Sub-processors
Last updated May 29, 2026
Cost+ Checkout is operated by Costplus OÜ ("Cost+"). To provide our services we engage the third-party sub-processors listed below to process personal data on behalf of our merchant customers, in accordance with our Data Processing Agreement and Privacy Policy.
This page is the authoritative, up-to-date list of our authorised sub-processors. In line with Section 7.2 of our DPA, we provide at least 30 days' notice of any intended addition or replacement, giving controllers the opportunity to object on reasonable grounds.
Authorised sub-processors
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| OVH SAS | Cloud infrastructure hosting (compute, storage, network) and encrypted off-site backups | France (EU) | Intra-EEA |
| SMTP2GO | Transactional and notification emails | EU | Intra-EEA |
| Cost+ payment infrastructure (Costplus OÜ) | Payment tokenisation, authorisation, capture, refund | EU | Intra-EEA |
| Ginger Payments | Payment gateway / transaction routing | Netherlands (EU) | Intra-EEA |
| FinteqHub | Payment gateway / orchestration | Cyprus and Lithuania (EU) | Intra-EEA |
| ComplyPay | Banking-as-a-Service (BaaS) provider | Denmark (EU) | Intra-EEA |
| Rapyd | Payment acquiring / processing | EU / United Kingdom | Intra-EEA; UK transfers under EU–UK adequacy decision |
| SHIFT4 | Payment acquiring / processing | EU / United Kingdom | Intra-EEA; UK transfers under EU–UK adequacy decision |
| Elavon | Payment acquiring / processing | EU / United Kingdom | Intra-EEA; UK transfers under EU–UK adequacy decision |
| Clearhaus | Payment acquiring / processing | Denmark (EU) | Intra-EEA |
| Paynetics | Payment acquiring / e-money issuance | Bulgaria (EU) | Intra-EEA |
| Didit | Identity verification, KYB / KYC / AML compliance | United States / Spain (EU) | Standard Contractual Clauses (Art. 46 GDPR) |
Where a sub-processor is located outside the European Economic Area (EEA), the transfer is protected by an adequacy decision under Article 45 GDPR or by the European Commission's Standard Contractual Clauses under Article 46 GDPR, together with any supplementary measures required.
A note on Shopify
Shopify acts as an independent controller in respect of the merchant store data it holds, not as a sub-processor of Cost+. Cost+ receives order data from, and returns Shopify-created order data to, Shopify under Shopify's own data-protection terms with the merchant. See Section 8.3 of our Data Processing Agreement.
Questions
Questions about our sub-processors can be sent to privacy@costplus.io, or by post to Costplus OÜ, Pärnu mnt. 139b, 11317 Tallinn, Estonia.
