Fiskl Subprocessors
This page lists the third parties Fiskl Limited engages to process Customer Data on its behalf in connection with the Fiskl Platforms (“Subprocessors”).
It applies to Customer Data processed by Fiskl as a Processor on behalf of the Customer (Controller). Defined terms used in this page have the meaning given in the Customer Terms of Service, the Privacy Policy, and the Data Processing Addendum (DPA).
1. How Fiskl manages Subprocessors
Before engaging any Subprocessor, Fiskl conducts due diligence on the Subprocessor’s privacy, security, and confidentiality practices. Fiskl enters into a written contract with each Subprocessor that:
- requires the Subprocessor to process Customer Data only on Fiskl’s documented instructions;
- imposes confidentiality, security, and data protection obligations no less protective than those Fiskl owes to the Customer;
- restricts onward transfers and engagement of further sub-processors;
- supports the lawful cross-border transfer mechanisms set out in the Privacy Policy and DPA;
- includes audit cooperation and incident notification obligations;
- where the Subprocessor is an AI infrastructure or model provider (“AI Provider”), explicitly prohibits the AI Provider from using Customer Data to train its own general-purpose AI models, prohibits unnecessary retention, and prohibits onward disclosure, in line with section 8.2 of the Customer Terms of Service.
Fiskl maintains an internal vendor risk register and reviews Subprocessors regularly.
2. Notification of changes
Fiskl will publish updates to this page when adding, removing, or replacing a Subprocessor.
Subscription notifications. Customers can subscribe to Subprocessor change notifications by emailing dpo@fiskl.com with the subject line “Subprocessor notifications.” Subscribed Customers receive notice of new Subprocessors at least 30 days before the new Subprocessor begins processing Customer Data, except where the addition is necessary to address a security or operational emergency, in which case notice will be provided as soon as reasonably practicable.
Customer right to object. A Customer may object to a new Subprocessor on reasonable data protection grounds by notifying Fiskl within the 30-day notice period. Fiskl will work in good faith to resolve the objection. If the objection cannot be resolved, the Customer may terminate the affected Subscription on the terms set out in the DPA and receive a pro-rata refund of unused fees.
3. Subprocessors
The current list of Subprocessors is set out below, grouped by category. Locations indicate the country of incorporation of the Subprocessor and, where different, the principal location at which Customer Data is processed.
3.1 Infrastructure and hosting
| Subprocessor | Processing activities | Location |
| Amazon Web Services, Inc. (AWS) | Cloud infrastructure, compute, storage, database hosting | United States; with regional deployments including EU, UK, UAE as applicable |
| Google LLC (Google Cloud) | Cloud infrastructure, compute, storage, supporting services | United States; with regional deployments including EU, UK as applicable |
3.2 Banking and financial data integrations
| Subprocessor | Processing activities | Location | Data residency |
| Yodlee, Inc. (Envestnet | Yodlee) | Bank account aggregation; transaction and balance data ingestion | United States | US, with regional infrastructure for non-US customers |
| Salt Edge Inc. | Open Banking aggregation; PSD2-compliant transaction and balance data ingestion across EEA, UK, Asia, and Middle East. Bank coverage list: https://www.saltedge.com/products/account_information/coverage | Canada (HQ); EU and other regional infrastructure | EU/UK regional residency for EEA/UK customers |
| Stripe, Inc. | Payment processing; banking feed for Stripe transaction data; payouts; reconciliation; Atlas firm billing under the Charge Us model | United States; with regional infrastructure | EU regional infrastructure available |
| WIO Bank PJSC | Direct UAE banking integration; transaction and balance data | United Arab Emirates | UAE residency for UAE customers |
3.3 Payment processing for invoice payments
| Subprocessor | Processing activities | Location |
| Stripe, Inc. | Customer-side payment acceptance for invoices issued to a Customer’s clients; card and digital wallet payments | United States; with regional infrastructure |
| GoCardless Ltd | Direct debit and bank-debit payment processing | United Kingdom; with regional infrastructure |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | PayPal payment processing | Luxembourg; with regional infrastructure |
3.4 AI infrastructure and model providers
Fiskl engages AI Providers to deliver Fi (Fiskl’s conversational AI and orchestration system) and other AI-driven features. Each AI Provider is contractually prohibited from using Customer Data to train its own general-purpose AI models, from retaining Customer Data beyond the period necessary to deliver the contracted service, and from disclosing Customer Data to any further third party except as required by law.
| Subprocessor | Processing activities | Location |
| Anthropic, PBC | Large language model inference (Claude models) for Fi and related AI-driven features | United States; with regional infrastructure |
| Google LLC (Gemini, Vertex AI) | Large language model inference (Gemini models) for Fi and related AI-driven features | United States; with regional infrastructure |
| Amazon Web Services, Inc. (AWS Bedrock) | Hosted model orchestration and inference infrastructure | United States; with regional deployments including EU, UK as applicable |
Fiskl-built models. In addition to third-party model providers, Fiskl operates proprietary, self-built AI models trained and operated by Fiskl using its own infrastructure (provided by the cloud infrastructure providers listed in section 3.1). Self-built models are not third-party Subprocessors of Customer Data — Fiskl is the sole party processing Customer Data for those models. The licence to train, fine-tune, evaluate, and improve Fiskl-built models is granted in section 8.3 of the Customer Terms of Service.
3.5 Communications
| Subprocessor | Processing activities | Location |
| Twilio Inc. (SendGrid) | Transactional and notification email delivery | United States; with regional infrastructure |
| Twilio Inc. | SMS and voice notifications where used | United States; with regional infrastructure |
3.6 Customer support and engagement
Fiskl operates its in-app chat, support ticketing, and customer engagement tooling on open-source software self-hosted by Fiskl on the cloud infrastructure providers listed in section 3.1. There is no third-party Subprocessor of Customer Data in this layer. Communications you send to Fiskl support are processed within Fiskl’s own infrastructure.
3.7 Analytics and product telemetry
| Subprocessor | Processing activities | Location |
| Google LLC (Google Analytics) | Website analytics on fiskl.com (subject to cookie consent) | United States |
In-product usage analytics and telemetry are processed using open-source software self-hosted by Fiskl on the cloud infrastructure providers listed in section 3.1. There is no third-party Subprocessor of in-product telemetry data.
3.8 Security, identity and authentication, fraud detection, and abuse prevention
| Subprocessor | Processing activities | Location |
| Cloudflare, Inc. | DDoS protection, web application firewall, CDN, bot protection | United States; global edge network |
| Amazon Web Services, Inc. (AWS Cognito) | Identity and authentication services for the Atlas accountant portal — user pool storage, sign-up and sign-in flows, password handling, multi-factor authentication, and session token management for Atlas firm users (Super Admin, Billing Admin, Viewer at organisation level; Owner, Admin, Member at branch level) | United States; with regional deployments aligned to the cloud infrastructure listed in section 3.1 |
Fraud and abuse detection. Fiskl does not engage a dedicated third-party identity verification or KYC provider. Fraud signals and abuse detection are derived from: – security and risk features provided by Amazon Web Services, Inc. as part of the cloud infrastructure listed in section 3.1; and – payment-side fraud signals provided by Stripe, Inc. in connection with the payment-processing services listed in sections 3.2 and 3.3.
No additional Subprocessor of Customer Data is engaged for KYC or sanctions screening at this time.
3.9 Practice and partner management
| Subprocessor | Processing activities | Location |
| Partnero, Inc. | Partner and Ambassador program tracking, referral attribution, and commission management for Fiskl’s Global Partner Program and Global Ambassador Program | United States (New York) |
3.10 Other
| Subprocessor | Processing activities | Location |
| Professional services firms (auditors, lawyers, accountants) under confidentiality | Legal, audit, compliance, and corporate matters | UK and other jurisdictions |
4. Fiskl Group affiliates
Members of the Fiskl Group (Fiskl Limited and its current and future Affiliates) may process Customer Data as Sub-processors of the Contracting Fiskl Entity, on the same contractual terms that apply to third-party Sub-processors.
Current members of the Fiskl Group:
| Entity | Jurisdiction | Role |
| Fiskl Limited | United Kingdom | Primary Contracting Fiskl Entity for all regions; Data Importer under cross-border transfer mechanisms |
| Fiskl, Inc. (target incorporation September 2026) | United States | Will be the Contracting Fiskl Entity for US-domiciled customers once incorporated; Sub-processor for other regions |
The current list is also published at https://fiskl.com/legal/fiskl-group/ once available. Customers will be notified of new Fiskl Group entities through the same notification mechanism described in section 2.
Fiskl Group entities are bound by intra-group data processing agreements and the security obligations set out in the Subprocessor terms of this DPA.
5. Cross-border transfers and residency
Subprocessors are located in multiple jurisdictions. Fiskl uses lawful cross-border transfer mechanisms appropriate to the source jurisdiction, as set out in section 7 of the Privacy Policy. Banking-source-of-record residency (such as UAE residency for WIO Bank-sourced data) is preserved where required.
6. Aggregated Data and Data Products
Aggregated Data — irreversibly de-identified, anonymised, or statistical data derived from Customer Data — is not Customer Data and is owned by Fiskl. Where Fiskl licenses or shares Aggregated Data with third parties as part of Data Products, those third parties are not Subprocessors of Customer Data because they do not receive Customer Data. The recipients of Aggregated Data are governed by separate contractual terms.
7. Change history
| Version | Date | Summary |
| 2022.1 | 4 March 2022 | Initial public version |
| 2026.1 | [Effective Date] | Full refresh: added Yodlee, WIO Bank, Stripe (banking and payments), AI Providers, GoCardless, PayPal, Twilio/SMS, Cloudflare, Partnero. Added AI training prohibition contractual term. Added change-notification mechanism. Added cross-border transfer language. |
8. Contact
| Topic | |
| Subscribe to Subprocessor change notifications | dpo@fiskl.com (subject: Subprocessor notifications) |
| Object to a Subprocessor | dpo@fiskl.com |
| Data protection and DPO matters | dpo@fiskl.com |
| Legal notices | legal@fiskl.com |
Fiskl Limited 6A Thirlmere Road London, N10 2DN United Kingdom Company number: 09330290
Effective: 15 March 2026