Effective date: 22 May 2026 Last updated: 22 May 2026 Document version: 1.0 Published at: https://vanillasteel.com/software/subprocessors
This list identifies the subprocessors that Vanilla Steel GmbH engages to process Customer Data in connection with its SaaS Services (RFQ Classifier, RFQ Extractor, and Quoting App). It forms part of the Vanilla Steel Privacy & Data Processing Notice and supports the data-processing commitments in the Vanilla Steel Terms of Service.
A "subprocessor" is a third party that Vanilla Steel authorises to process Customer Data on its behalf in order to deliver the Services. Customer-controlled identity providers (Microsoft Entra ID, Google Workspace) are not subprocessors of Vanilla Steel; they are listed separately under "Platform integrations" because Customers will encounter them through the Services.
Vanilla Steel will give Customers at least thirty (30) days' prior notice of any new subprocessor, or any material change to the role of an existing subprocessor, by updating this page (and, where required, by direct notice to the administrator email on record). Customers may object to a proposed change on reasonable data protection grounds as set out in Section 8 of the Terms of Service.
To receive notifications of changes by email, contact info@vanillasteel.com.
AI inference is performed in different configurations depending on the Service:
The open-source projects whose model weights Vanilla Steel uses (the ONNX Model Zoo, OpenAI as publisher of GPT-OSS, and the original authors of these models) do not receive Customer Data and are therefore not subprocessors of Vanilla Steel.
Where a third-party AI service provider is used by the RFQ Extractor, the following subprocessor applies:
| Subprocessor | Purpose | Categories of data processed | Processing location | Applies to |
|---|---|---|---|---|
| Anthropic PBC (Delaware, USA) | Large language model inference for extraction (when the third-party AI configuration is in use) | Mailbox content transmitted for the inference call (subject, body, sender, attachments where relevant); no persistent storage by the subprocessor | United States, with EU Standard Contractual Clauses and Anthropic's supplementary safeguards | RFQ Extractor |
Used to host the Vanilla Steel SaaS backend, process and store Customer Data at rest, monitor application health, and send transactional email.
| Subprocessor | Purpose | Categories of data processed | Processing location | Applies to |
|---|---|---|---|---|
| Amazon Web Services EMEA SARL (Luxembourg) | Cloud hosting and storage of Vanilla Steel backend services and Customer Data at rest | Customer Data including RFQ-classified mailbox content, extracted RFQ records, quote records, and account/identity records | European Union (EU regions only) | RFQ Classifier, RFQ Extractor, Quoting App |
| Google Cloud EMEA Limited (Ireland) | Cloud hosting and storage of Vanilla Steel backend services and Customer Data at rest; also hosts the self-hosted open-source large language model used by the RFQ Extractor | Customer Data as above; mailbox content and extracted records also pass through the self-hosted model running on this provider's infrastructure | European Union (EU regions only) | RFQ Classifier, RFQ Extractor, Quoting App |
| Microsoft Ireland Operations Limited (Ireland) | Cloud hosting and storage of Vanilla Steel backend services and Customer Data at rest | Customer Data as above | European Union (EU regions only) | RFQ Classifier, RFQ Extractor, Quoting App |
| Twilio Ireland Limited (Ireland), operating SendGrid | Transactional email delivery (operational notifications, account messages) | Email addresses, names, and transactional message content (no mailbox content from connected accounts) | European Union and United States, with EU Standard Contractual Clauses | RFQ Classifier, RFQ Extractor, Quoting App |
| Functional Software, Inc. dba Sentry (California, USA) | Application error monitoring and stack-trace capture | Application diagnostic data (errors, stack traces, IP addresses, user identifiers); not configured to receive Customer Data | United States, with EU Standard Contractual Clauses | RFQ Classifier, RFQ Extractor, Quoting App |
| Web analytics provider | Aggregated usage analytics in the Quoting App web UI | To be confirmed; exact provider and data scope will be added to this list before the Quoting App enters general availability | To be confirmed | Quoting App (pending) |
These third parties are not Vanilla Steel's subprocessors; they are the Customer's own identity and mailbox providers. The Services connect to them only with the Customer's explicit authorisation, and the Customer's relationship with these providers is governed by the Customer's separate agreement with them.
| Provider | Role | Applies to |
|---|---|---|
| Microsoft Corporation / Microsoft Ireland Operations Limited (Microsoft 365, Microsoft Graph, Microsoft Entra ID) | Customer's mailbox host and identity provider; the Services access mailboxes and authenticate users only as authorised by the Customer's tenant administrator | RFQ Classifier, RFQ Extractor, Quoting App |
| Google LLC / Google Ireland Limited (Google Workspace, Gmail API, Google OAuth) | Customer's mailbox host and identity provider; the Services access mailboxes and authenticate users only as authorised by the Customer's Workspace administrator | RFQ Extractor |
For questions about this list or about how Vanilla Steel handles personal data:
Vanilla Steel GmbH Schönhauser Allee 36, 10435 Berlin, Germany info@vanillasteel.com