Trust Center

Sub-processor list

Every vendor that touches customer data, what they do, and their compliance posture. 30-day notice on changes.

Audience
customers, procurement, privacy officers
Last reviewed
2026-07-05

Audience: customers (via trust portal), auditors. Status: Living document — must be re-reviewed every quarter and on every change of vendor.

Last reviewed: 2026-07-05.


VendorServiceData sharedRegionSecurity review statusDPA on file
AWSS3, SES, KMS (Govcloud), Route 53Reports, exports, evidence bundlesus-gov-east-1 / eu-central-1✅ FedRAMP High; SOC 2 Type IIYes
HetznerVPS hosting (commercial tier)App tier computeDE (FRA1, NBG1)✅ ISO 27001; DPA + SCCsYes
CoolifySelf-hosted PaaS for commercial deploysContainer metadata onlyself-hostedn/a — runs in our VPCn/a
GoogleGemini API — active default AI model providerRedacted dataset summaries and profiles only — never raw rows; PII pseudonymised before egress; never used for trainingUS / EU✅ SOC 2 Type II; ISO 27001Yes
AnthropicClaude API — available AI model provider, routed only where a deployment or organisation configures itSame envelope as above: redacted summaries/profiles only; never used for trainingUS✅ SOC 2 Type IIYes
OpenAIOpenAI API — available AI model provider, routed only where a deployment or organisation configures itSame envelope as above: redacted summaries/profiles only; never used for trainingUS✅ SOC 2 Type IIYes
StripePaymentsEmail, billing addressUS✅ PCI DSS Level 1Yes
PagerDutyAlertsAlert payloads only (no customer data)US✅ SOC 2 Type IIYes
Sentry (self-hosted)Error monitoringSanitised error payloads (PII redacted)DE (self-hosted)✅ self-hostedn/a
DatadogAPM, logs (commercial)Sanitised metrics; PHI/PII redacted via PiiRedactorEU pod✅ SOC 2 Type II; HIPAA BAAYes
Google (OAuth)SSOEmail, nameUS✅ SOC 2 Type IIYes
GitHubSSO + source controlSource code + commit metadataUS✅ SOC 2 Type IIYes

A note on AI model providers. Rahoto’s AI subsystem supports multiple model providers; which one handles a request depends on the deployment’s configuration and the organisation’s own settings. Google (Gemini) is the active default. What leaves Rahoto is always the same restricted envelope: compact, PII-redacted summaries and profiles of your data — never raw rows — and no provider is permitted to train on it (see how Rahoto handles your data with AI). Organisations can additionally require that confidential or restricted data never reaches a cloud model at all. Bring-your-own-model endpoints that a customer configures are the customer’s own vendor, not a Rahoto sub-processor.


Vendor onboarding workflow

Adding a new vendor that handles customer data:

  1. Open ticket in Linear, label vendor-review.
  2. Complete the security questionnaire (template at docs/compliance/vendor-questionnaire.md).
  3. Collect:
    • SOC 2 Type II (current within 12 months).
    • ISO 27001 or equivalent.
    • DPA / SCCs signed by Legal.
    • Sub-processor list (if vendor uses further sub-processors).
  4. Risk assessment — score 1-5 on:
    • Sensitivity of data shared
    • Region of processing
    • Cert posture
    • Track record / public incidents
  5. Approval threshold:
    • Score < 8: engineering manager approves.
    • Score 8-12: CTO approves.
    • Score > 12: CTO + General Counsel approve.
  6. Once approved:
    • Add row to this table.
    • Add to trust portal sub-processor list (must be public 30 days before vendor goes live for customer data).
    • Document data flow in docs/security/ARCHITECTURE.md.
    • Update SOC 2 / HIPAA / FedRAMP audit packages.

Vendor offboarding

When a vendor is replaced or removed:

  1. Stop sending data to the vendor.
  2. Issue a data deletion request per the DPA.
  3. Verify deletion (vendor must produce a certificate of destruction).
  4. Update this table — mark row “Decommissioned ” and keep for audit history; don’t remove.

Sub-processor commitments to customers

Per the customer DPA:

  • 30 days advance notice before a new sub-processor handles customer data.
  • Customers may object; we’ll work with them or terminate the contract.
  • The trust portal lists current sub-processors and changes feed.