Sub-processors
Last updated: 14 May 2026
This page lists the third-party service providers ("Sub-processors") that Medq engages to process personal data on behalf of its customers, in accordance with Article 28 GDPR and the Data Processing Agreement entered into between Medq and each customer.
Customers are notified of intended changes to this list at least 30 days before they take effect.
For questions or to object to a Sub-processor on reasonable data protection grounds, contact contact@medq.be.
Current sub-processors
| Sub-processor | Role | Country of processing | Transfer mechanism (if outside EEA) | Personal data categories |
|---|---|---|---|---|
| Hetzner Online GmbH | Cloud hosting and infrastructure (production servers, storage, networking) | Germany — Nuremberg (EEA) | N/A — processing within the EEA | All Customer Data stored on Medq infrastructure |
| Hetzner Online GmbH | Off-server backup storage (separate from production server, same provider, same EEA region) | Germany — Nuremberg (EEA) | N/A — processing within the EEA | Encrypted backups of all Customer Data |
| Resend, Inc. | Transactional email delivery (appointment confirmations, reminders, system notifications) | Ireland (EEA) — Resend EU region | N/A — processing remains within the EEA. Resend's DPA is in force | Recipient email address, message subject and content, delivery metadata |
| BudgetSMS.net | SMS reminder delivery (where enabled by the controller) | Netherlands (EEA) | N/A — processing within the EEA | Recipient phone number, message content, delivery metadata |
| Functional Software, Inc. (Sentry) | Application error and performance monitoring | European Union — Sentry EU data region | N/A — processing within the EEA. Sentry's DPA is in force | Diagnostic data including request metadata, stack traces, limited user identifiers (no patient health data is intentionally included) |
| Mollie B.V. | Subscription billing and payment processing | Netherlands (EEA) | N/A — processing within the EEA | Billing contact details, payment metadata; full card numbers are not stored on Medq systems |
Hetzner Online GmbH
Hetzner Online GmbH
Resend, Inc.
BudgetSMS.net
Functional Software, Inc. (Sentry)
Mollie B.V.
Categories of data shared
Different Sub-processors receive different categories of data depending on their role. We apply the principle of data minimisation: each Sub-processor receives only the data necessary for its function. The payment processor does not receive patient data, the email provider does not receive billing data.
How transfers are protected
All Sub-processors listed above process data within the European Economic Area at the date of this page. If a future Sub-processor introduces a transfer outside the EEA, we will rely on Standard Contractual Clauses adopted by the European Commission, supplemented by additional technical and organisational measures where required following a Transfer Impact Assessment, or on EU Commission adequacy decisions where they apply. A summary of any Transfer Impact Assessment is available to controllers on request.
How to object
Customers (as controllers) may object to a Sub-processor on reasonable data protection grounds within 30 days of notification of an addition. If Medq cannot accommodate the objection, the customer may terminate the affected portion of the subscription without penalty, with pro-rata refund of pre-paid fees for the unused portion of the term.
Change log
| Date | Change | Affected Sub-processor |
|---|---|---|
| 2026-05-14 | Initial publication | (all) |