Lex Partis

Subprocessors

Last updated on April 27, 2026

This page contains the updated list of providers that Dextra Transaction Services S.L. (Lex Partis) uses as Data Processors or Subprocessors under Article 28 of Regulation (EU) 2016/679 (GDPR). For each provider, the company name, the service provided, the location of processing, the categories of personal data processed, and the applicable legal guarantees (Standard Contractual Clauses, Data Processing Agreement, and, where applicable, adherence to the EU-US Data Privacy Framework) are identified.

List of authorised subprocessors

Provider	Service provided	Location of processing	Categories of data	Applicable guarantees	Documentation
Hetzner Online GmbH	Cloud infrastructure, databases, and object storage where the platform is hosted.	Germany (EU/EEA).	All data of the platform: user accounts, case file content, documents, logs, and backups.	Full processing within the EEA. Data Processing Agreement (Auftragsverarbeitungsvertrag) signed in accordance with Article 28 GDPR.	Website DPA
Stripe Payments Europe, Ltd.	Payment processing, invoicing, subscription management, and customer portal.	Ireland (EU/EEA) and the United States.	Customer identity and contact, billing address, NIF/VAT, billed amounts, and tokenised reference of the payment method. Stripe acts as an independent controller regarding the complete card data (PAN/CVV), which is not processed or stored by {company}.	Standard Contractual Clauses (Decision 2021/914) and adherence to the EU-US Data Privacy Framework. DPA available.	Website DPA
OpenAI Ireland Ltd	Generative language models (LLM) that support the conversational assistant SofIA.	Ireland (EU) and the United States.	Messages exchanged by the User with SofIA and strictly necessary context of the session. Conversations are not used to train OpenAI models in accordance with the signed DPA.	Standard Contractual Clauses (Decision 2021/914), Data Processing Agreement and Zero Data Retention policy in contractually applicable cases.	Website DPA
Signaturit Solutions, S.L.	Platform for advanced and qualified electronic signature in accordance with Regulation (EU) 910/2014 (eIDAS) and Law 6/2020.	Spain (EU/EEA).	Identification of the signer (name, NIF, email, phone when applicable), content of the document to be signed and evidence of signature (certificate, timestamp, IP, event log).	Processing within the EEA. Data Processing Agreement in accordance with Article 28 GDPR. Qualified trust service provider.	Website DPA
Resend, Inc.	Sending of transactional email: account verification, system notifications, invoices and invitations.	United States.	Recipient's email address, name, technical identifiers of the sending and content of the transactional message itself.	Standard Contractual Clauses (Decision 2021/914) and adherence to the EU-US Data Privacy Framework. DPA available.	Website DPA
Functional Software, Inc. d/b/a Sentry	Detection, diagnosis and monitoring of runtime errors (error tracking and performance).	United States.	Error traces that may contain internal user identifier, IP address, user agent and technical metadata of the request. The content data of files is subject to automatic scrubbing.	Standard Contractual Clauses (Decision 2021/914), signed DPA and policies for minimisation and scrubbing of sensitive data configured at the project level.	Website DPA
Cloudflare, Inc.	Content Delivery Network (CDN), managed DNS and perimeter security (DDoS mitigation and application firewall).	United States, with global presence through points of presence (POPs).	IP addresses, HTTP headers, technical session identifiers and traffic metadata. The content of files is not stored at the edge.	Standard Contractual Clauses (Decision 2021/914), adherence to the EU-US Data Privacy Framework and signed DPA.	Website DPA

Hetzner Online GmbH
Service provided
Cloud infrastructure, databases, and object storage where the platform is hosted.
Location of processing
Germany (EU/EEA).
Categories of data
All data of the platform: user accounts, case file content, documents, logs, and backups.
Applicable guarantees
Full processing within the EEA. Data Processing Agreement (Auftragsverarbeitungsvertrag) signed in accordance with Article 28 GDPR.
Website DPA
Stripe Payments Europe, Ltd.
Service provided
Payment processing, invoicing, subscription management, and customer portal.
Location of processing
Ireland (EU/EEA) and the United States.
Categories of data
Customer identity and contact, billing address, NIF/VAT, billed amounts, and tokenised reference of the payment method. Stripe acts as an independent controller regarding the complete card data (PAN/CVV), which is not processed or stored by {company}.
Applicable guarantees
Standard Contractual Clauses (Decision 2021/914) and adherence to the EU-US Data Privacy Framework. DPA available.
Website DPA
OpenAI Ireland Ltd
Service provided
Generative language models (LLM) that support the conversational assistant SofIA.
Location of processing
Ireland (EU) and the United States.
Categories of data
Messages exchanged by the User with SofIA and strictly necessary context of the session. Conversations are not used to train OpenAI models in accordance with the signed DPA.
Applicable guarantees
Standard Contractual Clauses (Decision 2021/914), Data Processing Agreement and Zero Data Retention policy in contractually applicable cases.
Website DPA
Signaturit Solutions, S.L.
Service provided
Platform for advanced and qualified electronic signature in accordance with Regulation (EU) 910/2014 (eIDAS) and Law 6/2020.
Location of processing
Spain (EU/EEA).
Categories of data
Identification of the signer (name, NIF, email, phone when applicable), content of the document to be signed and evidence of signature (certificate, timestamp, IP, event log).
Applicable guarantees
Processing within the EEA. Data Processing Agreement in accordance with Article 28 GDPR. Qualified trust service provider.
Website DPA
Resend, Inc.
Service provided
Sending of transactional email: account verification, system notifications, invoices and invitations.
Location of processing
United States.
Categories of data
Recipient's email address, name, technical identifiers of the sending and content of the transactional message itself.
Applicable guarantees
Standard Contractual Clauses (Decision 2021/914) and adherence to the EU-US Data Privacy Framework. DPA available.
Website DPA
Functional Software, Inc. d/b/a Sentry
Service provided
Detection, diagnosis and monitoring of runtime errors (error tracking and performance).
Location of processing
United States.
Categories of data
Error traces that may contain internal user identifier, IP address, user agent and technical metadata of the request. The content data of files is subject to automatic scrubbing.
Applicable guarantees
Standard Contractual Clauses (Decision 2021/914), signed DPA and policies for minimisation and scrubbing of sensitive data configured at the project level.
Website DPA
Cloudflare, Inc.
Service provided
Content Delivery Network (CDN), managed DNS and perimeter security (DDoS mitigation and application firewall).
Location of processing
United States, with global presence through points of presence (POPs).
Categories of data
IP addresses, HTTP headers, technical session identifiers and traffic metadata. The content of files is not stored at the edge.
Applicable guarantees
Standard Contractual Clauses (Decision 2021/914), adherence to the EU-US Data Privacy Framework and signed DPA.
Website DPA

Notification of changes

Any substantial addition, removal or replacement of a subprocesser will be reflected on this page. When the change significantly affects the processing of the Client's personal data, Dextra Transaction Services S.L. will notify it at least fifteen (15) calendar days in advance via notice on the platform or by email, in accordance with the procedure set out in the Data Processing Agreement.

Grounds for objection

The Client may object reasoned to the incorporation of a new sub-processor when there are objective and justified reasons relating to data protection. Such objection must be communicated to dpo@lexpartis.com within a maximum period of fifteen (15) calendar days from the notification of the change. Dextra Transaction Services S.L. will assess the objection and, if it is not possible to reach a satisfactory solution, the Client may terminate the contract without penalty in accordance with the Terms.

List of authorised subprocessors

Provider	Service provided	Location of processing	Categories of data	Applicable guarantees	Documentation
Hetzner Online GmbH	Cloud infrastructure, databases, and object storage where the platform is hosted.	Germany (EU/EEA).	All data of the platform: user accounts, case file content, documents, logs, and backups.	Full processing within the EEA. Data Processing Agreement (Auftragsverarbeitungsvertrag) signed in accordance with Article 28 GDPR.	Website DPA
Stripe Payments Europe, Ltd.	Payment processing, invoicing, subscription management, and customer portal.	Ireland (EU/EEA) and the United States.	Customer identity and contact, billing address, NIF/VAT, billed amounts, and tokenised reference of the payment method. Stripe acts as an independent controller regarding the complete card data (PAN/CVV), which is not processed or stored by {company}.	Standard Contractual Clauses (Decision 2021/914) and adherence to the EU-US Data Privacy Framework. DPA available.	Website DPA
OpenAI Ireland Ltd	Generative language models (LLM) that support the conversational assistant SofIA.	Ireland (EU) and the United States.	Messages exchanged by the User with SofIA and strictly necessary context of the session. Conversations are not used to train OpenAI models in accordance with the signed DPA.	Standard Contractual Clauses (Decision 2021/914), Data Processing Agreement and Zero Data Retention policy in contractually applicable cases.	Website DPA
Signaturit Solutions, S.L.	Platform for advanced and qualified electronic signature in accordance with Regulation (EU) 910/2014 (eIDAS) and Law 6/2020.	Spain (EU/EEA).	Identification of the signer (name, NIF, email, phone when applicable), content of the document to be signed and evidence of signature (certificate, timestamp, IP, event log).	Processing within the EEA. Data Processing Agreement in accordance with Article 28 GDPR. Qualified trust service provider.	Website DPA
Resend, Inc.	Sending of transactional email: account verification, system notifications, invoices and invitations.	United States.	Recipient's email address, name, technical identifiers of the sending and content of the transactional message itself.	Standard Contractual Clauses (Decision 2021/914) and adherence to the EU-US Data Privacy Framework. DPA available.	Website DPA
Functional Software, Inc. d/b/a Sentry	Detection, diagnosis and monitoring of runtime errors (error tracking and performance).	United States.	Error traces that may contain internal user identifier, IP address, user agent and technical metadata of the request. The content data of files is subject to automatic scrubbing.	Standard Contractual Clauses (Decision 2021/914), signed DPA and policies for minimisation and scrubbing of sensitive data configured at the project level.	Website DPA
Cloudflare, Inc.	Content Delivery Network (CDN), managed DNS and perimeter security (DDoS mitigation and application firewall).	United States, with global presence through points of presence (POPs).	IP addresses, HTTP headers, technical session identifiers and traffic metadata. The content of files is not stored at the edge.	Standard Contractual Clauses (Decision 2021/914), adherence to the EU-US Data Privacy Framework and signed DPA.	Website DPA

Hetzner Online GmbH

Service provided: Cloud infrastructure, databases, and object storage where the platform is hosted.
Location of processing: Germany (EU/EEA).
Categories of data: All data of the platform: user accounts, case file content, documents, logs, and backups.
Applicable guarantees: Full processing within the EEA. Data Processing Agreement (Auftragsverarbeitungsvertrag) signed in accordance with Article 28 GDPR.

Stripe Payments Europe, Ltd.

Service provided: Payment processing, invoicing, subscription management, and customer portal.
Location of processing: Ireland (EU/EEA) and the United States.
Categories of data: Customer identity and contact, billing address, NIF/VAT, billed amounts, and tokenised reference of the payment method. Stripe acts as an independent controller regarding the complete card data (PAN/CVV), which is not processed or stored by {company}.
Applicable guarantees: Standard Contractual Clauses (Decision 2021/914) and adherence to the EU-US Data Privacy Framework. DPA available.

OpenAI Ireland Ltd

Service provided: Generative language models (LLM) that support the conversational assistant SofIA.
Location of processing: Ireland (EU) and the United States.
Categories of data: Messages exchanged by the User with SofIA and strictly necessary context of the session. Conversations are not used to train OpenAI models in accordance with the signed DPA.
Applicable guarantees: Standard Contractual Clauses (Decision 2021/914), Data Processing Agreement and Zero Data Retention policy in contractually applicable cases.

Signaturit Solutions, S.L.

Service provided: Platform for advanced and qualified electronic signature in accordance with Regulation (EU) 910/2014 (eIDAS) and Law 6/2020.
Location of processing: Spain (EU/EEA).
Categories of data: Identification of the signer (name, NIF, email, phone when applicable), content of the document to be signed and evidence of signature (certificate, timestamp, IP, event log).
Applicable guarantees: Processing within the EEA. Data Processing Agreement in accordance with Article 28 GDPR. Qualified trust service provider.

Resend, Inc.

Service provided: Sending of transactional email: account verification, system notifications, invoices and invitations.
Location of processing: United States.
Categories of data: Recipient's email address, name, technical identifiers of the sending and content of the transactional message itself.
Applicable guarantees: Standard Contractual Clauses (Decision 2021/914) and adherence to the EU-US Data Privacy Framework. DPA available.

Functional Software, Inc. d/b/a Sentry

Service provided: Detection, diagnosis and monitoring of runtime errors (error tracking and performance).
Location of processing: United States.
Categories of data: Error traces that may contain internal user identifier, IP address, user agent and technical metadata of the request. The content data of files is subject to automatic scrubbing.
Applicable guarantees: Standard Contractual Clauses (Decision 2021/914), signed DPA and policies for minimisation and scrubbing of sensitive data configured at the project level.

Cloudflare, Inc.

Service provided: Content Delivery Network (CDN), managed DNS and perimeter security (DDoS mitigation and application firewall).
Location of processing: United States, with global presence through points of presence (POPs).
Categories of data: IP addresses, HTTP headers, technical session identifiers and traffic metadata. The content of files is not stored at the edge.
Applicable guarantees: Standard Contractual Clauses (Decision 2021/914), adherence to the EU-US Data Privacy Framework and signed DPA.

Notification of changes

Grounds for objection