1. Overview
Under UK GDPR Article 28 and EU GDPR Article 28 we are required to maintain a public list of sub-processors. Each is contracted via a Data Processing Agreement meeting Article 28(3) requirements. All transfers outside the UK and EEA rely on approved mechanisms (UK IDTA, EU SCCs, or adequacy decision).
See our Privacy Policy for the broader framework and your rights regarding these processors.
2. Infrastructure
| Sub-processor | Purpose | Location | Data categories | Transfer mechanism |
|---|---|---|---|---|
| Microsoft Azure | Container hosting (Web + API), Key Vault for secret storage, Container Registry for images | UK South (uksouth) | All operational data flows through Azure containers | UK — no transfer |
| Supabase | Managed Postgres database + object storage (memory snapshots) | EU (Frankfurt) | Account, receipt, snapshot, activity, email-log, ai-call-log tables | EU — no transfer (UK→EU covered by UK adequacy decision) |
| Upstash | Managed Redis for rate limiting + session state | EU | Rate-limit counters; session tokens (short-lived) | EU — no transfer |
3. AI providers
We do not use AI providers to process every receipt — only when you explicitly invoke features that require them (dedup search, dispute jury, memory snapshots).
| Sub-processor | Purpose | Location | Data categories | Transfer mechanism |
|---|---|---|---|---|
| OpenAI, Inc. | Embeddings (semantic search, dedup, org_context_lookup) + Multi-LLM Jury (one of three vendors) | United States | Receipt descriptions for embedding; dispute payloads for jury | EU-US Data Privacy Framework (OpenAI certified) + SCCs as belt-and-braces |
| Anthropic PBC | Multi-LLM Jury (one of three vendors) | United States | Dispute payloads only | Standard Contractual Clauses + Transfer Impact Assessment |
| Google LLC (Vertex AI) | Multi-LLM Jury (one of three vendors) | United States + EU regional endpoints | Dispute payloads only | EU-US Data Privacy Framework (Google certified) |
| Mem0 | Memory snapshot capture (when customer opts in) | United States | Memory snapshot blobs + agent identifiers | SCCs + UK IDTA |
| Letta | Memory snapshot capture (when customer opts in) | United States | Memory snapshot blobs + agent identifiers | SCCs + UK IDTA |
4. Business operations
| Sub-processor | Purpose | Location | Data categories | Transfer mechanism |
|---|---|---|---|---|
| Stripe Payments Europe Ltd | Payment processing (subscriptions + credit packs) | Ireland (EU customers) / United States (US customers) | Billing email, payment card last-4, transaction amounts | PCI-DSS compliant; we never see card details. EU customers stay in EU. |
| Resend | Transactional email (welcome, weekly digest, dispute notifications) | United States | Recipient email, template name, send status, error messages | EU-US Data Privacy Framework + SCCs |
| Persona Identities, Inc. | Real-KYC tier identity verification | United States | Government ID, biometric liveness, address (only for users who opt into Real-KYC) | SCCs + UK IDTA + Persona-side encryption; we store only the verification reference, not the documents |
5. Authentication
We use OAuth for sign-in. The provider you pick is the only one that handles your credentials; we never see your password.
| Sub-processor | Purpose | Location | Data categories | Transfer mechanism |
|---|---|---|---|---|
| Google LLC (Google Sign-In) | OAuth sign-in (when customer chooses Google) | United States + EU regional endpoints | Email, display name, profile photo URL only | EU-US Data Privacy Framework |
| GitHub, Inc. | OAuth sign-in (when customer chooses GitHub) | United States | Email, username, public profile only | SCCs |
| Microsoft (Entra ID) | OAuth sign-in (when customer chooses Microsoft / Entra) | EU + customer tenant region | Email, display name, tenant ID only | EU — no transfer for EU customers |
6. Optional / consent-based
These sub-processors only operate after you give consent (analytics) or only on specific endpoints (Cloudflare for DDoS protection).
| Sub-processor | Purpose | Location | Data categories | Transfer mechanism |
|---|---|---|---|---|
| Google LLC (Google Analytics 4) | Aggregated visit analytics — only loaded after customer consent via cookie banner | United States + EU regional endpoints | Anonymised page views, country, referrer, UTM (IP truncated) | EU-US Data Privacy Framework + Google's IP anonymisation |
| Cloudflare | DDoS protection + bot management on selected high-volume endpoints (post-launch) | Global edge — closest POP to the user | Request metadata (IP, headers); no request body inspection | Cloudflare DPA + SCCs |
7. Notification of changes
We notify customers 30 days before any new sub-processor begins processing personal data, via:
- Email to your registered address
- An entry on /changelog
- An update to this page (with the effective date bumped)
If we replace an existing sub-processor with an equivalent one in the same jurisdiction with no change in data categories, we may notify with shorter lead time but always before the change is live.
8. Objecting to a sub-processor
If you object to a new sub-processor for legitimate reasons within 30 days of our notification, contact hello@genzagents.io. We will attempt to provide an alternative or accept termination of the affected service. If neither is feasible, you may terminate the affected paid service for a pro-rata refund.
9. Contact
Sub-processor questions: hello@genzagents.io.