In plain English. To run EasyMark, SZTek Inc. relies on a small number of third-party service providers (called "sub-processors"). This page lists every sub-processor we use today, what each one does, what data it handles, and where that data lives. We keep this list short on purpose: fewer vendors means a smaller surface area for your personal information. Most of our processing stays inside Canada. Two flows leave Canada by design: (1) a quick anti-bot check at sign-up sends your IP address to Cloudflare (a global provider) for a few seconds; and (2) if you choose Managed AI (where EasyMark runs your marketing content through our own AI provider keys instead of you supplying your own), the text we generate for you is sent to the AI provider that handles that request. Both flows are described in full below, so the Canada-residency picture is accurate rather than oversold. If you stay on bring-your-own AI (your own API key), the AI flow stays under your own agreement with that provider and the providers below are not our sub-processors for your account. If we add, remove, or substitute a sub-processor, we update this page and publish a new version row in our legal-document register; you can always check the current list here.
1. Why this page exists
Quebec Law 25 (Article 7) and PIPEDA both require SZTek to be transparent about the third parties that handle personal information on our behalf. Our Privacy Policy (Clause 7) cross-references this page as the canonical, current list. This page is a versioned legal document in its own right — it is stored, versioned, and published through the same legal_documents register that holds the Terms of Service, Privacy Policy, and Cookie Policy. Each material change to the list triggers republication and a new version row.
2. Current sub-processors
As of the effective date above, SZTek uses the following sub-processors to deliver EasyMark. The first four are always engaged. The last three (Anthropic, OpenAI, Fal.ai) are engaged only when you choose Managed AI; under bring-your-own AI they are not SZTek sub-processors (see section 4).
| Sub-processor | Purpose | Data categories | Trans-border posture | Legal basis |
|---|---|---|---|---|
| Oracle Cloud Infrastructure (OCI), Canada Region (Toronto) | Compute (Container Instances), Database (PostgreSQL), Object Storage, Email Delivery SMTP, Vault (secrets management) | All Customer data plus the categories of personal information listed in Privacy Policy Clause 5 | Canada-region OCI; the bulk of the Service's personal-information processing stays within Canada in the ordinary course (the deliberate exceptions are the Cloudflare Turnstile sign-up check and the Managed-AI flow described below) | Data Processing Addendum between SZTek and Oracle Corporation |
| Stripe Payments Canada, Ltd. | Payment processing, billing, metered AI-usage tracking | Billing and tax data (Privacy Policy Clause 5(c)); cardholder data is Stripe-tokenized — SZTek never receives or stores full card numbers, CVV, or bank-account credentials | Canada-based entity; limited cross-border to the United States for fraud monitoring at Stripe's discretion | Stripe Data Processing Addendum; PCI-DSS Level 1 |
| Cloudflare, Inc. | Bot and abuse protection at sign-up via Cloudflare Turnstile; edge routing and DDoS protection for the public website | Your IP address and the Turnstile challenge token, transmitted to Cloudflare at the moment the sign-up anti-bot check runs. No account content, documents, or marketing data is sent to Cloudflare. | Deliberate, narrow cross-border flow. Cloudflare is a US-headquartered global-edge provider. The Turnstile verification call sends your IP to Cloudflare's global siteverify endpoint for the duration of the check. |
Cloudflare Data Processing Addendum, incorporating the EU Standard Contractual Clauses; legitimate interest in preventing automated abuse and trial fraud |
Plausible Analytics (self-hosted on SZTek-controlled OCI A1 Flex instance at analytics.easymark.ca) |
Privacy-first pageview analytics (cookie-less by design) | Aggregated pageview counts only — no IP retention, no cookies, no user-level identifiers | Self-hosted in Canada-region OCI; no cross-border transfer; Plausible Analytics is a software-only vendor in this configuration, not a data processor receiving personal information about Service users | Software-only license; no DPA required because no personal information is shared with the vendor (the software runs entirely on SZTek infrastructure) |
| Anthropic, PBC (Managed AI only) | Generates marketing text (strategy, captions, copy) when a workspace uses Managed AI for text/reasoning | The prompt content EasyMark sends to generate your content — your brand profile excerpts, business documents excerpts, and the instructions for the piece. No billing data, no passwords, no full document store. | Cross-border (Managed AI only). Anthropic is US-headquartered; prompt content is transmitted to Anthropic's API for the duration of the generation request. Engaged only if you opt into Managed AI; never engaged under bring-your-own AI. | Anthropic Commercial Terms / Data Processing Addendum; Anthropic does not train on commercial API data by default |
| OpenAI, L.L.C. (Managed AI only) | Generates marketing text and/or images when a workspace uses Managed AI and the request routes to an OpenAI model | The prompt content EasyMark sends to generate your content, as above | Cross-border (Managed AI only). OpenAI is US-headquartered; prompt content is transmitted to OpenAI's API for the duration of the request. Engaged only under Managed AI. | OpenAI Business Terms / Data Processing Addendum; OpenAI does not train on API business data by default |
| Fal.ai (Features & Labels, Inc.) (Managed AI only) | Generates images and video (e.g. FLUX, Kling routed via Fal) when a workspace uses Managed AI for the image/video modality | The image/video generation prompt EasyMark sends — text instructions and any reference asset you provide for the piece | Cross-border (Managed AI only). Fal.ai is US-headquartered; the generation prompt is transmitted to Fal.ai's API for the duration of the request. Engaged only under Managed AI. | Fal.ai Terms of Service / Data Processing Addendum |
3. What each sub-processor does, in detail
(a) Oracle Cloud Infrastructure (OCI) — Toronto region. OCI hosts the bulk of the EasyMark service infrastructure inside SZTek's Canadian tenancy: compute (Container Instances), database (PostgreSQL with the pgvector extension), object storage (uploaded documents, generated media), transactional and (where consented) marketing email via OCI Email Delivery SMTP, and secrets management via OCI Vault. OCI processes personal information at SZTek's direction for the sole purpose of providing the underlying compute, storage, networking, transactional e-mail, and secrets management. OCI is a Canada-region sub-processor; the bulk of the Service's personal-information processing remains within Canada in the ordinary course, subject only to the narrow Cloudflare Turnstile flow described in paragraph (d) and the Managed-AI flow described in paragraph (e).
(b) Stripe Payments Canada, Ltd. Stripe handles all payment processing for EasyMark subscriptions, 5-Year Access deals, AI Credit packages, and pay-as-you-go billing. Stripe receives billing and tax data (your billing name, address, tax-registration number, and payment-method metadata) and processes payments under its own terms and PCI-DSS Level 1 compliance posture. Full payment-card numbers, security codes (CVV), and bank-account credentials are collected directly by Stripe and are never received or stored by SZTek. Stripe Payments Canada is a Canada-based entity; limited cross-border data flow to the United States may occur at Stripe's discretion for fraud-monitoring purposes under Stripe's Data Processing Addendum.
(c) Plausible Analytics — self-hosted on OCI A1 Flex. EasyMark uses Plausible Analytics, a privacy-first pageview-analytics software, deployed by SZTek on its own OCI A1 Flex instance at analytics.easymark.ca. In this self-hosted configuration, Plausible Analytics receives no IP addresses, no cookies, and no user-level identifiers; aggregated pageview counts are stored entirely within SZTek's OCI Canada-region tenancy. Plausible Analytics (the company) is a software vendor in this configuration, not a data processor with respect to Service users' personal information. No Plausible cloud endpoint receives EasyMark traffic; the script and analytics endpoints both resolve to SZTek-controlled OCI infrastructure.
(d) Cloudflare, Inc. EasyMark uses Cloudflare Turnstile, a privacy-respecting "are you human?" check, on the sign-up and account-creation flow to prevent automated abuse and trial-credit fraud. When you complete the check, EasyMark sends your IP address and the one-time challenge token to Cloudflare's verification endpoint (https://challenges.cloudflare.com/turnstile/v0/siteverify) so Cloudflare can confirm the token is genuine. This transmits your IP address to Cloudflare, a US-headquartered global-edge provider, for the few seconds the check takes. A server-side bot check needs the requester's IP to do its job. Cloudflare acts as SZTek's sub-processor for this purpose under the Cloudflare Data Processing Addendum, which incorporates the EU Standard Contractual Clauses as its cross-border transfer mechanism. SZTek does not send Cloudflare any account content, uploaded documents, brand data, or marketing data — only the IP and token needed for the verification. Internally, SZTek hashes the IP before writing it to its own logs (so the raw IP is not retained in SZTek's records), but the verification call to Cloudflare itself necessarily uses the real IP. Cloudflare also provides edge routing and DDoS protection for the public easymark.ca website; in that capacity it processes the standard connection metadata (including IP) that any reverse proxy sees in order to route and protect web traffic.
(e) Managed-AI providers — Anthropic, OpenAI, Fal.ai. EasyMark offers two ways to power the AI that writes your marketing: bring-your-own AI (you supply your own API key — see section 4(a)) and Managed AI (EasyMark runs the request through SZTek's own provider keys and bills you for the usage). When, and only when, you choose Managed AI for a given task, EasyMark transmits the prompt for that task — the brand-profile and business-document excerpts plus the generation instructions that the task needs — to the AI provider that handles it: Anthropic (text and reasoning), OpenAI (text and some images), and/or Fal.ai (images and video). These providers are US-headquartered, so the Managed-AI flow sends prompt content outside Canada for the duration of each generation request. SZTek engages each provider under its own commercial terms and Data Processing Addendum; Anthropic and OpenAI do not train on commercial/business API data by default. SZTek sends only the content needed to generate the requested piece — never your billing data, your password, your full document store, or another workspace's data. If you never enable Managed AI, none of these three providers is engaged on your behalf and none is a SZTek sub-processor for your account.
4. What is NOT a sub-processor of SZTek
Several third parties commonly assumed to be sub-processors are not, because EasyMark either (i) does not share personal information with them, (ii) treats you as the data controller for that integration, or (iii) does not use them in the configurations described below:
(a) AI providers you configure under bring-your-own AI (OpenAI, Anthropic, Fal.ai, Kling AI, ElevenLabs, Stability AI, and any other AI provider for which you supply your own API credentials). When you use bring-your-own AI, prompts and outputs are transmitted to the AI provider whose credentials you configured, under your own agreement with that provider. SZTek is not the data controller for that processing and is not responsible for that provider's handling of personal information. This carve-out applies to the bring-your-own-AI path only. Where you instead choose Managed AI, the same providers act as SZTek's sub-processors and are listed in section 2 and described in section 3(e).
(b) Publishing channels you connect (Meta / Facebook / Instagram, Google, LinkedIn, X / Twitter, TikTok, Pinterest, YouTube, and any e-mail-delivery providers you connect under bring-your-own email). When you connect a channel, you authorize the channel platform under its own terms; SZTek transmits channel-OAuth tokens and the content you instruct EasyMark to publish, but the channel platform is not SZTek's sub-processor for the personal information of your audience.
(c) Google Analytics 4, Google Tag Manager, Meta Pixel, and similar third-party analytics or advertising trackers. EasyMark deliberately does not use these on its marketing or in-product pages. Our Cookie Policy confirms zero advertising or marketing trackers.
5. How this list changes
The current sub-processor list is the version identified at the top of this page. SZTek may, in its sole discretion subject to applicable law, add, remove, or substitute sub-processors as the Service evolves. Each change triggers republication of this page and a new version row in SZTek's legal_documents register. Material additions or substitutions are communicated alongside the next Privacy Policy update or, where the change is operationally significant before then, by an in-product notice. Continued use of the Service after the update constitutes acceptance of the substitution to the extent permitted by applicable law.
How to be notified. If you operate in a regulated industry and require advance notice of sub-processor changes, write to privacy@easymark.ca and SZTek will, on request and subject to confidentiality, add you to a notification list maintained by the Privacy Officer.
6. Trans-border posture, in plain terms
SZTek's deliberate sub-processor design aims to keep your personal information inside Canada in the ordinary course of operating EasyMark. Hosting (OCI), database, object storage, transactional e-mail, secrets management, and pageview analytics are all Canada-region. Billing (Stripe Payments Canada) is a Canada-based entity, with limited fraud-monitoring cross-border flow under Stripe's own DPA. Two routine flows leave Canada: (1) the Cloudflare Turnstile anti-bot check at sign-up, which transmits your IP address to Cloudflare (a US-headquartered global provider) for a few seconds; and (2) the Managed-AI flow, which — only if you opt into Managed AI — transmits the generation prompt to a US-headquartered AI provider (Anthropic, OpenAI, or Fal.ai) for the duration of each request. The Cloudflare flow is governed by the Cloudflare Data Processing Addendum and its EU Standard Contractual Clauses and is limited to the IP and token. The Managed-AI flow is governed by each provider's commercial terms and DPA and is limited to the prompt content needed to generate your piece. If you stay on bring-your-own AI, the AI flow is under your own provider agreement and is not a SZTek sub-processor flow. The Privacy Policy Clause 8 sets out the full trans-border posture and the Article 17 privacy-impact-assessment framework applicable to these flows and to any further non-Canadian sub-processor SZTek may introduce in the future.
7. Contact
Questions about a sub-processor on this list, want advance notice before SZTek adds a new one, or believe a sub-processor relationship needs revisiting? Write to the Privacy Officer at privacy@easymark.ca. Postal address: SZTek Inc., Attention: Privacy Officer, Vaughan, Ontario, L6A 3A1, Canada.
Changes to this list. Each change to the sub-processor list triggers republication of this page and a new version row in SZTek's legal-document register. After Canadian counsel sign-off, the counsel-review status on this page is updated to a version-stamped "reviewed by Canadian legal counsel" state and a new document version is seeded.