ShadowCMO Legal Documentation
Effective Date: November 13, 2025
Last Updated: November 13, 2025
This page provides a current list of sub-processors engaged by ISW AI Venture (trading as ShadowCMO) to process personal data on behalf of our customers.
As described in our Data Processing Agreement, we engage trusted third-party service providers to help deliver the Services. All sub-processors are contractually bound to:

- Implement appropriate technical and organisational security measures
- Process personal data only as instructed by ShadowCMO
- Comply with GDPR Article 28 obligations
- Notify us of any data breaches within 72 hours

| Sub-Processor | Location | Processing Purpose | Data Categories | Security Certifications |
|---|---|---|---|---|
| Replit, Inc. | USA | Cloud infrastructure, hosting, compute, and networking services | Account data, Customer Data, usage logs, IP addresses | SOC 2 Type II, GDPR-compliant, EU-US Data Privacy Framework (DPF) |
| Neon (Neon Postgres) | USA | Managed PostgreSQL database services | All Customer Data, account information, campaign data, user profiles | SOC 2 Type II, GDPR-compliant, encryption at rest (AES-256) |
| Google Cloud Storage (Google LLC) | USA | Object storage for images, videos, and media files | Generated images, videos, logos, product photos, brand assets | ISO 27001, SOC 2 Type II, SOC 3, GDPR-compliant, EU-US Data Privacy Framework (DPF) |
| OpenAI, Inc. | USA | AI language models (GPT-4o-mini) for copywriting, content generation, and competitor analysis; Text-to-Speech (TTS-1-HD) for AI voiceover generation | Campaign briefs, brand guidelines, user prompts, generated copy, voiceover scripts | SOC 2 Type II, GDPR-compliant, EU-US Data Privacy Framework (DPF), Zero data retention (API inputs not used for training without opt-in) |
| Replicate, Inc. | USA | AI image generation (FLUX.1 model) for campaign visuals | Image generation prompts, creative briefs, style preferences | GDPR-compliant, encryption in transit (TLS 1.2+), EU-US Data Privacy Framework (DPF) |
| Luma AI, Inc. | USA | AI video generation (Ray2 model) for text-to-video and image-to-video creation | Video generation prompts, source images, campaign parameters | GDPR-compliant, encryption in transit and at rest, secure API access |
| Cloudinary, Inc. | Ireland / USA | Media transformation, image and video enrichment, overlay processing, CDN delivery | Campaign images, videos, logos, product images, text overlays, enriched media | ISO 27001, SOC 2 Type II, GDPR-compliant, EU-US Data Privacy Framework (DPF), encryption in transit and at rest |
| Firecrawl, Inc. | USA | Web scraping and data extraction for competitor analysis | Competitor URLs, publicly available web content, market research data | GDPR-compliant, encryption in transit (TLS 1.3), secure API access |
| Resend, Inc. | USA | Transactional email delivery (account notifications, password resets, billing emails) | Email addresses, names, transactional email content | GDPR-compliant, encryption in transit (TLS 1.2+), EU-US Data Privacy Framework (DPF) |
In accordance with GDPR Article 28(2) and our Data Processing Agreement, we will provide 30 days' advance notice before:

- Adding a new sub-processor
- Replacing an existing sub-processor
- Making material changes to sub-processor arrangements

Notification Methods:

- Email notification to all active customers
- Updates to this page (with "Last Updated" date change)
- Notice in the ShadowCMO platform dashboard

Your Right to Object: You have 14 days from notification to object to a new or replacement sub-processor based on justified data protection grounds. If we cannot accommodate a reasonable alternative, either party may terminate the affected Services upon 30 days' written notice.
All sub-processors listed above are located in the United States. Data transfers from the European Economic Area (EEA) and United Kingdom to these sub-processors are safeguarded by:
| Mechanism | Applicable Sub-Processors | Details |
|---|---|---|
| EU-US Data Privacy Framework (DPF) | Replit, OpenAI, Replicate, Google Cloud, Cloudinary, Resend | These sub-processors are certified under the EU-US DPF, which has been recognized by the European Commission as providing adequate protection |
| Standard Contractual Clauses (SCCs) | All sub-processors | We have entered into SCCs (Commission Implementing Decision EU 2021/914) with all sub-processors as a supplementary safeguard |
| Supplementary Technical Measures | All sub-processors | Encryption in transit (TLS 1.2+), encryption at rest (AES-256), access controls, audit logging, and contractual data processing restrictions |
For UK transfers: The UK International Data Transfer Addendum (IDTA) to the SCCs applies for transfers subject to UK-GDPR.
A copy of applicable safeguards is available upon request to dpo@shadowcmo.com.
All sub-processors implement security measures aligned with GDPR Article 32, including:
Sub-processors retain personal data only for the duration necessary to provide the Services:
Upon request, we will provide written confirmation of data deletion from sub-processors.
We select sub-processors that maintain industry-standard certifications:

- SOC 2 Type II: Independent audit of security, availability, and confidentiality controls
- ISO 27001: International standard for information security management systems
- GDPR Compliance: Contractual and technical compliance with GDPR requirements
- EU-US Data Privacy Framework: Certification for adequate data protection

Before engaging a sub-processor, we:

1. Review their security certifications and compliance documentation
2. Execute Data Processing Agreements (Article 28 GDPR)
3. Verify encryption, access controls, and incident response capabilities
4. Assess data transfer safeguards and international compliance
5. Establish breach notification and audit rights

We continuously monitor sub-processors to ensure:

- Certifications remain current (annual re-verification)
- Security incidents are reported promptly
- Data processing remains within agreed scope
- GDPR obligations are maintained

This section tracks changes to our sub-processor list for transparency:
| Date | Change | Details |
|---|---|---|
| November 13, 2025 | Initial publication | First publication of sub-processors list with 9 services |
Note: Material changes (new sub-processors, replacements) will be logged here with 30 days' advance notice.
For questions about sub-processors, data transfers, or security measures, contact:
Data Protection Officer
Email: dpo@shadowcmo.com
Website: www.shadowcmo.com
Address: Roosbergsweg 12A, 4854PM Bavel, Netherlands
To object to a sub-processor change: Email dpo@shadowcmo.com within 14 days of notification with subject line "Sub-Processor Objection - [Sub-Processor Name]" and explain your data protection grounds for objection.
For additional information:

- Data Processing Agreement: Full processor obligations and security measures
- Privacy & Cookie Policy: How we process personal data as a controller
- Terms & Conditions: Master services agreement

END OF SUB-PROCESSORS LIST