Sanity as Cloud Service Provider vs Google Cloud in EU procurement?

For EU procurement processes, the classification depends on your contractual relationship and how you're using Sanity:

In most cases, Sanity is the Cloud Service Provider (CSP), not Google Cloud. Here's why:

• Sanity is the data controller/processor you contract with directly for content management services
• Google Cloud Platform is Sanity's subprocessor - they provide the underlying infrastructure where Sanity hosts your data
• From a procurement perspective, your contract is with Sanity, and Sanity is responsible for the service delivery

Key points for EU procurement:

1. Data Residency: Sanity offers EU data residency with Belgium as a primary location for the Content Lake. You can configure your project to store data in EU regions.

2. GDPR Compliance: Sanity is GDPR-compliant and provides:

   • A Data Processing Agreement (DPA)
   • Standard Contractual Clauses for data transfers
   • A list of subprocessors (which includes Google Cloud Platform)

3. Security & Compliance: Sanity maintains security certifications including ISO and SOC 2, which are often required for procurement.

4. Subprocessor Transparency: In your procurement documentation, you should note:

   • Primary CSP: Sanity AS (Norwegian entity) / Sanity US Inc.
   • Infrastructure subprocessor: Google Cloud Platform
   • Data location: EU (Belgium) when configured

For procurement documentation, classify it as:

• Main vendor/CSP: Sanity
• Infrastructure provider: Google Cloud (as subprocessor)
• Data processing location: EU/Belgium (when configured)

This is the standard model for SaaS platforms - similar to how you'd classify Salesforce as the CSP even though they use AWS/their own infrastructure underneath.