This page lists the third-party sub-processors engaged by Mariza Katsantoni / Messagio to process personal data on behalf of our customers. It is provided in compliance with Article 28(2) GDPR and Section 7 of our Data Processing Agreement.
We engage sub-processors only where necessary to provide the Service, and we impose on them data protection obligations no less protective than those in our DPA. Sub-processors marked "Core" are used for all customers; those marked "Optional" are only used when the corresponding feature or integration is enabled by the customer.
Infrastructure
| Sub-processor | Purpose | Location | Transfer safeguards |
|---|
| Google Cloud (Google Ireland Ltd.) Core |
Hosting of application servers, databases, backups, static assets |
EU (europe-west3, Frankfurt, Germany) |
EU-based, no transfer to third country for primary storage. DPF & SCCs for any ancillary Google services. |
| Let's Encrypt (ISRG) Core |
TLS certificate issuance |
USA |
DPF / SCCs. No personal data transferred; domain metadata only. |
Payments
| Sub-processor | Purpose | Location | Transfer safeguards |
|---|
| Stripe Payments Europe, Ltd. Core |
Payment processing, invoicing, tax ID validation, subscription management |
Ireland (EU); global processing |
EU entity; SCCs for onward transfers to Stripe, Inc. (USA). Stripe acts as independent controller for fraud/KYC. |
AI & Language Models
| Sub-processor | Purpose | Location | Transfer safeguards |
|---|
| OpenAI, L.L.C. Optional |
AI inference (chat completions, embeddings) when customer enables OpenAI-powered AI features |
USA |
SCCs + DPA; zero-retention / no-training commitment configured via API. Data not used to train models. |
| Anthropic, PBC Optional |
AI inference (Claude models) when customer enables Anthropic-powered AI features |
USA |
SCCs + DPA; no-training commitment. Data not used to train models. |
Communication Channels (activated by customer)
| Sub-processor | Purpose | Location | Transfer safeguards |
|---|
| Meta Platforms Ireland Ltd. (Facebook Messenger, Instagram DMs, FB/IG Comments, WhatsApp Business) Optional |
Delivery and receipt of messages on Meta channels the customer connects |
Ireland (EU); global processing |
EU entity; SCCs for onward transfers to Meta Platforms, Inc. (USA). Meta acts as independent controller on its own platforms. |
| Telegram FZ-LLC Optional |
Telegram bot API messaging |
UAE / global |
Adequate safeguards; Telegram acts as independent controller on its platform. |
| Rakuten Viber Optional |
Viber bot API messaging |
Cyprus / global |
Viber acts as independent controller on its platform. |
| Google LLC / Google Ireland Ltd. (Gmail API, OAuth) Optional |
Email sync and send via Gmail when customer connects a Google account |
EU / USA |
DPF + SCCs. Google acts as independent controller for the underlying Gmail service. |
| Mailgun Technologies, Inc. Core |
Transactional email delivery (account verification, notifications) |
EU region when available; USA |
DPF + SCCs. |
Analytics & Monitoring
| Sub-processor | Purpose | Location | Transfer safeguards |
|---|
| Google LLC (Google Analytics 4) Core |
Aggregate usage analytics on public pages; signup conversion tracking |
USA (with EU regional collection) |
DPF + SCCs. IP anonymisation enabled. Loaded only after cookie consent. |
E-commerce Bridges
| Sub-processor | Purpose | Location | Transfer safeguards |
|---|
| Customer-controlled Magento / e-commerce endpoints Optional |
Order and product lookup when the customer connects an AI bridge |
Customer-hosted |
Customer is responsible for its own endpoint; Messagio only calls the API with the customer's credentials. |
Notifications of Changes
We notify customers by email and in-app at least 30 days before adding or replacing a sub-processor that processes Customer Personal Data. You may object on reasonable data protection grounds per Section 7 of the DPA. To subscribe to change notifications, email hello@bigg.gr with subject "Subprocessor updates".
Contact
Questions about sub-processors: hello@bigg.gr