Sub-Processor List and Management Policy

BMX Holdings Ltd ("Orcha") | Version 4.0 | As of: 12.04.2026

Legal Basis: Art. 28(2), (4) GDPR

Document ID: O3

1. Purpose and Scope

This sub-processor list documents all companies to which BMX Holdings Ltd ("Orcha") transfers the processing of personal data within the meaning of Art. 28 GDPR. The list is continuously updated and communicated to the controller in writing pursuant to Section 4.

The requirements for sub-processors described in this policy are aligned with the protection level of §203 StGB (German Criminal Code -- Professional Secrecy), to be suitable for controllers with special confidentiality obligations (e.g., tax advisors, lawyers). Pure ancillary services without access to personal data (e.g., telecommunications providers, postal services) do not constitute sub-processing.

Note: This document references §203 StGB (German professional secrecy) requirements. These provisions are specifically relevant for controllers with professional confidentiality obligations (e.g., tax advisors, lawyers). For general company customers, standard GDPR confidentiality protections apply. The §203 StGB measures represent an additional layer of security that benefits all customers.

2. Current Sub-Processors

#	Company	Registered Office	DC Location	Purpose	Data Categories	Third Country Safeguards
1	Amazon Web Services EMEA SARL	Luxembourg	EU (Frankfurt)	Hosting, database, storage, authentication, key management, email receiving and sending	All personal data	No third country transfer
2	Anthropic, Inc.	USA (San Francisco)	USA	AI document data extraction, classification, tax compliance review	Document contents (full text including financial data)	SCCs, UK Addendum to EU SCCs, DPA, TIA
3	Google LLC	USA (Mountain View)	EU for OCR and embeddings; global endpoint for Gemini AI	OCR, AI classification, email triage, post-processing, document matching, supplier verification, vision transcription, semantic search embeddings	Document contents (text and images), email metadata, supplier data	SCCs, UK Addendum to EU SCCs, DPA, EU-US DPF, TIA
4	Microsoft Corporation	USA (Redmond)	USA / EU (varies by service)	SSO authentication, email acquisition from Outlook mailboxes, Teams notification delivery	User identity, email contents and attachments, notification messages	SCCs, UK Addendum to EU SCCs, DPA, EU-US DPF, TIA
5	Slack Technologies, LLC (Salesforce)	USA (San Francisco)	USA	Notification delivery to customer-configured Slack channels	Notification messages (document status, supplier names)	SCCs, DPA, TIA
6	Maesn GmbH	Germany	EU	DATEV accounting system integration	Invoice structured data (names, addresses, IBANs, VAT IDs, amounts, line items)	No third country transfer

Notes on Data Processing Scope

Gmail and Outlook email acquisition: When a customer connects their Gmail or Outlook mailbox, Orcha accesses email data directly from Google/Microsoft servers using customer-granted OAuth tokens. Subscription mechanisms are maintained to receive push notifications of new emails.

Google Drive: When a customer connects Google Drive, Orcha reads files from a designated folder. Data flows from Google to Orcha; Orcha does not send personal data to Google in this context.

Notification channels: Slack and Microsoft Teams integrations are configured by the customer. Notification messages contain document processing status, which may include supplier names and document references.

3. Approval Procedure

The engagement of new sub-processors follows this standardized procedure:

Needs Assessment: Management reviews the business necessity for engaging a new sub-processor and documents the justification.
Data Protection Assessment: Comprehensive evaluation of the data protection level, including review of technical and organizational measures (TOMs), certifications and third country transfer safeguards.
§203 StGB Assessment: For sub-processors with access to customer data, an assessment of suitability with regard to professional secrecy requirements is conducted.
Transfer Impact Assessment (TIA): For third country transfers, a detailed TIA in accordance with EDPB recommendations is conducted and documented.
Contractual Safeguards: A data processing agreement (DPA) containing all required data protection guarantees is concluded before engagement.
Notification of Controllers: The controller is notified in writing pursuant to Section 4.

4. Notification Procedure

Orcha notifies the controller of all changes regarding the engagement or discontinuation of sub-processors.

Channel: Written notification by email to the contact person named in the DPA.

Notice Period: At least 45 calendar days before the planned engagement of a new or changed sub-processor.

Content of Notification:

Name and registered office of the new or changed sub-processor
Purpose and type of processing
Categories of affected data
Location of processing and data centers
Third country transfer safeguards (if applicable)
Summary of data protection assessment and equivalence evaluation
Relevant certifications of the sub-processor (e.g. ISO 27001, SOC 2, BSI C5)
For controllers with §203 StGB obligations: separate assessment of compatibility with confidentiality requirements

Additionally: update of this document (Section 2).

5. Right of Objection and Procedure

The controller has the right to object in writing to the engagement of a new sub-processor.

Objection Period: 45 calendar days after receipt of the notification.

Requirements for Objection: The objection must be in writing and substantiated. Substantive grounds exist in particular where the data protection level of the sub-processor is insufficient, relevant certifications are missing, concerns regarding compatibility with §203 StGB obligations exist, or third country transfer risks have not been adequately resolved.

Procedure upon Objection: Orcha endeavors to reach an amicable solution through additional protective measures, choice of an alternative provider, or other suitable remedial measures. While a substantiated objection remains unresolved, the new sub-processor will NOT be engaged. If no agreement can be reached, the affected controller has the right to terminate the DPA extraordinarily without penalty.

Deemed Consent: If no objection is raised within the objection period, the notification is deemed accepted.

6. Contractual Safeguards

Every data processing agreement (DPA) with a sub-processor must contain the following provisions:

Processing only on documented instructions
Appropriate TOMs (minimum protection level per O1)
Support for data subject rights and notification obligations
Deletion or return upon termination
Audit and inspection rights
Written confidentiality agreement with §203 StGB reference
Prohibition of use for own purposes (in particular AI model training)
Obligation for immediate notification of security incidents
Prohibition of further sub-processing without approval

7. Monitoring and Audit

Orcha conducts continuous monitoring of all sub-processors:

Regular review: at least annual review of compliance with data protection requirements
Certification review: verification of SOC 2, ISO 27001 and BSI C5
Ad-hoc audits: right to conduct audits at any time upon suspicion of violations
Deletion verification: confirmation of complete and contractually compliant data deletion
Data flow review: actual data transfers must match agreements
AI sub-processor review: verification that no customer data is used for model training
Renewed data protection assessment upon material changes

8. Data Minimization in AI Processing

Principle: Only the data fields necessary for the respective processing purpose are transmitted to AI sub-processors. This is essential for maintaining the protection level of §203 StGB.

Document Extraction (Anthropic): Document text is sent for structured data extraction, limited to the fields required for invoice processing.

Email Triage (Google): Email sender, subject, body text (truncated), attachment metadata, and low-resolution thumbnail images of document first pages.

Vision Transcription (Google): Document page images for text extraction from scanned or image-based documents.

OCR (Google Document AI): Raw document files for optical character recognition. Processing configured in the EU region.

Post-Processing (Google): Extracted structured data for cost center assignment, account mapping, validation, and tax compliance review.

Supplier Verification (Google): Supplier name, country, VAT ID, and address for verification via web search.

Document Matching (Google): Document summaries (numbers, dates, supplier details, totals, references) for cross-document matching.

Semantic Search Embeddings (Google Vertex AI): Derived text fields (supplier names, document numbers, line items -- explicitly excluding IBANs) for vector embedding generation. Processing configured in EU region.

DATEV Integration (Maesn): Full invoice structured data for booking proposal creation in DATEV.

No Storage by AI Sub-Processors: Anthropic and Google are contracted to not store input data beyond the processing duration and to not use data for model training.

Automated Processing: All AI processing is fully automated with no human review of document contents by sub-processor employees.

9. Transfer Impact Assessment (TIA)

A detailed TIA is conducted for each sub-processor processing data outside the EEA.

Assessment Criteria:

Legal framework of the third country
Government access rights
Contractual safeguards (SCCs)
Technical measures (encryption)
Practical experience with government access

Documentation: TIAs for Anthropic and Google are available as separate documents.

Review intervals: At least annually or upon relevant legal changes.

Supplementary Measures:

TLS encryption for all data in transit
Data minimization for AI processing (see Section 8)
Contractual challenge of government requests
Obligation for immediate notification of government access attempts

10. Pre-Approved AI Model Providers

The following AI/LLM providers are pre-approved for use as sub-processors, subject to the safeguards documented in this list and the Transfer Impact Assessments: Anthropic and Google (Cloud AI). The Provider may switch between these pre-approved AI providers, or activate a previously inactive provider, by giving written notice (email is sufficient) to the Controller at least 14 calendar days in advance. The full 45-day notification and objection procedure under Section 4 applies only to the engagement of AI providers not listed in this section.

If the Provider wishes to engage an AI provider not listed above, the standard procedure under Sections 3 through 5 applies in full, including a Transfer Impact Assessment and 45-day notification period. Upon completion of this process and the absence of an objection, the new provider shall be added to this pre-approved list automatically.

Change History

Version	Date	Description	Author
1.0	25.03.2026	Initial version	[Name]
2.0	09.04.2026	Extension: §203 StGB standards, data minimization, TIA procedures, audit rights, objection procedure	[Name]
3.0	09.04.2026	Entity correction: BMX Holdings Ltd ("Orcha") instead of Orcha GmbH. Terminology: Customer instead of Mandant.	[Name]
4.0	12.04.2026	Aligned sub-processor table with current integrations: removed OpenAI, added Microsoft, Slack, and Maesn; updated data processing descriptions	[Name]

This document was last reviewed and approved by the management of BMX Holdings Ltd ("Orcha").