Running a reliable, secure platform means relying on a few trusted partners. In the interest of the transparency we ask of everyone else, here's exactly who we use, what they do, and where. We keep this list current and give notice before it changes.
A sub-processor is a company we use to help deliver the service, which in doing so may handle some data on our behalf. For example, we don't run our own data centres — AWS does that for us — so AWS is a sub-processor. We vet each one carefully and bind them to protect your data under contract; they can only use it to do the specific job we've engaged them for.
Amazon Web Services (AWS) — hosts the platform and stores each organisation's evidence in its own isolated bucket. You choose the region: the EU (Frankfurt), the US (Northern Virginia), or Asia-Pacific (Singapore). This is the backbone of the service, and enterprise customers can bring their own AWS storage to keep data entirely in their account.
Cloudflare — protects our website and forms from bots and abuse (including the challenge you may see on our contact form) and helps keep the site fast and available. It processes limited technical data such as IP addresses to do this.
Google (Workspace) — delivers our transactional and notification emails, such as account, verification, and password-reset messages, over authenticated SMTP. It processes the recipient's email address and the message content needed to deliver it.
AI model provider (Anthropic and/or OpenAI) — powers the optional AI assistant, and only when your organisation turns AI features on. If you'd rather keep processing inside your own boundary, you can bring your own model key so requests go to your account, not ours. With AI features off, no data is sent to an AI provider at all.
Before we engage any sub-processor, we assess its security and data-protection posture, and we sign data-protection terms at least as strict as the ones we offer you. We review them periodically, and we stay accountable to you for how they perform — using a sub-processor never means shrugging off responsibility.
If we plan to add or replace a sub-processor, we'll update this page and, where your agreement requires it, give you advance notice so you have a fair opportunity to object. To be notified of changes, email hello@complianceonecloud.com and we'll add you to the list.