Transmute · Legal
Sub-Processor List
Version 1.0 · Effective: July 14, 2026 · Last updated: July 14, 2026
This is the Sub-Processor List for Transmute, the SWIFT MT and ISO 20022 message conversion Service operated by 403 Finance, Inc. ("403 Finance"). Capitalized terms have the meanings given to them in the Terms and the DPA.
1. Purpose and Versioning
(a) Incorporation. This Sub-Processor List is incorporated into the DPA as Annex III and is the living record of the sub-processors that 403 Finance engages to process personal data in connection with the Service.
(b) Advance notice of changes. Before 403 Finance adds or replaces a sub-processor, 403 Finance gives at least fifteen (15) days' advance notice by updating this list and by notifying subscribers to the legal-updates notification mechanism (an email notification to subscribers of 403 Finance's legal-updates mailing list; subscribe by emailing legal@403fin.io). Customers are responsible for subscribing to receive notice. Where a sub-processor must be replaced urgently — including where it terminates or suspends its service to 403 Finance, becomes insolvent, or gives rise to a security concern — 403 Finance may appoint the replacement before giving that advance notice and will instead notify Customers without undue delay and in any event no later than five (5) business days after the appointment, as provided in Section 6 of the DPA; the Customer's objection right is preserved and runs from that notice.
(c) Objection. A Customer may object to a new sub-processor on the terms set out in Section 6 of the DPA, which include a termination-and-refund right for an unresolved, good-faith data-protection objection.
(d) Changelog. 403 Finance maintains a changelog of additions, replacements, and removals to this list. The current version and effective date appear in the line beneath the title above.
2. Content-Path Sub-Processors
The following sub-processors may process or transit Message Content in the course of providing the Service. Both are located in the European Union. In each case, processing is EU-located; day-to-day administrative access occurs from the United Kingdom under the European Commission's adequacy decision for the United Kingdom, and the EU SCCs incorporated in the DPA cover any residual administrative access from the United States (see DPA Section 12).
Table 1 — Content-path sub-processors
| Sub-processor | Service provided | Data involved | Location | Transfer mechanism |
|---|---|---|---|---|
| Cloudflare, Inc. | Edge network, TLS termination, web application firewall, and container compute | Message Content in transit and in request-scoped memory during processing | Frankfurt, Germany (Western Europe / WEUR) | EU-located; UK admin access under adequacy; SCCs cover any residual US access (DPA §12) |
| Neon, Inc. | Managed PostgreSQL database | Usage Metadata, credential hashes, and AES-256-GCM-encrypted batch ciphertext retained for no more than 24 hours | Amazon Web Services, eu-central-1 (Frankfurt) | EU-located; UK admin access under adequacy; SCCs cover any residual US access (DPA §12) |
3. Account-Path Processors
The following processors handle only portal-account and billing personal data and never receive Message Content.
Table 2 — Account-path processors
| Processor | Service provided | Data involved | Location | Transfer mechanism |
|---|---|---|---|---|
| Emailit | Transactional email delivery (magic-link sign-in, receipts, usage alerts) | Recipient email address and message templates | European Union | EU-located; UK admin access under adequacy; SCCs cover any residual US access (DPA §12) |
| Reoon | Signup email validation (anti-abuse) | Email addresses only | European Union | EU-located; UK admin access under adequacy; SCCs cover any residual US access (DPA §12) |
4. Stripe as an Independent Controller
(a) Payment processing. 403 Finance uses Stripe, Inc. to process payments and to hold billing identity. 403 Finance's own systems retain only Stripe customer and subscription identifiers; full payment card and bank-account numbers are handled by Stripe and are not received or stored by 403 Finance. Stripe never receives Message Content.
(b) Controller classification. For payment processing, Stripe acts as an independent controller of the personal data it processes for its own regulatory, fraud-prevention, and financial-services purposes, rather than as a sub-processor of 403 Finance. Stripe's processing of that data is governed by Stripe's own terms and privacy notice.
5. Customer-Authorized Integrations
(a) Customer-directed transmission. Where a Customer instructs the Service to deliver Output to a third-party integration the Customer has authorized — for example, delivery of a converted file to the Customer's Xero account — that third party acts solely on the Customer's instruction, under the Customer's own vendor relationship with that third party. Such third parties are not 403 Finance sub-processors, and 403 Finance does not control or contract with them on the Customer's behalf. The Customer is responsible for its relationship with, and the data-protection terms applicable to, any such integration.
6. Non-Production Vendors
(a) No customer data. The following vendors support 403 Finance's development and operations and never receive Message Content or Customer personal data: GitHub (source-code hosting and continuous integration) and 403 Finance's load-testing tooling (synthetic load generation against test data). Because these vendors never process Customer personal data, they are not sub-processors and are listed here only for transparency.
Change History
| Version | Date | Summary |
|---|---|---|
| 1.0 | July 14, 2026 | Initial release |