Legal

Sub-Processors

ComplianceOS uses the following third-party sub-processors to deliver our services. This list is maintained pursuant to our Data Processing Agreement.

Last updated: April 2026 · 7 sub-processors · 30-day change notification

Change Notification Policy

We will notify you at least 30 days in advance of any new sub-processor being added to this list. If you object to a new sub-processor on reasonable data protection grounds, please contact us at founder@aiactsolutions.com within the notice period.

Supabase (AWS)

Singapore (ap-southeast-1)

Purpose

Database, authentication, file storage, and real-time subscriptions

Data Processed

Account data, AI system registrations, compliance documents, audit logs, user profiles

Safeguards

SCCs, encryption at rest (AES-256) and in transit (TLS 1.2+)

OpenAI

USA

Purpose

AI-powered risk classification, gap analysis, document generation, and document refinement

Data Processed

AI system descriptions, compliance document content (sent as prompts for processing)

Safeguards

SCCs, zero data retention policy (API inputs/outputs not used for training), encryption in transit

Anthropic

USA

Purpose

AI-powered document generation and compliance analysis (fallback provider)

Data Processed

AI system descriptions, compliance document content (sent as prompts for processing)

Safeguards

SCCs, zero data retention policy on API, encryption in transit

Groq

USA

Purpose

AI-powered risk classification and gap analysis (fallback provider)

Data Processed

AI system descriptions (sent as prompts for classification)

Safeguards

SCCs, zero data retention on inference API, encryption in transit

Vercel

USA / Global Edge

Purpose

Web application hosting, edge delivery, and serverless function execution

Data Processed

HTTP requests, IP addresses, session cookies, server-side rendered pages

Safeguards

SCCs, SOC 2 Type II certified, encryption in transit, edge caching

Dodo Payments

Global

Purpose

Payment processing, subscription management, and invoicing (Merchant of Record)

Data Processed

Billing name, email, payment method details (handled by Dodo, not stored by ComplianceOS)

Safeguards

PCI DSS Level 1, SCCs, MoR model (ComplianceOS never sees card data)

Resend

USA

Purpose

Transactional email delivery (account verification, notifications, password resets)

Data Processed

Email addresses, email content (notification text)

Safeguards

SCCs, SOC 2 Type II, encryption in transit, minimal data retention

Questions?

If you have questions about our sub-processors or wish to object to a new sub-processor, please contact us:

ComplianceOS

Email: founder@aiactsolutions.com