Sub-processors

Auto-generated from deploy/config/sub-processors.yaml. Required under GDPR Art. 28 and POPIA. Customers receive 30 days' notice of any addition.

Currently engaged sub-processors

Name: Amazon Web Services EMEA SARL
Purpose: Cloud infrastructure (EKS, RDS, S3, KMS, Route53, ECR) hosting the tenant plane and model plane.
Region: af-south-1 (tenant plane); eu-central-1 (model plane)
Data categories:
  • Tenant data at rest (encrypted via AWS KMS)
  • Encrypted backups
  • Operational metrics
DPA: View
Tier: Critical
Added: 2026-06-01

Name: Together AI, Inc.
Purpose: Engaged ONLY when a customer explicitly enables BYO-Together on a specific collection. The customer's own Together API key is used. Disabled by default; never engaged on a customer's behalf without per-collection opt-in. The console surfaces a warning at opt-in time that the prompt leaves the feder8d boundary.
Region: United States
Data categories:
  • Inference prompts (only for collections where customer opted in)
  • Inference completions (only for collections where customer opted in)
DPA: View
Tier: Optional
Added: 2026-06-01

Name: Dodo Payments Pvt. Ltd.
Purpose: Merchant of record for SaaS billing (Starter, Pro, Business plans). Handles card processing, invoicing, and tax remittance. PCI scope is theirs, not ours.
Region: United States, India, EU
Data categories:
  • Customer name, billing email, billing address
  • Payment card information (never touches feder8d systems)
  • Invoice line items (plan name, overage usage totals)
DPA: View
Tier: Critical
Added: 2026-06-01

Name: SMTP2Go Ltd
Purpose: Transactional email delivery (account verification, password reset, billing notifications, DSAR confirmations, breach notices). Delivered via standard SMTP — the platform's email provider is pluggable, so this entry may be substituted with AWS SES, Mailgun, Postmark or any equivalent SMTP-capable provider without code changes.
Region: United States (or European Union if EU SMTP host is used)
Data categories:
  • Recipient email address
  • Email body (transactional, system-generated)
DPA: View
Tier: Standard
Added: 2026-06-08

Name: Cloudflare, Inc.
Purpose: Static CDN for the public marketing site feder8d.ai. Serves HTML/CSS/JS only. No tenant data crosses this sub-processor — application code is not on Cloudflare.
Region: Global (Cloudflare anycast edge)
Data categories:
  • Visitor IP address (transient logs, 24h retention)
  • Public marketing content (no PII)
DPA: View
Tier: Standard
Added: 2026-06-01

Name: Vanta, Inc.
Purpose: Compliance evidence collection for SOC 2 Type II observation. Read-only integrations into AWS, GitHub, and HR system. Collects metadata about controls — not tenant data.
Region: United States
Data categories:
  • Internal employee access metadata
  • Infrastructure control evidence (configuration snapshots, no payload data)
DPA: View
Tier: Optional
Added: 2026-06-01

Explicitly not sub-processors

Common assumptions worth heading off:

How to subscribe to changes

Email legal@feder8d.ai with the subject line "Sub-processor notifications" to receive 30 days' advance notice of additions or removals. Enterprise customers receive notice automatically per their MSA.