1. Active subprocessors
TrustWays AI engages the following third-party subprocessors to deliver the service. Each is bound by a written agreement aligned to GDPR Art. 28 and equivalent obligations under UK GDPR, Swiss FADP, and India's DPDP Act.
| Subprocessor | Category | Purpose | Location | Transfer mechanism |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | Hosting of the TrustWays AI platform (RDS Postgres, EKS, S3, CloudFront). | EU (eu-central-1) primary · US, IN, CH regions for tenants in those residencies | EU SCCs (where applicable) + AWS GDPR addendum |
| Anthropic | AI inference | Powers Counsel (regulator-aware AI assistant), document drafting, classification suggestions. | US | EU SCCs + Anthropic DPA (data not retained for model training under enterprise agreement) |
| Cloudflare | CDN / WAF / DNS | DDoS protection, edge caching for the marketing site, DNS. | Global edge | EU SCCs (Cloudflare DPA, EU Data Boundary opted in) |
| Sentry | Error monitoring | Application error tracking + performance monitoring (no customer data sent — only error stack traces). | EU (Frankfurt) — EU data plane | EU residency, no transfer |
| Stripe | Payments | Subscription billing + payment processing. | US, EU, IN (regional acquirers) | EU SCCs + Stripe DPA |
| Postmark / Postmark App | Transactional email | Service emails — account verification, password reset, billing alerts, admin notifications. | US (with EU data centre for EU residency) | EU SCCs + Postmark DPA |
| Google Workspace | Internal collaboration | Internal email, document collaboration for TrustWays staff. Customer support correspondence is logged here. | EU + US | EU SCCs + Google Cloud DPA |
2. Notifications of changes
We notify Customer admins by email at least 30 days before adding or replacing a subprocessor that would process Customer personal data. To subscribe to the notification list, email legal@trustways.ai.
3. How to object
If you have a reasonable data-protection objection to a new subprocessor, write to dpo@trustways.ai within 14 days of the change notification. Per Clause 7 of our DPA, where we cannot accommodate the objection you may terminate the affected services without penalty.