SBOM Observer Subprocessors
SBOM Observer Subprocessors and Data Processing
Version 1.2 • Updated November 7, 2025
To deliver our SBOM Observer SaaS Platform services, SBOM Observer (Bitfront AB) uses third-party subprocessors to process personal information. Data retention and residency terms may be customized by written agreement for specific use cases.
Overview of Processing Activities
| Processing Activity | Purpose | Data | Retention Period | Termination |
|---|---|---|---|---|
| User account management | Create and manage user accounts and access permissions | Name, email address, organization, role | Active subscription period | Deleted within 90 days after termination |
| Audit and access logs | Security, traceability, service diagnostics | Username, IP address, action | 180 days | Deleted within 90 days after termination |
| Backups | Disaster recovery and business continuity | Encrypted service data | 30 days | Deleted within 90 days after termination |
| Support and issue tracking | Respond to customer requests | Contact details, ticket content | Active subscription period | Deleted within 90 days after termination |
| Product analytics | Service improvement and reliability | Aggregated usage metrics (no PII content) | 12 months | N/A (Aggregated or anonymized) |
| Billing and invoicing | Financial and compliance purposes | Company name, billing contact, payment info | 7 years (per Swedish law) | Deleted after retention period |
Data Residency
All customer data is stored and processed within the European Union (Germany). No personal data is transferred or stored outside the EU/EEA without explicit prior written consent.
- Data deletion: Within 90 days after contract termination
- Backup deletion: Automatically overwritten within 30 days
Subprocessors
| Subprocessor | Registered Entity / Country | Purpose | Location |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Luxembourg / Sweden (Nordic ops) | Cloud hosting and infrastructure | EU (Germany) |
| Vercel | United States | Frontend hosting | EU |
| Stripe Payments Europe | Ireland | Subscriptions management | EU (Ireland) |
| PostHog | United Kingdom | Product analytics, onboarding automation | EU (Ireland) |
| Mailgun (Sinch) | United States | Email delivery | EU (Germany) |
| Sentry | United States | Error tracking and application performance monitoring | EU (Germany) |
Data Processing
All subprocessors operate under Data Processing Agreements (DPAs) in accordance with GDPR Article 28. These agreements ensure:
- Processing only on documented instructions
- Appropriate technical and organizational security measures
- Assistance with data subject rights requests
- Data deletion or return upon service termination
Our complete Data Processing Agreement is available online.
Changes
We may update our list of subprocessors. Material changes will be communicated via email with 15 days' notice. If you object to a new subprocessor, you may terminate your account per our Terms of Service.
For questions, contact support@sbom.observer or security@sbom.observer.