Sub-processors.
A sub-processor is any third party that processes personal data on CertiFlow’s behalf in the course of delivering the service. We disclose every one of them, what they do, where they do it, and what categories of data they touch. This list is part of the Data Processing Agreement annex and is the binding source of truth.
Last updated 2026-06-08
01 · Sub-processors that hold customer evidence
Ciphertext only. None of them can read your evidence.
These sub-processors hold ciphertext only. A subpoena served on any of them yields only ciphertext and plaintext metadata; the decryption key never touches their infrastructure.
| Sub-processor | Role | Data categories | Location |
|---|---|---|---|
| Supabase Inc. | Application database + authentication | Ciphertext evidence blobs, encrypted DEKs, encrypted Vault Keys, plaintext metadata (control IDs, framework names, timestamps, audit chain), profile rows | EU — Frankfurt (eu-central-1) |
| Vercel Inc. | Web application hosting + CDN | HTTP request metadata, session cookies, no customer evidence | US (entity); edge globally; data residency varies by route |
| Amazon Web Services (AWS S3 — CertiFlow production) | Evidence file object storage | Ciphertext files only | EU — Ireland (eu-west-1) |
| AWS S3 Object Lock vault (DCS audit account) | Out-of-band immutable backup of ciphertext + audit chain | Ciphertext files, ciphertext metadata, audit_log rows | EU — Ireland (eu-west-1) |
| AWS KMS (CertiFlow production) | Database storage envelope (at-rest encryption layer) | Database envelope keys only — does NOT hold customer-data DEKs | EU — Frankfurt |
02 · Volatile plaintext — in-flight only, no persistence
Two participants see plaintext briefly during an active session.
Plaintext processing happens only when you are actively using the product and only inside customer-initiated request scopes. Volatile memory only, no persistence to durable storage.
| Sub-processor | Role | Data categories | Location |
|---|---|---|---|
| AWS Bedrock (Claude family models) | AI evidence translation — describe-in-English to audit-grade | Customer's typed control description (plaintext); generated evidence response (plaintext) | EU region; transient only — in-memory, deleted at end of request per Bedrock VPC endpoint terms |
| Anthropic Claude for Legal Managed Agents (Bedrock + direct API) | First-pass document review for customer-uploaded contracts and policies — Commercial Legal, Product Legal, Privacy, and other practice-area plugins per ADR-0019 | Document plaintext for review (transient inference only); customer playbook plaintext when applicable. Findings + severity + confidence persisted to c1.ai_findings; document plaintext NOT persisted. | EU region preferred (Bedrock); some plugins via direct Claude API (US/EU). Volatile-plaintext-in-flight only — no retention. |
| Customer's own browser | Argon2id key derivation, Vault Key unwrap, DEK unwrap, file decrypt for view, plaintext rendering | Master Password (typed by customer), Account Key (derived in browser), file plaintext during active view | Customer device — sessionStorage only, purged on tab close or 30-min idle |
03 · Infrastructure sub-processors that never see evidence
Payments, email, CDN, source control.
These sub-processors are involved in running the company but do not handle customer evidence in any form — neither plaintext nor ciphertext.
| Sub-processor | Role | Data categories | Location |
|---|---|---|---|
| Stripe Payments Europe, Ltd. | Payment processing — subscription management, invoicing | Billing data: name, email, billing address, card-tokenised reference (never raw PAN at DCS) | Ireland |
| Stackmail SARL | Transactional email — OTPs, billing receipts, notifications | Email address; minimal body content | Switzerland |
| Cloudflare, Inc. | CDN, DNS, DDoS protection, WAF for the marketing site | IP addresses (transient request log), browser fingerprint (transient) | Edge locations worldwide; logs in Ireland |
| GitHub, Inc. | Source-code hosting and CI/CD execution (engineering data only) | DCS contributor identities, commit metadata. NO customer personal data. | United States |
Why this list is shorter than incumbents'
Vanta's, Drata's, and Sprinto's sub-processor lists run to 25 to 40 entries because they integrate with customer SaaS tools (Okta, Slack, Microsoft, Google, AWS, GitHub, …) and pull plaintext evidence into their own systems for indexing and continuous monitoring.
CertiFlow’s sub-processor list is intentionally short. We never integrate directly with customer-side SaaS tools because doing so would require us to hold customer evidence in plaintext — which would break our zero-knowledge guarantee. The integration sources you use to gather evidence are your sub-processors, not ours; the relationship between you and Okta is yours, not ours.
Change notice protocol
- 30 days advance notice to all active customers before any addition, removal, or material scope change. Notice goes to the contracted notice address (typically legal@your-domain) and to the in-product notification feed for tenant admins.
- 15 days from notice to object on reasonable grounds. If no resolution is reached, you may terminate the affected service without penalty.
- No silent additions. Every new sub-processor is documented here and dated, including the historical record below.
Removed sub-processors (historical record)
Contact
Sub-processor enquiries, DPA requests, and supervisory-authority correspondence: trust@certiflow.com.
See also: our Data Processing Agreement, Privacy notice, and Security page.