Subprocessors

Last updated: 13 April 2026

About Subprocessors

Guardiso uses third-party services (subprocessors) to provide the ISMS platform. Below is the complete list of subprocessors who may have access to customer personal data.

We have signed Data Processing Agreements (DPAs) with all subprocessors. For transfers outside the EEA, we use Standard Contractual Clauses (SCCs).

Subprocessor List

| Name | Purpose | Location | DPA Status |
| --- | --- | --- | --- |
| Scaleway SAS | Application hosting, Managed PostgreSQL, Object Storage (S3), Container Registry | Warsaw, Poland (pl-waw region) | DPA signed |
| Anthropic PBC | AI Copilot query processing (optional) — policy generation, risk analysis, evidence validation. Query text only, transient processing, no model training. | US — data is not retained after the request completes | DPA + SCCs |
| OpenAI LLC | Embedding vector generation for semantic search across the knowledge base (text-embedding-3-small model, RAG pipeline). No model training on customer data. | US | DPA + SCCs |
| Google LLC | OAuth 2.0 authentication (email address, name, profile picture) | US / EU | DPA via Google Workspace |
| Stripe Inc | Subscription payment processing and invoicing. Guardiso never stores full card data — card details pass directly to Stripe through their secure forms. | US / Ireland | DPA + SCCs |
| Resend Inc | Transactional email — organisation invitations, incident notifications, expiring-evidence reminders, password resets. | US | DPA + SCCs |
| Cloudflare Inc | DNS, DDoS protection, Web Application Firewall, edge caching | US / EU | DPA signed |

Change Notifications

We notify customers 30 days before adding a new subprocessor. The notification is sent to the organisation administrator's email address.

If you have objections regarding a new subprocessor, you may file an objection within 30 days of receiving the notification. In that case, we will work together to find a solution or allow contract termination without penalties.

Data Flow Details

Scaleway SAS

Scaleway stores all application data, including the PostgreSQL database with user and organization data. All data is encrypted with AES-256 at rest. Data centers hold ISO 27001, SOC 2, and HDS certifications.

Anthropic PBC

AI features are optional — you can use the platform without them. When a user invokes AI Copilot, ONLY the query content is sent to Anthropic (e.g., "generate a password management policy"). Anthropic processes the data transiently — it does not store it after the request completes and does NOT use it for AI model training. Your database, files, configuration, and personal data are never sent to Anthropic. The transfer is based on SCCs.

OpenAI LLC

OpenAI is used exclusively to generate embedding vectors for semantic search across the knowledge base (RAG pipeline, text-embedding-3-small model). Only document fragments are sent to OpenAI for vectorisation — OpenAI returns numeric vectors and does not retain content after the request completes. Customer data is never used to train models. Transfer is based on OpenAI DPA and SCCs.

Google LLC

Google processes data only for OAuth 2.0 authentication (email address, name, profile picture). We do not share additional user data with Google.

Stripe Inc

Stripe handles subscription payments and invoicing. Guardiso never sees or stores full payment card data — card details flow directly from the user's browser to Stripe through their secure forms (Stripe Elements). Only subscription tokens and transaction metadata (amount, currency, status) reach Guardiso. Transfer is based on Stripe DPA and Standard Contractual Clauses.

Resend Inc

Resend handles transactional email — organisation invitations, incident notifications, expiring-evidence reminders and password resets. Only email addresses and platform-generated message content reach Resend. Transfer is based on the Resend DPA and SCCs.

Cloudflare Inc

Cloudflare processes IP addresses and HTTP request metadata for DDoS protection and DNS resolution. Cloudflare does not have access to encrypted application content.

Contact

If you have questions about subprocessors or data processing: