Purpose of this page
This page identifies third parties (subprocessors) that Cloudryption authorises to process Customer Data or personal data in connection with delivering the Cloudryption platform. This list satisfies Cloudryption's disclosure obligation under the Data Processing Addendum and applicable data protection law.
Only active subprocessors currently used to deliver the Cloudryption platform are listed below. Optional subprocessors are not used unless expressly enabled by the customer or agreed in the applicable agreement. Subprocessors are reviewed for security posture, privacy terms, data locations, transfer safeguards, incident notification terms, and deletion practices before onboarding, and critical subprocessors are reviewed at least annually.
Change notification
Cloudryption will provide notice of material new subprocessors by updating this page and, where contractually required, by sending direct notice to affected customers. Customers may object to a new subprocessor within the period stated in the customer agreement (at least 30 days) by providing reasonable data-protection grounds in writing to support@cloudryption.com.
Active subprocessors
| Subprocessor | Category | Purpose | Data processed | Location / region | Transfer safeguard |
|---|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting & infrastructure | Compute, networking, managed database, object storage, backups, KMS, monitoring | Customer cloud metadata, account data, logs, encrypted backups | EU (Ireland / Frankfurt) | EU adequacy / SCCs / AWS DPT |
| Postmark | Transactional email | Account invitations, password reset, security and service notices | Business contact data, email metadata | US | SCCs / EU–US DPF |
| Linear | Support & issue tracking | Customer support, bug reports, security review questions | Support content, contact data, diagnostic logs if provided | US | SCCs / EU–US DPF |
| Sentry | Error monitoring | Reliability monitoring and error diagnostics | Error traces, stack traces, workspace / user IDs as configured; PII and secrets are redacted where technically feasible | US | SCCs / EU–US DPF |
Payment processing
Cloudryption does not currently use a third-party payment processor for pilot billing. If payment processing is introduced in the future, this page will be updated before Customer billing data is processed through that provider.
Optional subprocessors
| Subprocessor | Category | Purpose | Data processed | Location / region | Transfer safeguard |
|---|---|---|---|---|---|
| AI provider (configurable) | Optional AI assistance | Generate security summaries and narratives from selected findings and report inputs when enabled by tenant admin | Limited security summary inputs; no raw secrets, payloads, or regulated personal records by design | Varies by provider selection | Data Processing Addendum terms apply; AI features disabled by default |
Optional AI subprocessors
No AI subprocessor is enabled by default. AI-assisted narrative features are disabled by default on all Cloudryption accounts. When AI features are expressly enabled by an authorised tenant administrator, the applicable AI provider will be specified and the Data Processing Addendum applies. Cloudryption will update this page before enabling any AI provider for Customer Data processing.
AI processing, when enabled, is limited to selected security findings, attack-path summaries, and report inputs. Raw secrets, production payloads, regulated personal records, and sensitive system identifiers are excluded by design.
Security review
Before onboarding a subprocessor that may access Customer Data, Cloudryption reviews the provider's security posture (certifications, privacy terms, data location, transfer safeguards, incident notification), imposes written data protection obligations, and records the review outcome.
Critical subprocessors (cloud hosting, database, email) are reviewed at least annually.
Questions
For questions about this subprocessor list or to exercise DPA objection rights, contact: support@cloudryption.com.