only on public, non-production systems
5. International Data Transfers
Where sub-processors process data outside the European Economic Area, GlobeID ensures
that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs)
or equivalent lawful transfer mechanisms.
6. Updates and Notifications
GlobeID may update this Sub-Processor List from time to time.
Where required by applicable law or the DPA, Customers will be notified of material changes
and may object in accordance with the DPA.
The most recent version of this document will always be published with the updated date.
