Draft for legal review
Sub-processors
Version 2026-05-11 · Effective 2026-05-11 · Material version
1. About this page
Amarantic uses the sub-processors listed below to operate the platform. This page is part of our Layer-1 contracts together with the Terms, the Privacy Policy, and the Data Processing Agreement. Adding a sub-processor that processes Tenant personal data is a material event; we will give Tenants 30 days' notice and a chance to object. Removals are disclosure-only.
2. Disclosure pattern: function-not-vendor
For each load-bearing function we disclose the function (what the data is used for) and a versioned current named list of the providers we use to serve that function, with role labels. Provider swaps within the same function — for example replacing one EU-region SMS aggregator with another — do not require a DPA rewrite. The unit of disclosure is the function row; the unit of versioning is the named list inside it.
3. Conditional Standard Contractual Clauses
Where any sub-processor listed in any function row below is located outside the European Economic Area (EEA), the Module-2 (controller→processor) Standard Contractual Clauses (Commission Decision 2021/914) apply. This clause auto-applies while a non-EEA sub-processor is on the list and auto-stops applying if and when every listed sub-processor in a given function becomes EEA-only. No DPA rewrite is required on a provider swap within the same function. We maintain Transfer Impact Assessments for each US sub-processor.
4. Public-copy guardrail
Amarantic does not and will not claim that "all data stays in the EU" while any sub-processor in any function row is located outside the EEA. The conditional SCCs clause above is the load-bearing safeguard in that posture. Marketing copy across our surfaces must remain honest about sub-processor location.
5. Function: LLM inference for AI assistant and tool calling
The Amarantic AI assistant uses LLM inference to answer in-product questions, draft messages, navigate the product, and surface proactive opportunities. Data flowing into this function: tenant-scoped operator prompts and tool inputs (subject to a server-side projection that drops internal identifiers, tokens, audit telemetry, and other denied keys), redacted assistant chat content, and — only where the end-client has granted explicit Art. 9 consent at a named egress surface — clinical content. Today no Art. 9 egress surface is enabled.
Current named list (vendors and roles):
| Vendor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Anthropic PBC | Primary LLM sub-processor | United States (us / global Anthropic-direct inference regions) | Module-2 SCCs |
| OpenAI L.L.C. | Configured fallback LLM sub-processor (fires only when the primary is unavailable) | United States; direct-API EU residency available on eligible endpoints with zero-data-retention since January 2025, expanded January 2026 | Module-2 SCCs |
Verified facts (May 2026):
- The Anthropic direct API supports only us and global inference regions today; direct-API EU residency is not available. EU residency for Claude is achievable via AWS Bedrock EU-Ireland and Google Vertex EU, which we may evaluate as a forward step.
- OpenAI offers direct-API EU residency on eligible endpoints with zero-data-retention as referenced above.
Explicitly NOT a tenant-data sub-processor — Google Gemini. A test-only opt-in path through Google Gemini exists in the codebase (AI_PROVIDER=gemini) for benchmarking and AI-DEPLOY-01 end-to-end telemetry proofs when the primary provider is unavailable. Gemini is never used for production Tenant data and is intentionally not listed here. Promoting Gemini to a tenant-data processor would require a separate documented change that updates this page first.
A future evaluation of EU-residency-capable LLM providers is tracked internally as AI-EU-RESIDENCY-EVAL-01. Until then, the conditional SCCs clause above governs.
6. Function: Database, authentication, and platform storage
| Vendor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Supabase Inc. | Managed Postgres, authentication, and storage for tenant and platform data | EU (Frankfurt, aws-eu-central-1) | N/A (EU-to-EU) |
Row-Level Security is applied to every tenant-scoped table; cross-tenant reads and writes are blocked at the database level. Encryption at rest is provided by the managed platform; field-level AES-256-GCM is applied on top for Art. 9 special-category data and for the per-mutation change-log of those fields.
7. Function: Application hosting and edge network
| Vendor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | Application hosting and edge network for amarantic.com (marketing site) and app.amarantic.com (product) | EU (Stockholm arn1) primary region, plus a global edge POP network for static asset delivery | Module-2 SCCs for non-EEA edge POPs |
Auth-sensitive routes resolve through the primary EU region.
8. Function: Cache and rate limiting
| Vendor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Upstash Inc. | Redis-backed cache and sliding-window rate limiting | EU (Frankfurt) | N/A (EU-to-EU) |
Rate-limit keys derive from IP and authenticated principal; values are short-lived and contain no end-client PII.
9. Function: Subscription billing and payment processing
| Vendor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Subscription checkout, customer portal, and payment processing for Tenant subscriptions and (where enabled) for end-client checkout | EU primary acquirer (Ireland) with global routing for some endpoints | Article 46 transfer tools where applicable |
We do not store full card numbers. Stripe controls card data directly; we hold provider references (Stripe customer IDs, subscription IDs, invoice IDs) and the amount/currency/status fields we need to reconcile. The subscription invoice ledger is retained for 5 years under bogføringsloven.
10. Function: Outbound email
We are mid-transition on this function. The disclosure is honest about the current state.
| Vendor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Resend Inc. | Current outbound transactional email provider (confirmations, recovery, marketing) | United States (account metadata, logs, and API records reside in the US even when dispatch uses eu-west-1) | Module-2 SCCs / EU-US Data Privacy Framework |
| Mailjet (Sinch Email — Mailjet SAS) | Planned outbound email provider replacement for an EU-first posture | France (Mailjet/Sinch Email EU infrastructure) | N/A (EU-to-EU) once active |
The transition to Mailjet is in flight (COMMS-EMAIL-MAILJET-01). When the cold switch lands, this row will be updated and the change will trigger re-acknowledgement under our material-version contract; Resend will be removed in the same update.
11. Function: SMS delivery
| Vendor | Role | Location | Transfer mechanism |
|---|---|---|---|
| GatewayAPI ApS | Outbound SMS delivery (booking confirmations, reminders, and — where enabled — marketing SMS and time-sensitive slot-fill offers) | Denmark | N/A (EU-to-EU) |
| Twilio Inc. | Alternative SMS path for time-sensitive slot-fill offers where enabled by the Tenant; not the default path | United States | Module-2 SCCs / EU-US Data Privacy Framework |
Appointment-reminder SMS runs under Art. 6(1)(b) contractual necessity, not consent. Marketing SMS, when introduced, will run under the same Marketing consent that governs marketing email under our simplified two-checkbox model.
12. First-party click tracking — not a sub-processor
The trackable {{bookingLink}} redirect that powers marketing-attribution reporting runs first-party on a platform-controlled redirect domain. Click events are processed only by Amarantic's own infrastructure and are not shared with any sub-processor. IP and user agent are stored only as salted SHA-256 digests, never as raw values. The attribution cookie expires 30 minutes after issue and carries an HMAC-signed (linkId, organizationId) reference, not PII. Click tracking can be disabled per-Tenant.
13. Change events
| Event | material flag | What happens |
|---|---|---|
| Add a new vendor performing Tenant-data processing | true | Re-acknowledgement modal on the Tenant Owner's next privileged action |
| Replace one named vendor with another in the same function | true (treated as addition) | Re-acknowledgement modal |
| Remove a vendor (we stop using them for Tenant data) | false | Passive notice |
| Update a vendor's role label or jurisdiction string without changing data flow | false | Passive notice |
| Update the SCCs jurisdiction posture | true | Re-acknowledgement modal |
Tenants are notified 30 days in advance of any addition or replacement and may object on reasonable grounds; see the DPA Section 8.
14. Data categories sent to listed sub-processors
- LLM inference function (Anthropic / OpenAI) — tenant-scoped operator prompts, tool inputs, redacted assistant chat content; Art. 9 content only via an explicit, consent-gated egress surface (none enabled today). No batched cross-tenant prompts. No bulk dataset egress. Internal identifiers, secrets, and audit telemetry are dropped by a canonical projection boundary.
- Database and storage (Supabase) — all structured tenant data, encrypted at rest by the managed platform; Art. 9 fields additionally encrypted at the field level with AES-256-GCM.
- Hosting and edge (Vercel) — HTTP request logs, session-cookie payloads (httpOnly + Secure).
- Cache and rate limiting (Upstash) — IP, session principal, rate-limit window keys; no end-client PII.
- Payments (Stripe) — customer email, subscription metadata, transaction amounts; card data is controlled by Stripe directly.
- Email (Resend → Mailjet) — recipient email, name, message body, delivery + open/click events for outbound communications.
- SMS (GatewayAPI / Twilio) — recipient phone number and message body for SMS communications.
15. End-client objection right
End-clients retain the GDPR Art. 21 right to object to AI-driven processing of their data. We record the objection through the ai_processing consent type in our tenant-scoped consent ledger; AI-driven outreach checks this before every action and skips clients who have objected. The Art. 21 opt-out path for appointment reminders (which run under contractual necessity, not consent) is captured separately as END-CLIENT-COMMUNICATION-OPT-OUT-01 and ships with a preference toggle so end-clients can opt out of reminders without breaking the contract for the appointment itself.
16. How we maintain this list
We review the list at least quarterly and update it whenever a sub-processor is added, replaced, or removed. The version, effective date, and material flag at the top of this page govern re-acknowledgement under our material-version contract.
For questions about this list, contact privacy@amarantic.com.