Last updated: May 25, 2026
InvoHub uses the following sub-processors to deliver our invoice collection and processing service. A sub-processor is a third-party company that processes personal data on our behalf when you use InvoHub.
This page is the authoritative public list of our sub-processors. We commit to maintaining it accurately and to notifying you in advance whenever we add a new sub-processor.
Current sub-processors
| # | Sub-processor | Purpose | Personal data | Location | Vendor DPA |
|---|---|---|---|---|---|
| 1 | Anthropic | AI-assisted extraction of structured data from invoice PDFs (vendor name, amounts, dates, VAT IDs) | Invoice PDF content | United States | anthropic.com/legal/data-processing-addendum |
| 2 | Amazon Web Services (AWS) | Encrypted storage of invoice PDFs (S3 service) and encryption key custody (KMS service) | Invoice PDFs, encryption keys | European Union (EU regions selected) | aws.amazon.com/service-terms |
| 3 | Neon | Hosting of the PostgreSQL database that stores your account, your invoices, and audit logs | All structured platform data | European Union (EU regions selected) | neon.com/dpa |
| 4 | Gmail mailbox access (read-only), Cloud Pub/Sub webhook delivery, Google OAuth for user authentication, Gmail SMTP for outbound transactional email | OAuth tokens (encrypted), Gmail message content, user account data | EU + US | cloud.google.com/terms/data-processing-addendum | |
| 5 | Microsoft | Outlook mailbox access (read-only) via Microsoft Graph, Microsoft OAuth for user authentication | OAuth tokens (encrypted), Outlook message content, user account data | EU + US (EU Data Boundary commitment) | aka.ms/DPA |
| 6 | Replit | Hosting of the InvoHub application runtime (Node.js process serving the API, frontend, and background workers) | Application runtime data, in-memory request data | United States | replit.com/dpa |
Notes on specific sub-processors
Outbound email (Gmail SMTP)
Outbound transactional email from hello@invohub.eu (such as account notifications, export delivery, and similar) is sent through Gmail SMTP. Gmail SMTP is a feature of the Google Workspace account that operates hello@invohub.eu, and is covered by the Google Cloud Data Processing Addendum listed for Google above. No separate vendor contract or DPA is required.
Persistent storage versus runtime
The architecture deliberately separates persistent storage of your data (which lives in European Union regions through AWS and Neon) from the application runtime (which runs on Replit’s US infrastructure). The runtime only processes data in memory while a request is being served; persistent customer data does not reside on Replit infrastructure.
This separation limits the exposure of your data to US infrastructure to the duration of an individual request, and keeps your invoices and account records at rest within the EU.
International data transfers
Personal data transferred to sub-processors outside the European Economic Area (Anthropic, Replit, and certain Google and Microsoft processing locations) is protected by the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021). The applicable module — controller-to-processor or processor-to-processor — depends on the role our customer plays under GDPR. See Section 7 of our Privacy Policy for details.
How we notify you about changes
When we add a new sub-processor or replace an existing one, we provide notice in two ways.
In-app banner. Within the application, a banner notification appears at the top of every page for every signed-in user of every workspace. The banner describes the change (which sub-processor, what processing, when it takes effect) and links to a longer explanation. The banner remains visible until you click “I acknowledge”. Your acknowledgment is recorded with a timestamp in the audit log for accountability.
Public update of this page. This sub-processors page is updated with the change, and a row is added to the “Change history” section below describing what changed and when.
You have 30 days from the date you acknowledge the in-app banner to object to the change by writing to privacy@invohub.eu. Continued use of the service beyond 30 days constitutes acceptance.
If we cannot accommodate your objection — for example, because the sub-processor change is unavoidable for the operation of the service — you may terminate your use of InvoHub at any time. Self-service workspace deletion is available through the Settings page; on deletion, your data is exported on request and then erased within 30 days, in line with our standard retention policy.
Change history
| Date | Change | Sub-processor | Action by customers |
|---|---|---|---|
| May 25, 2026 | Initial publication of sub-processors page | All current sub-processors disclosed | None — initial disclosure |
When future changes are made, new rows are added to the top of this table.
Contact
For questions about our sub-processors, to object to a sub-processor change, or to discuss data processing arrangements:
Email: privacy@invohub.eu
Postal address: All Digital Group, UAB · Žalgirio g. 94 · LT-09300 Vilnius · Lithuania
For data protection authority contact information, see our Privacy Policy Section 9 or our Contact page.
Related documents
- Privacy Policy — how we use your personal data
- Terms of Service — the agreement under which you use InvoHub
- Data Processing Agreement — Appendix A to the Terms of Service, governing our role as your data processor for invoice content