Sub-Processor Register
All third-party processors that handle personal data on behalf of Standard Intelligence Limited. Customers are notified of changes to this list at least thirty days before a new sub-processor is engaged, unless the change is required by law or to address an active security incident.
The data controller (the customer) authorises the use of these sub-processors under the terms of our Data Processing Agreement.
Active sub-processors
| Processor | Role | Data categories processed | Legal basis | Hosting region | DPA / SCCs |
|---|---|---|---|---|---|
| Vercel Inc. | Application hosting + edge runtime + Web Analytics + Speed Insights | Application: request metadata, IP at edge, user-agent. Web Analytics: hash-based per-request visitor ID, page views (no cookies, no cross-request stitching). Speed Insights: Real User Monitoring Web Vitals + page load timings. | Legitimate interest (service delivery) | EU (Frankfurt fra1, London lhr1) for compute; Web Analytics + Speed Insights data plane EU-US Data Privacy Framework certified | Vercel DPA (executed) |
| Neon Inc. | Managed PostgreSQL | All application data including pseudonymised audit events | Legitimate interest (service delivery) | EU (London aws-eu-west-2) | Neon DPA (executed) |
| Zitadel (CAOS AG) | OIDC identity, hosted login | Email, name, session tokens, login events | Legitimate interest (authentication) | EU (Switzerland) | Zitadel DPA (executed); SCCs N/A (adequacy decision) |
| Sentry (Functional Software Inc.) | Error tracking | Stack traces, request IDs, no PII (Pino redaction in src/lib/logger) | Legitimate interest (service reliability) | EU | Sentry DPA (executed) |
| Stripe Inc. | Payment processing, billing portal | Email, name, billing address, payment method (held by Stripe, not SI) | Contract performance (Art 6(1)(b)) | EU (Dublin) | Stripe DPA (executed) |
| Sanity.io (Sanity AS) | Headless CMS (marketing content) | No customer data; SI staff editor accounts only | Legitimate interest (content management) | EU | Sanity DPA (executed) |
| Resend (Resend Inc.) | Transactional email | Recipient email, transactional message bodies | Contract performance (Art 6(1)(b)) | EU | Resend DPA (executed) |
| Anthropic PBC | LLM classification (Claude) | User-authored free-text AI-system descriptions; may contain personal data as free-text under customer control. No SI account identifiers (user / email / tenant) are sent to the provider. | Legitimate interest (core service) | EU-hosted: inference is served either by Mistral AI (EU, France) or by Anthropic Claude from an EU cloud region (AWS Bedrock or Google Vertex); no customer personal data leaves the EU on the inference path (see the data residency invariant below) | Anthropic DPA + SCCs (executed); zero-retention enabled on every call. Where inference is served from an EU cloud region (AWS Bedrock or Google Vertex) or via Mistral, the corresponding processor DPA applies. Provider selection finalised in #930. |
| Mistral AI | Text embeddings (vector search) | User-authored free-text AI-system descriptions (embedded for retrieval); may contain personal data as free-text under customer control. No SI account identifiers (user / email / tenant) are sent to the provider. | Legitimate interest (core service) | EU (France, La Plaine-Saint-Denis) | Mistral DPA (executed) |
| Neo4j Aura (Neo4j Inc.) | Regulatory corpus graph database | No customer data; SI-owned regulatory text and embeddings | Legitimate interest (core service) | EU (Frankfurt eu-central-1) | Neo4j DPA (executed) |
| Inngest Inc. | Background-job orchestration | Job metadata only; no customer payload bodies | Legitimate interest (service delivery) | EU | Inngest DPA (executed) |
| HubSpot Inc. | Marketing CRM, contact forms | Contact name, email, company, consent records, message bodies | Legitimate interest / Consent (marketing) | EU (Frankfurt) | HubSpot DPA (executed) |
| Plausible Analytics OÜ | Cookieless web analytics | Page URL, country (from IP), referrer, custom event props (no PII) | Legitimate interest (service analytics) | EU (Estonia / Frankfurt) | Plausible DPA (executed) |
| LinkedIn Marketing Solutions Ireland UC | LinkedIn Ads CAPI conversion attribution (server-side only) | SHA-256 hashed email + conversion type + timestamp; no UTMs, no cookies, no Insight Tag on the site | Consent (extends form-submit consent for marketing) | EU (Ireland) — see controller-to-controller note below | LinkedIn Ads MSA + DPA (executed via account terms) |
LinkedIn controller-to-controller note. LinkedIn Marketing Solutions Ireland UC is the data controller for the LinkedIn Ads platform; SI's use of LinkedIn Conversions API is a controller-to-controller transfer of hashed conversion data for ad attribution rather than a strict Art 28 processor relationship. We include it in this register for full transparency about every external recipient of personal data, even where the recipient is itself a controller of the receiving system.
Data residency invariant. Every sub-processor in the production data path is EU/UK hosted. One position to call out:
AI inference (LLM classification) — EU-hosted. All customer-data AI inference is processed within the EU; no customer personal data is transferred outside the EU on the inference path. Inputs are user-authored free-text AI-system descriptions — not intended to contain personal data, but as free-text under customer control they may include it; any personal data present is covered by SI's DPA + SCCs and processed under zero-retention. The inference sub-processor is one of: Mistral AI (EU, France — already engaged for embeddings) or Anthropic Claude served from an EU region via a cloud provider (AWS Bedrock or Google Vertex). The inference payload contains only the AI-system profile fields; SI account identifiers (user, email, tenant) are not sent to the inference provider. Customers can elect to disable LLM features at the tenant level.
Internal tools (not sub-processors)
These services hold Standard Intelligence's own data only (staff accounts, source code, CI artefacts, or SI-authored content) and do not act on customer personal data. They are listed for transparency.
| Service | Use | Hosting region |
|---|---|---|
| 1Password (AgileBits Inc.) | Credential vault for SI staff | EU |
| Google Workspace | Email, calendar, drive for SI staff | EU / global |
| GitHub | Source-code repository | US (no production data) |
| Slack | Internal communication | US |
| Depot (Depot Inc.) | CI build runners (GitHub Actions-compatible) | EU runners; build logs only — no customer production data |
| Checkly GmbH | Scheduled synthetic monitoring (uptime, Playwright specs, alerts) — synthetic traffic to SI's own URLs; no customer personal data | EU (Berlin HQ; Dublin AWS eu-west-1 storage); EU-only check locations (eu-west-1 / eu-central-1 / eu-west-2) |
DSAR cascade (GDPR Article 17)
Erasure requests cascade to every sub-processor holding identifiable personal data. The handler for each:
Neon — soft-delete the users row and pseudonymise audit_events via erasure_salt (docs/system/database.md §GDPR erasure pattern).
Zitadel — user deletion via Zitadel Admin API; ID-token claims invalidated on next request.
Stripe — customer object deletion via API; payment-method tokens revoked.
HubSpot — contact deletion via DELETE /crm/v3/objects/contacts/{contactId}.
Resend — no contact store; transactional logs auto-expire per Resend retention.
Sentry — events keyed by request ID (no PII); user-scoped events purged via Sentry API where applicable.
LinkedIn Marketing Solutions Ireland UC — LinkedIn Conversions API events sent via POST /rest/conversionEvents are stored by LinkedIn for attribution and reporting; LinkedIn does not currently expose a public per-event delete API on the conversion data. The hashed email used as the conversion key ages out per LinkedIn Marketing Solutions retention. When SI receives an erasure request we (a) stop sending further LinkedIn CAPI events keyed to that email (so no new attribution rows are written), and (b) record the erasure in our DSAR audit trail. Visitors may exercise their LinkedIn-side rights directly via LinkedIn Privacy Center; we surface that route in our DSAR response when the requester also has a LinkedIn account.
Mistral, Anthropic, Neo4j Aura, Sanity, Vercel (analytics is a per-request hash with no persistent identifier — nothing to purge), Plausible (cookieless analytics with no PII), and Inngest do not store identifiable personal data in the production data path and therefore are not in the cascade chain. The DSAR runbook covering these handlers is tracked separately (see docs/system/observability.md and the open follow-up issue on the customer-trust workstream).
Review cadence
This register is reviewed at each release-planning gate and whenever a new sub-processor is added or a region change is announced by an existing one. The next scheduled review aligns with the R3 gate.
Change log
| Date | Change |
|---|---|
| 2026-04-02 | Initial register (#506). |
| 2026-05-11 | #25: corrected Neon region (London, not Frankfurt); added Sanity, Resend, Mistral, Neo4j Aura, Inngest; split internal-tools list; documented Anthropic SCC + zero-retention posture; expanded DSAR cascade with negative entries for processors that hold no personal data. |
| 2026-06-18 | #1880 + #1881: added LinkedIn Marketing Solutions Ireland UC (LinkedIn Ads CAPI, server-side only, EU controller) with DSAR cascade entry; expanded Vercel row to call out Web Analytics + Speed Insights distinctly with their EU-US DPF certification. |
| 2026-06-19 | agent-cms future-state audit (per coord 2026-06-19T02:25Z): Anthropic row updated to EU-direct endpoint with explicit Bedrock + Vertex exclusion; added ElevenLabs (LMS V1.5 narration generation); added Depot to internal tools (EU CI runners); revised data residency invariant to reflect Anthropic EU-direct + ElevenLabs voice-data US transfer with SCCs. |
| 2026-07-03 | #2849: **removed ElevenLabs entirely — it was a fictional entry.** The LMS narration pathway is not built and ElevenLabs has never been engaged or contracted (no executed DPA; the register's "ElevenLabs Enterprise DPA + SCCs (executed)" claim was false). Unwired code scaffolding exists (src/lib/lms/elevenlabs.ts, the lms-tts-module Inngest function, the ELEVENLABS_API_KEY optional env with graceful-degrade), but nothing runs in production and no customer or SI data reaches ElevenLabs. A sub-processor register must describe reality, not intent: ElevenLabs will be added only when the narration pathway is actually built and the vendor contracted, with the 30-day customer notice this register promises. Same root cause as the phantom Anthropic EU endpoint — the 2026-06-19 "future-state audit" recorded intended future state as present fact. |
| 2026-07-03 | #2849: corrected the AI-inference entry to the launch position — the customer-data inference path is EU-hosted at launch (target 2026-07-31), either Mistral AI (EU, France) or Anthropic Claude served from an EU cloud region; provider being finalised in #930. Interim (pre-launch) US position via api.anthropic.com under DPA + SCCs + zero-retention stated honestly. **Removed the erroneous "migration to Anthropic's EU endpoint is on the V1 roadmap" claim** — the eu.anthropic.com endpoint does not exist (it was added in error on 2026-06-19 and identified as a hallucination on 2026-06-25). Ties to ADR-065 (EU-inference residency ship constraint). |