GateAgent GuardProtocolMCPGovGuardSovereigntyFinGuardQuorumDemoTry itVerifyPricingDocsRequest Pilot
Legal · Sub-processors

Sub-processors

Effective 2026-05-05 · Updated whenever a data flow changes

Customers can subscribe to change notifications and receive at least 30 days' advance notice of any new sub-processor handling customer data.

The vendors below process customer data on behalf of EMILIA Protocol, Inc. for the purposes described. Each vendor is contractually bound to data-protection terms equivalent to those we provide our customers. Customers can subscribe to change notifications by emailing privacy@emiliaprotocol.ai; we provide at least 30 days' advance notice of new sub-processors that handle customer data.

Sub-processorPurposeRegionData category
Vercel Inc.Web hosting, edge functions, deployment platformUnited States (multi-region)Page request metadata, ephemeral function payloads
Supabase, Inc.Managed Postgres + RLS authorization for trust receipts and policy storageUnited States (us-east, configurable)Tenant policy data, trust receipts (signed), entity authority records
GitHub, Inc.Source-code hosting, CI workflows, issue trackingUnited StatesMaintainer + contributor identity (public)
npm, Inc. (GitHub)SDK distribution (@emilia-protocol/sdk, @emilia-protocol/verify)United StatesPublic package metadata only
Cloudflare, Inc.DNS, edge security, transit-layer DDoS mitigationGlobal edgeRequest metadata, IP addresses (transit only)
Anthropic, PBCAI Trust Desk — LLM answer drafting (primary)United StatesQuestionnaire question text, vendor product description (inference only; not used for training)
OpenAI, L.L.C.AI Trust Desk — LLM answer drafting (fallback); embeddings for entity registration/search and needs-broadcast matchingUnited StatesQuestionnaire question text, vendor product description, entity/needs text submitted to registry endpoints (inference only; not used for training)
Resend (Plus Five Five, Inc.)Transactional email — trust-page delivery + status noticesUnited StatesCustomer contact name + email, engagement reference
Stripe, Inc.Payment processing for AI Trust Desk engagementsUnited StatesBilling contact email; card data held by Stripe, never by us
Functional Software, Inc. (Sentry)Error tracking and performance monitoring (10% trace sample)United StatesError reports, request metadata (IP, user agent) — no message content

How we choose sub-processors

Each sub-processor passes a vendor-due-diligence review covering data security, business continuity, sub-processor practices of their own, and contractual data-protection commitments equivalent to GDPR Article 28 standards. Vendors handling customer personal data are required to maintain SOC 2 Type II or ISO/IEC 27001 certification.

What is not on this list

We deliberately keep the data-flow surface small. The hosted service does not use third-party advertising, behavioral analytics, marketing automation, or session-replay tools. We do not share customer data with third parties for their marketing or AI-training purposes. If we ever add a vendor in those categories we will list it here and notify customers in advance per the change-notification process above.

International transfers

Where a sub-processor processes personal data outside the customer's region (typically EU/EEA/UK/Swiss data transferred to the United States), we rely on EU Standard Contractual Clauses and the UK addendum where applicable. Region-pinned processing is available by arrangement on EP Enterprise engagements — contact legal@emiliaprotocol.ai for the data-residency configuration.

Contact

Questions about a specific sub-processor or to subscribe to change notifications: privacy@emiliaprotocol.ai.

Sub-processors — EMILIA Protocol