Sub-processors
A sub-processor is a third-party vendor we engage to process personal data on our behalf, on our documented instructions and under a written data processing agreement. This page lists our current sub-processors, the data they handle, where they process it, and the safeguards we rely on for international transfers. It supplements section 5 of our Privacy Policy.
Vendors that process only marketing content and no end-user personal data — for example our self-hosted headless CMS — are not listed as sub-processors of personal data. Our AI risk-assessment runs on infrastructure we operate ourselves, but the scan calls a third-party AI model (Google Gemini) to perform the analysis; that model provider is listed below.
| Sub-processor | Service / purpose | Personal data processed | Processing location | Transfer safeguard |
|---|---|---|---|---|
| Railway Corp. | Cloud application hosting and content delivery for the website, CMS, and assessment backend. | All data in transit to the Site; server access logs (IP address, user-agent, request metadata). | United States (US-West, California) | EU SCCs (2021/914) + UK IDTA; encryption in transit and at rest. |
| Supabase, Inc. | Managed PostgreSQL database and authentication — stores booking and contact submissions and authenticates customer-portal users. | Name, work email, company, phone, free-text messages, account credentials (hashed), session metadata. | Japan (ap-northeast-1, Tokyo) | Japan benefits from an EU/UK adequacy decision; EU SCCs + UK IDTA as backstop. Row-level security; encryption in transit and at rest. |
| Resend (Plus Five Five, Inc.) | Transactional email delivery — booking confirmations, contact-form notifications, and report delivery. | Name, email address, and the contents of the message or notification. | Japan (ap-northeast-1) | Japan benefits from an EU/UK adequacy decision; EU SCCs + UK IDTA as backstop. TLS in transit. |
| Calendly LLC | Embedded meeting-scheduling widget used when you choose to book a call or demo. | Name, email, and any scheduling details you enter into the Calendly widget. | United States | EU SCCs + UK IDTA; loaded only when you open the booking widget. |
| Google LLC (Gemini API) | AI model (Gemini 3.1 Lite) that powers the DPDP risk-assessment scan — analyses the inputs you submit and the target site to generate the risk score, findings, and report. | Assessment inputs you provide (company name, requester name, work email, phone, target website URL) and scan content sent to the model for analysis. | Global (edge/CDN) | Google Cloud / Gemini API data processing terms + EU SCCs; API inputs are not used to train Google's models under the paid API terms. |
| Google LLC (Google Fonts) | Serves web fonts so the Site renders consistently across devices. | IP address and user-agent, logged transiently by Google when your browser fetches a font. | Global (edge/CDN) | EU SCCs; data limited to network metadata required to serve the asset. |
| Unsplash Inc. | Content-delivery network for marketing imagery on the Site. | IP address and user-agent, logged transiently when your browser fetches an image. No form data. | Global (edge/CDN) | EU SCCs; data limited to network metadata required to serve the asset. |
We carry out due diligence on each sub-processor and bind each one by a data processing agreement incorporating, where personal data leaves the EEA or the UK, the European Commission's Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum. We give contracted customers prior notice of any change to this list at the contact address on file, and we update the "last updated" date above whenever it changes.
Questions or objections? Customers, prospects, and regulators can request further detail — including specific processing regions and copies of our transfer safeguards — by emailing dpo@silicasecure.com.