Name: EMILIA Protocol
Availability: InStock
Author: EMILIA Protocol

Sub-processors

Effective 2026-05-05 · Updated whenever a data flow changes

Customers can subscribe to change notifications and receive at least 30 days' advance notice of any new sub-processor handling customer data.

The vendors below process customer data on behalf of EMILIA Protocol Foundation for the purposes described. Each vendor is contractually bound to data-protection terms equivalent to those we provide our customers. Customers can subscribe to change notifications by emailing privacy@emiliaprotocol.ai; we provide at least 30 days' advance notice of new sub-processors that handle customer data.

Sub-processor

Purpose

Region

Data category

Vercel Inc.

Web hosting, edge functions, deployment platform

United States (multi-region)

Page request metadata, ephemeral function payloads

Supabase, Inc.

Managed Postgres + RLS authorization for trust receipts and policy storage

United States (us-east, configurable)

Tenant policy data, trust receipts (signed), entity authority records

GitHub, Inc.

Source-code hosting, CI workflows, issue tracking

United States

Maintainer + contributor identity (public)

npm, Inc. (GitHub)

SDK distribution (@emilia-protocol/sdk, @emilia-protocol/verify)

United States

Public package metadata only

Cloudflare, Inc.

DNS, edge security, transit-layer DDoS mitigation

Global edge

Request metadata, IP addresses (transit only)

How we choose sub-processors

Each sub-processor passes a vendor-due-diligence review covering data security, business continuity, sub-processor practices of their own, and contractual data-protection commitments equivalent to GDPR Article 28 standards. Vendors handling customer personal data are required to maintain SOC 2 Type II or ISO/IEC 27001 certification.

What is not on this list

We deliberately keep the data-flow surface small. The hosted service does not use third-party advertising, behavioral analytics, marketing automation, or session-replay tools. We do not share customer data with third parties for their marketing or AI-training purposes. If we ever add a vendor in those categories we will list it here and notify customers in advance per the change-notification process above.

International transfers

Where a sub-processor processes personal data outside the customer's region (typically EU/EEA/UK/Swiss data transferred to the United States), we rely on EU Standard Contractual Clauses and the UK addendum where applicable. Customers on EP Cloud Enterprise tiers may pin processing to specific regions — contact legal@emiliaprotocol.ai for the data-residency configuration.

Contact

Questions about a specific sub-processor or to subscribe to change notifications: privacy@emiliaprotocol.ai.