Sub-Processors
Last updated: 2026-06-10. This is the public Synsmarts sub-processor register. It is Annex 2 of our Data Processing Agreement and is incorporated by reference into the Terms of Service.
We engage two classes of third parties: tenant-data sub-processors (Section 1) that process Personal Data on your behalf as your processor's sub-processor under GDPR Article 28, and operations sub-processors (Section 2) that process only Synsmarts operational data (employee accounts, internal collaboration, on-call alerts) and not tenant end-customer Personal Data. Sub-processor changes in Section 1 trigger the 30-day notification and objection process described in DPA §6 and Section 3 below. Section 2 changes are not subject to the objection mechanism because they do not affect Personal Data we process on your behalf, but we will keep this register current as a transparency commitment.
1. Tenant-Data Sub-Processors
The following sub-processors are authorized to process Personal Data on behalf of Synsmarts tenant controllers, as part of the Synsmarts managed hosting platform.
| Entity | Services | Data categories | Location | Transfer mechanism | Status |
|---|---|---|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure, compute, storage, database, transactional email (SES), DNS (Route53), encryption key management (KMS), content delivery, backup | All tenant Personal Data (application databases, files, backups, logs); Synsmarts operational data | US (us-east-1 primary, us-west-2 DR) | AWS DPF + AWS DPA + SCCs | Operational |
| Anthropic PBC | AI diagnostic inference (Claude API). Zero post-inference retention. Zero training use. | Redacted telemetry and redacted source-code snippets (PII / PAN stripped before transmission by the Vector and code-redaction pipelines) | US | DPF + SCCs (Module 3: Processor to Processor) | Pending DPA execution |
| Cloudflare, Inc. | CDN, WAF, DDoS protection (sub-processor role). Independent-controller threat intelligence is outside this DPA's scope. | IP addresses, HTTP headers, request metadata, TLS session data | Global edge / US origin | Cloudflare DPF + Cloudflare DPA + SCCs | Pending DPA review |
| Authorize.net (a Visa Inc. service) | Payment gateway, tokenized payment profiles. We never store raw card numbers. | Payment tokens, transaction amounts, billing contact names | US | DPF + Visa/AN DPA + SCCs | Pending DPA review |
1.1 Retention and Security Baseline
| Entity | Retention | Security baseline |
|---|---|---|
| Amazon Web Services, Inc. | Duration of contract + backup retention per the Synsmarts retention schedule | SOC 2 Type II, ISO 27001, CSA STAR Level 2, per-tenant KMS encryption |
| Anthropic PBC | Zero post-inference retention (contractual, DPA §13). No training use. | SOC 2 Type II, TLS 1.2+ in transit |
| Cloudflare, Inc. | Edge cache and logs per Cloudflare's DPA; request logs typically < 72 hours | SOC 2 Type II, ISO 27001, PCI-DSS Level 1 |
| Authorize.net (Visa Inc.) | Per Visa/AN DPA and PCI-DSS | PCI-DSS Level 1 Service Provider |
1.2 Notes
- AWS is listed as a single sub-processor because all AWS services are covered under one AWS DPA. Adding a new AWS service triggers the 30-day notification process even though the entity is unchanged.
- Anthropic processes data only when a tenant enables AI diagnostics (
code_diagnosis_enabled). Data is deleted immediately after inference. Zero post-inference retention and zero training use are contractually binding. - Cloudflare also acts as an independent controller for its own threat intelligence (DDoS botnet threat feeds, Bot Management ML, Cloudforce One). This independent-controller processing is outside the scope of the Synsmarts DPA and governed by Cloudflare's own privacy policy. The processor boundary: CDN caching, WAF rule evaluation, and DDoS mitigation are sub-processor activities under our DPA; threat intelligence aggregation and bot ML model training on network-wide data are Cloudflare's independent controller activities.
- Authorize.net processes payment-profile tokens and transaction amounts. Synsmarts never stores raw card numbers.
1.3 Sub-Sub-Processors
Sub-processors are not authorized to engage further sub-processors for processing Synsmarts tenant data without prior written authorization. Each sub-processor's DPA includes flow-down obligations requiring downstream processors to be bound to equivalent data-protection terms. Tenants requiring details on specific sub-processor infrastructure providers (e.g., Anthropic's GPU cloud providers) may request this information from [email protected].
1.4 Conditions Precedent
Sub-processors marked "Pending DPA review" or "Pending DPA execution" are subject to the following:
- We will execute DPAs with all pending sub-processors within 90 days of our DPA's execution date and provide monthly progress updates on pending DPA negotiations.
- No sub-processor may process Personal Data on a controller's behalf until its DPA is executed AND the 30-day notification / objection period has elapsed.
- If a pending sub-processor DPA is not executed within 90 days, we will remove that sub-processor from the register and cease any plans to engage it. The controller may terminate the affected services without penalty if the failed sub-processor is essential to service delivery.
- AI diagnostics is unavailable until the Anthropic sub-processor DPA is fully executed; the zero-retention and zero-training guarantees are contractual commitments to be confirmed there.
2. Operations Sub-Processors (No Tenant Personal Data)
The following sub-processors process Synsmarts internal operational data (employee accounts, contact info, internal collaboration, on-call alerts). They do not process tenant end-customer Personal Data, so they are not subject to the DPA §6 notification / objection mechanism, but we list them here for transparency.
| Entity | Services | Data categories | Location | Transfer mechanism |
|---|---|---|---|---|
| Google LLC (Google Workspace) | Email, calendar, document storage for Synsmarts staff | Synsmarts employee email and documents; inbound customer correspondence (e.g. to humans@, dpo@) until triaged | US (multi-region) | DPF + Google DPA + SCCs |
| Twilio Inc. | A2P 10DLC SMS delivery for Synsmarts internal staff on-call alerts | Synsmarts staff mobile phone numbers; delivery receipts and ack metadata | US | DPF + Twilio DPA + SCCs |
| Slack Technologies LLC (a Salesforce company) | Internal collaboration workspace | Synsmarts staff messages and channel content | US | DPF + Slack DPA + SCCs |
3. Change Notification
We notify you at least 30 calendar days before adding or replacing a Section 1 sub-processor. Each notification includes the sub-processor's name, location, processing description, security measures, and DPF/SCC status.
3.1 How to Subscribe
To receive notifications, email [email protected] with subject "SUBSCRIBE — sub-processor notifications" and the address you want notifications delivered to. An RSS feed for automated monitoring is published when this register is in production.
3.2 How to Object
If you object to a new or replacement Section 1 sub-processor, submit your objection in writing with reasons related to data protection to [email protected] within 30 days of the notification. When you object:
- We will not use the objected sub-processor for your Personal Data.
- We will make reasonable efforts to provide an alternative arrangement (routing your data away from the objected sub-processor, using an alternative provider, or modifying the service).
- If no alternative is feasible, either party may terminate the affected services on 30 days' written notice without penalty to you. We continue providing the service without the objected sub-processor during the notice period where technically possible.
3.3 Sub-Processor Removal
When Synsmarts removes a Section 1 sub-processor from this register:
- Tenants are notified via the change-notification channels within 30 days of the removal taking effect.
- We confirm in writing that the removed sub-processor has deleted or returned all Personal Data processed on tenants' behalf, in accordance with the sub-processor's DPA.
- If the removal involves migrating to a replacement sub-processor, the standard 30-day advance notification and objection process applies to the new sub-processor before migration begins.
4. Change History
| Date | Change | Entity | Details |
|---|---|---|---|
| 2026-06-10 | Register published | — | Initial publication of the sub-processor register at /tos/sub-processors. |
| At platform launch | Added (planned) | AWS, Anthropic, Cloudflare, Authorize.net | Initial Section 1 sub-processors at platform launch (Anthropic, Cloudflare, Authorize.net pending DPA execution / review). |
5. More Information
| Resource | Location |
|---|---|
| Data Processing Agreement | /tos/dpa |
| Privacy policy | /privacy |
| Terms of Service | /tos |
| Transfer Impact Assessment | Available on request to [email protected] |
Contact
Sub-processor notifications and objections: [email protected]
Privacy questions: [email protected]