A) Public list of subprocessors

Category	Processor (legal entity)	Location	Purpose	Typical data	Retention
AI processing	OpenAI, L.L.C.	USA/EU	Model inference (GPT‑5, GPT‑5‑mini)	prompts, outputs, metadata	Short‑term logs (e.g., ~30 days) for abuse/security
Authentication	Google LLC (OAuth)	Global	Sign‑in & identity	name, email, Google ID, avatar	Per Google policy
Payments	Stripe, Inc. & affiliates	Global	Billing & payments	name, email, billing info, last‑4, invoices	Per Stripe policy
Hosting	[Vercel/AWS/OVH]	[region]	App & data hosting	account data, content, logs	Per provider policy
Analytics/Support	[Plausible/GA4, Zendesk/HelpScout]	[region]	Usage analytics / ticketing	pseudonymous events / ticket content	[x] months / per provider

We will update this list before adding or replacing a subprocessor and provide customers with a notification mechanism (email or dashboard).

B) Data Processing Addendum (Controller → Processor)

This DPA applies where Customer is the controller and Specsor is the processor of Personal Data.

Subject matter & duration. Processing Personal Data to provide the Service, for the subscription term plus deletion/archival periods.
Roles. Customer = controller; Specsor = processor. Customer instructs processing to provide, secure, and support the Service, including transfers to approved subprocessors.
Nature & purpose. Hosting, storage, retrieval, transmission, and transformation necessary for the Service (including AI inference via subprocessors).
Data subjects. Customer's end users, personnel, contractors, and other individuals whose data is submitted to the Service.
Personal Data. Account identifiers (name, email), authentication tokens, usage logs, prompts/outputs (to the extent Personal Data is included), billing metadata.
Special categories. Not intended for special categories; Customer will not submit such data unless agreed in writing with additional safeguards.
Processor obligations. (a) Process on documented instructions; (b) confidentiality; (c) technical & organizational security (Annex II); (d) assist with data subject requests and DPIAs; (e) breach notice without undue delay; (f) deletion/return at termination, subject to legal holds.
Subprocessors. Authorized as listed above and their affiliates. Specsor will impose data protection terms and remain responsible for their performance. Changes will be notified with an opportunity to object where reasonable.
International transfers. Valid transfer mechanisms (e.g., EU Standard Contractual Clauses and UK addendum) and supplementary measures as appropriate.
Audits. On request, Specsor will provide information necessary to demonstrate compliance and allow audits once annually under confidentiality, with reasonable notice and minimal disruption.
Liability. Subject to the limitation of liability in the main agreement, except where prohibited by law.
Governing law. French law and the courts specified in the main agreement.

Annex I – Processing details

See items 1–6 above.

Annex II – Security measures

Encryption in transit (TLS) and at rest where supported.
Access controls (RBAC), least‑privilege, and credential rotation.
Audit logging for administrative actions.
Vulnerability management and secure development practices.
Backups with segregation and rolling deletion windows.
Incident response and breach notification procedures.

Annex III – Subprocessors

See table in Section A.

Execution

To execute this DPA, countersign the version provided in your account or email [email protected] for a copy. By continuing to use the Service after notice of subprocessor changes, you authorize the updated list.