Companion to POL-CONTENT-001
Sub-Processor Register
The list of authorised sub-processors that participate in the processing of personal information under Project Content. Updated whenever the provider stack changes.
Plain summary
When you subscribe to Herbst Group content, your information is processed by Herbst Group and by a small set of carefully selected service providers (sub-processors) that help us deliver the emails, host the pages you read, and keep the data secure. The list below names each provider, what they do, where they operate, and the legal basis for any cross-border transfer.
We update this Register and the public privacy policy within ten business days of any change. If you object to a change, you can withdraw your consent at any time using the one-click unsubscribe in any email or through the preference centre.
Authorised sub-processors
| Sub-processor | Role | Jurisdiction | POPIA s.72 basis | Data Processing Agreement |
|---|---|---|---|---|
| Resend | Primary email delivery | United States | s.72(1)(b) - consent of the data subject | Yes |
| Microsoft (Graph API) | Fallback email delivery and statutory mailbox | United States / European Union | s.72(1)(b) - consent of the data subject | Yes (Microsoft 365 enterprise agreement) |
| Vercel | Hosting of the public pages and the API routes | United States | s.72(1)(b) - consent of the data subject | Yes |
| Cloudflare | Domain Name System, Web Application Firewall, and Content Delivery Network for the herbstgroup.io domain | United States (anycast network) | s.72(1)(b) - consent of the data subject | Yes |
| VPS sqld (Vultr, herbst-jhb-01) | Primary personal-information storage for the consent platform; full-disk encryption at rest (LUKS) | Republic of South Africa (Johannesburg data centre) | Not applicable (storage in the Republic) | Internal infrastructure |
| Replicate | Generation of the welcome-email artwork (no personal information processed) | United States | Not applicable (no personal information processed) | Yes |
| DocRaptor | Rendering of the Data Subject Access Request access-pack PDF on demand (personal information in transit during the render only) | Canada | s.72(1)(a) - adequate protection (PIPEDA, Canadian federal privacy law) | Yes |
| 1Password | Operator-internal custody of platform secrets (encryption keys, service-account credentials, webhook signing tokens). No subject personal information held | United States / Canada | Not applicable (no subject personal information processed) | Yes |
How this Register changes
- The Information Officer drafts the proposed change with rationale, jurisdiction, the POPIA s.72 basis, and the Data Processing Agreement reference.
- The Information Officer reviews the proposal against the current Register and against POL-CONTENT-001 to confirm whether the change is administrative or requires a substantive policy amendment.
- The Information Officer signs the new version. The new version supersedes the prior version. Both are retained for the standard retention period in our policy audit trail.
- The public privacy policy at herbstgroup.io/privacy-policy is updated to reflect the new version within ten business days.
- For Phase 2 pharma operator-mode tenants, each tenant Data Processing Agreement incorporates this Register by reference. A new entry triggers a 30-day notice-and-objection window to the tenant controller.
- Within five business days of issuance, the Information Officer notifies the Information Regulator of South Africa of any material change to the cross-border transfer position per POPIA s.72(2).
Phase 2 (operator-mode) note
For Phase 2 streams, the pharma controller is the responsible party under POPIA s.20-21 and Herbst Group is the operator. Each tenant Data Processing Agreement records the Herbst-side sub-processor inventory by reference to this Register. Where a pharma tenant contributes its own sub-processors, those are recorded in the tenant Data Processing Agreement and not in this Register; the tenant remains the responsible party for those sub-processors.
Change history
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0 | 3 May 2026 SAST | Information Officer | Initial issue. Companion to POL-CONTENT-001 v2.0. Eight authorised sub-processors for Phase 1 (Herbst controller). Registered jurisdictions: Republic of South Africa (primary storage), United States, European Union, Canada. Two cross-border bases used: POPIA s.72(1)(b) consent and POPIA s.72(1)(a) adequate-protection (PIPEDA, Canada). |