Sub-Processor Register
Pursuant to GDPR Art. 28(2) | Version 1 | April 2026
This register lists all third-party sub-processors engaged by PeerDesk (Lennart Sieden & Stefan Bechtel GbR) to process personal data on behalf of PeerDesk and the journals using the platform. Sub-processors are engaged only via written contracts that bind them to the same data protection obligations as PeerDesk.
| Name | Location | Purpose | Data Categories Processed | Transfer Mechanism (non-EEA) |
|---|---|---|---|---|
| Stripe, Inc. | San Francisco, CA, USA (EU operations: Dublin, Ireland) | Payment processing, reviewer compensation, KYC/AML compliance | Reviewer name and email; banking details (account number, sort code, IBAN) for payout KYC; transaction amounts; invoice references | EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses (SCCs, Commission Decision 2021/914) |
| ORCID, Inc. | Bethesda, Maryland, USA | Researcher identity verification and publication record import (optional, user-initiated) | ORCID iD (persistent digital identifier); publicly shared profile data (employment, publication list) authorized by the researcher | Standard Contractual Clauses (SCCs) |
| Hetzner Online GmbH | Nuremberg, Germany (EU) | Infrastructure and data storage — all platform data is hosted on Hetzner servers | All personal data processed by the platform (account profiles, manuscripts, reviews, payment records, audit logs, file storage) | N/A — Germany/EU-based, no transfer outside EEA |
| united-domains AG | Starnberg, Germany (EU) | Transactional email delivery (invitations, notifications, receipts, password resets) | Recipient email address; email subject and body content (which may include name, notification details) | N/A — Germany/EU-based, no transfer outside EEA |
| Google Ireland Limited | Dublin, Ireland (EU) — data processed in EU/EEA | Website analytics — Google Analytics (planned; will be activated in a future release with appropriate consent gate) | Page views, session data, anonymized IP addresses, device/browser information, user interactions. No cross-site tracking or advertising data. | N/A for EU processing. If any data is transferred to the USA: EU-US DPF + SCCs. Activation will be accompanied by an updated consent banner. |
Notes
- Elasticsearch (search index): PeerDesk currently operates Elasticsearch as a self-hosted service within its own Hetzner infrastructure. Self-hosted components are not sub-processors under GDPR Art. 28. If PeerDesk migrates to a managed Elasticsearch service in the future, this register will be updated accordingly.
- Google Analytics: Not yet active. The Google Analytics entry is listed in preparation for a planned future activation. Processing will only commence after a GDPR-compliant consent mechanism is in place and this register is updated with the effective date.
Sub-Processor Changes
If PeerDesk intends to add a new sub-processor or replace an existing one, registered journals (as Controllers) will be notified by email at least 30 days in advance. You may object to a new sub-processor within 30 days by contacting us at mail@peerdesk.org. If your objection cannot be resolved, you may terminate the agreement without penalty pursuant to the termination provisions in the Journal Terms of Service.
Version: 1 | Last updated: April 2026