Why transparency matters
Our customers entrust us with their most valuable data – projects, tasks, teams, and ideas.
That’s why we believe you should always know who processes your data and where it happens.
All sub-processors are carefully vetted, contractually bound under Art. 28 GDPR, and regularly audited.
Our current sub-processors
Provider | Purpose | Location of processing | Safeguards |
Microsoft Azure (Germany) | Hosting & infrastructure for awork | Germany (Frankfurt & Berlin) | DPA with Microsoft, ISO 27001 / SOC 2 / BSI C5 certified, encryption at rest & in transit |
Microsoft Azure Front Door / CDN | Global content delivery for performance & protection | EU; technically short-term worldwide for non-EU access | Data residency guarantee, SCC/DPF safeguards, no content storage |
Microsoft Azure OpenAI (EU) | Optional AI features (e.g. text generation & automation) | EU (Sweden Central) | No data transfer outside EU, no AI training on customer data, DPA with Microsoft |
Twilio Segment | Event forwarding / technical analytics for support | EU / USA | DPA + SCC + DPF certification, data minimization, encrypted transfer |
Intercom Inc. | In-app support, help center & system notifications | USA | DPA + SCC + DPF certification, ISO 27001 / SOC 2, TLS encryption |
Birdie (Philo Labs, France) | Bug-reporting tool for issue tracking | France (EU) | DPA with EU-only processing, no third-country transfer, automatic deletion after 90 days |
How we conduct audits and reviews
The audit approach depends on each sub-processor’s size and structure:
For large global cloud providers (e.g. Microsoft, Twilio, Intercom), traditional on-site audits aren’t feasible.
We rely on:
regularly published third-party audit reports (e.g. SOC 2, ISO 27001, BSI C5)
contractual transparency and audit clauses in their DPAs
independent certifications renewed annually
For smaller or EU-based sub-processors (e.g. Birdie), we perform our own checks – including document reviews, questionnaires, and security attestations under Art. 28 (3) h GDPR.
This hybrid model provides realistic, risk-based assurance without compromising data protection or service reliability.
Vetting & approval process
Before engaging a new sub-processor, we perform a Privacy & Security Assessment covering:
review of technical and organizational measures,
verification of legal safeguards (DPA, SCC or DPF),
joint approval by COO and CTO,
annual review and re-assessment.
We update our list regularly and notify customers at least 6 weeks in advance of any changes, with a right to object under Art. 28 (2) GDPR.
Why customers can’t opt out of existing sub-processors
We understand this is a sensitive topic – that’s why we want to be transparent about it.
Some providers (e.g. Microsoft Azure or Intercom) are integral to our technical infrastructure.
Excluding individual sub-processors would affect core functionality or overall system security.
Under GDPR, customers are notified of new sub-processors and have the right to object within a defined timeframe.
This right does not apply to existing sub-processors, as they form part of the agreed service scope.
When we add new sub-processors, this is typically to enable or enhance a specific feature.
These providers process only strictly limited data necessary for that feature to function – such as technical metadata or communication-related information.
Instead of an individual opt-out, awork provides customers with a special termination right if they fundamentally disagree with the use of a new sub-processor.
This ensures full transparency and freedom of choice without compromising technical or security integrity.
All our sub-processors – whether new or long-standing – adhere to the same strict security and privacy standards, verified through our Information Security Management System (ISMS).
Data flow at a glance
All customer data is stored in Germany (Azure Germany).
Support and communication data may flow through Intercom (USA) when using chat or help features.
Event data may be relayed via Twilio Segment to Intercom for context.
Bug reports are sent voluntarily via Birdie (France).
The AI feature (Azure OpenAI) is optional, EU-only, and never uses customer data for training.
