sub-processors.md

Sub-Processors

Last updated: 2026-06-10. This is the public Synsmarts sub-processor register. It is Annex 2 of our Data Processing Agreement and is incorporated by reference into the Terms of Service.

We engage two classes of third parties: tenant-data sub-processors (Section 1) that process Personal Data on your behalf as your processor's sub-processor under GDPR Article 28, and operations sub-processors (Section 2) that process only Synsmarts operational data (employee accounts, internal collaboration, on-call alerts) and not tenant end-customer Personal Data. Sub-processor changes in Section 1 trigger the 30-day notification and objection process described in DPA §6 and Section 3 below. Section 2 changes are not subject to the objection mechanism because they do not affect Personal Data we process on your behalf, but we will keep this register current as a transparency commitment.

1. Tenant-Data Sub-Processors

The following sub-processors are authorized to process Personal Data on behalf of Synsmarts tenant controllers, as part of the Synsmarts managed hosting platform.

EntityServicesData categoriesLocationTransfer mechanismStatus
Amazon Web Services, Inc. Cloud infrastructure, compute, storage, database, transactional email (SES), DNS (Route53), encryption key management (KMS), content delivery, backup All tenant Personal Data (application databases, files, backups, logs); Synsmarts operational data US (us-east-1 primary, us-west-2 DR) AWS DPF + AWS DPA + SCCs Operational
Anthropic PBC AI diagnostic inference (Claude API). Zero post-inference retention. Zero training use. Redacted telemetry and redacted source-code snippets (PII / PAN stripped before transmission by the Vector and code-redaction pipelines) US DPF + SCCs (Module 3: Processor to Processor) Pending DPA execution
Cloudflare, Inc. CDN, WAF, DDoS protection (sub-processor role). Independent-controller threat intelligence is outside this DPA's scope. IP addresses, HTTP headers, request metadata, TLS session data Global edge / US origin Cloudflare DPF + Cloudflare DPA + SCCs Pending DPA review
Authorize.net (a Visa Inc. service) Payment gateway, tokenized payment profiles. We never store raw card numbers. Payment tokens, transaction amounts, billing contact names US DPF + Visa/AN DPA + SCCs Pending DPA review

1.1 Retention and Security Baseline

EntityRetentionSecurity baseline
Amazon Web Services, Inc.Duration of contract + backup retention per the Synsmarts retention scheduleSOC 2 Type II, ISO 27001, CSA STAR Level 2, per-tenant KMS encryption
Anthropic PBCZero post-inference retention (contractual, DPA §13). No training use.SOC 2 Type II, TLS 1.2+ in transit
Cloudflare, Inc.Edge cache and logs per Cloudflare's DPA; request logs typically < 72 hoursSOC 2 Type II, ISO 27001, PCI-DSS Level 1
Authorize.net (Visa Inc.)Per Visa/AN DPA and PCI-DSSPCI-DSS Level 1 Service Provider

1.2 Notes

1.3 Sub-Sub-Processors

Sub-processors are not authorized to engage further sub-processors for processing Synsmarts tenant data without prior written authorization. Each sub-processor's DPA includes flow-down obligations requiring downstream processors to be bound to equivalent data-protection terms. Tenants requiring details on specific sub-processor infrastructure providers (e.g., Anthropic's GPU cloud providers) may request this information from [email protected].

1.4 Conditions Precedent

Sub-processors marked "Pending DPA review" or "Pending DPA execution" are subject to the following:

2. Operations Sub-Processors (No Tenant Personal Data)

The following sub-processors process Synsmarts internal operational data (employee accounts, contact info, internal collaboration, on-call alerts). They do not process tenant end-customer Personal Data, so they are not subject to the DPA §6 notification / objection mechanism, but we list them here for transparency.

EntityServicesData categoriesLocationTransfer mechanism
Google LLC (Google Workspace)Email, calendar, document storage for Synsmarts staffSynsmarts employee email and documents; inbound customer correspondence (e.g. to humans@, dpo@) until triagedUS (multi-region)DPF + Google DPA + SCCs
Twilio Inc.A2P 10DLC SMS delivery for Synsmarts internal staff on-call alertsSynsmarts staff mobile phone numbers; delivery receipts and ack metadataUSDPF + Twilio DPA + SCCs
Slack Technologies LLC (a Salesforce company)Internal collaboration workspaceSynsmarts staff messages and channel contentUSDPF + Slack DPA + SCCs

3. Change Notification

We notify you at least 30 calendar days before adding or replacing a Section 1 sub-processor. Each notification includes the sub-processor's name, location, processing description, security measures, and DPF/SCC status.

3.1 How to Subscribe

To receive notifications, email [email protected] with subject "SUBSCRIBE — sub-processor notifications" and the address you want notifications delivered to. An RSS feed for automated monitoring is published when this register is in production.

3.2 How to Object

If you object to a new or replacement Section 1 sub-processor, submit your objection in writing with reasons related to data protection to [email protected] within 30 days of the notification. When you object:

  1. We will not use the objected sub-processor for your Personal Data.
  2. We will make reasonable efforts to provide an alternative arrangement (routing your data away from the objected sub-processor, using an alternative provider, or modifying the service).
  3. If no alternative is feasible, either party may terminate the affected services on 30 days' written notice without penalty to you. We continue providing the service without the objected sub-processor during the notice period where technically possible.

3.3 Sub-Processor Removal

When Synsmarts removes a Section 1 sub-processor from this register:

  1. Tenants are notified via the change-notification channels within 30 days of the removal taking effect.
  2. We confirm in writing that the removed sub-processor has deleted or returned all Personal Data processed on tenants' behalf, in accordance with the sub-processor's DPA.
  3. If the removal involves migrating to a replacement sub-processor, the standard 30-day advance notification and objection process applies to the new sub-processor before migration begins.

4. Change History

DateChangeEntityDetails
2026-06-10Register publishedInitial publication of the sub-processor register at /tos/sub-processors.
At platform launchAdded (planned)AWS, Anthropic, Cloudflare, Authorize.netInitial Section 1 sub-processors at platform launch (Anthropic, Cloudflare, Authorize.net pending DPA execution / review).

5. More Information

ResourceLocation
Data Processing Agreement/tos/dpa
Privacy policy/privacy
Terms of Service/tos
Transfer Impact AssessmentAvailable on request to [email protected]

Contact

Sub-processor notifications and objections: [email protected]
Privacy questions: [email protected]

← back to terms of service