What a subprocessor is
A subprocessor is a third-party provider that may process data on behalf of SynchrotronAI so SynchrotronAI can operate the website, provide products, deliver professional services, run managed services, host systems, secure infrastructure, process payments, receive intake forms, and support customers.
The exact provider set can vary by product, project, customer-selected cloud, integration, pilot, managed services scope, and signed agreement. A customer order may identify additional or narrower providers for a specific engagement.
Core providers
| Provider | Purpose | General data categories | Location |
|---|---|---|---|
| Cloudflare, Inc. | DNS, CDN, edge security, traffic routing, caching, bot protection, and website reliability. | IP addresses, request metadata, security logs, cache metadata, browser details, and technical information needed to serve and protect the website. | United States and Cloudflare global edge network. |
| Stripe, Inc. | Payment processing, billing, checkout, invoices, payment support, fraud prevention, and financial operations. | Billing contact information, payment details submitted to Stripe, transaction metadata, tax or invoice details, and payment support records. | United States and other locations used by Stripe. |
| HubSpot, Inc. | Website intake forms, CRM records, sales communication, workflow review requests, and business follow-up. | Contact details, company information, inquiry context, form submissions, communication records, and CRM metadata. | United States and other locations used by HubSpot. |
| Amazon Web Services, Inc. | Cloud hosting, infrastructure, networking, storage, databases including PostgreSQL, logging, monitoring, deployment, backup, security, and production operations. | Application data, PostgreSQL database data hosted on AWS, technical logs, operational metadata, files, and hosted workload data depending on the service or product. | United States and selected AWS regions. |
| Microsoft Corporation | Azure cloud infrastructure, AI services, hosting, storage, identity, analytics, integrations, and customer delivery when Azure is part of the chosen architecture. | Application data, workflow data, technical logs, operational metadata, files, and hosted workload data depending on the service or product. | United States and selected Microsoft Azure regions. |
| Google LLC | Google Cloud infrastructure, AI services, hosting, storage, analytics, integrations, and customer delivery when Google Cloud is part of the chosen architecture. | Application data, workflow data, technical logs, operational metadata, files, and hosted workload data depending on the service or product. | United States and selected Google Cloud regions. |
| GitHub, Inc. | Source control, development workflow, issue management, deployment automation, code review, and engineering operations. | Code, issue metadata, deployment metadata, operational records, technical context, and limited business information needed for delivery. | United States and other locations used by GitHub. |
Provider notice fields
For each provider, SynchrotronAI tracks the provider name, purpose, applicable product or function, general data categories, expected processing location, and whether the provider is generally used or project-specific. Customer-specific provider details may be documented in an order, security questionnaire, architecture document, or DPA exhibit.
Project-specific providers
Some engagements may require customer-selected systems, identity providers, CRMs, ERPs, data warehouses, analytics systems, cloud accounts, monitoring tools, email providers, ticketing systems, AI model providers, storage services, or other integration partners. Those providers should be identified in the applicable statement of work, architecture, order, security documentation, or customer instructions when they materially process customer data.
Provider diligence
SynchrotronAI considers provider purpose, security, reliability, availability, data categories, processing location, contractual terms, and fit for the engagement. Provider review may vary based on risk, data sensitivity, customer requirements, project scope, and whether the provider is selected by SynchrotronAI or directed by the customer.
Changes and objections
SynchrotronAI may update this list as vendors, cloud architecture, products, services, and managed support evolve. Customers with a signed DPA may object to a new subprocessor when they have a reasonable, documented data protection concern. If the concern cannot be resolved, the remedy will be the one stated in the applicable agreement.
Customer responsibilities
Customers are responsible for identifying customer-directed providers, approving architecture choices, configuring customer-controlled systems, managing access, and ensuring that data provided to SynchrotronAI is appropriate for the selected providers and regions.
Contact
Questions about subprocessors may be submitted through the workflow review intake or by email at [email protected].