Sub-processors
The third parties that process customer data on our behalf, the data categories they touch, and where they operate. Maintained in real time.
Overview
A sub-processor is a third party that processes customer data on our behalf when we cannot, or should not, host that capability ourselves (cloud infrastructure, payments, transactional email, error monitoring, LLM inference, and so on).
We aim to keep this list short. Each addition is reviewed by Security, Legal, and Engineering, signed off by the data-protection officer, and announced to workspace owners at least 30 days before it begins processing customer data.
How we add a sub-processor
Every candidate sub-processor must satisfy four gates before we onboard them: a documented security posture (SOC 2 or equivalent), a data-protection agreement that flows our obligations down, region/residency alignment with the workspaces it will serve, and a runbook for revocation if the relationship ends.
Once approved, the sub-processor is added to the list below, the changelog at the bottom of this page is updated, and a notification is sent to the Billing Admin of every active workspace.
Current sub-processors
The list below reflects every third party that may process customer data on behalf of margininfo as of the last updated date. A new sub-processor is announced at least 30 days before it begins processing customer data; you can subscribe to updates from your workspace billing settings.
| Sub-processor | Purpose | Data categories | Region | Certifications |
|---|---|---|---|---|
| Amazon Web Services | Primary cloud, compute, storage, managed Postgres | All customer data at rest | US (us-east-1, us-west-2) · EU (eu-west-1) | SOC 2, ISO 27001, HIPAA |
| Cloudflare | Edge network, DDoS, WAF, TLS termination | Request metadata only | Global edge | SOC 2, ISO 27001, PCI DSS |
| Vercel | Marketing site hosting (margininfo.com) | Anonymous web analytics | Global edge | SOC 2 |
| Stripe | Billing, subscription management, invoicing | Workspace billing contacts, payment tokens | US | PCI DSS L1, SOC 1/2, ISO 27001 |
| Anthropic | LLM inference for the agent's investigations | Prompted excerpts only, never training data | US | SOC 2 |
| OpenAI | Fallback LLM inference for the agent | Prompted excerpts only, never training data | US | SOC 2, CCPA |
| Sentry | Application error monitoring and tracing | Error payloads, stack traces (scrubbed of secrets) | US | SOC 2, ISO 27001 |
| Datadog | Infra metrics, logs, APM | Operational telemetry only | US | SOC 2, ISO 27001, HIPAA |
| Postmark | Transactional email (digest, alerts, invites) | Workspace user emails, message bodies | US | SOC 2 |
| Linear | Internal product engineering and issue tracking | Support ticket excerpts (opt-in) | US | SOC 2 |
| Slack | Customer support channel and internal comms | Workspace and contact name, message content | US | SOC 2, ISO 27001 |
| Notion | Internal knowledge base and runbooks | No customer data | US | SOC 2 |
Notifications and objections
Subscribe to sub-processor change notifications from your workspace billing settings, or via email to subprocessors-subscribe@margininfo.com.
If you object to a new sub-processor on documented data-protection grounds, write to dpo@margininfo.com within 30 days of the announcement. The objection process is described in section 5 of the Data Processing Addendum.
This list and its notification cadence are working drafts pending counsel review and will be reissued under counsel's letterhead alongside the executed DPA.