Subprocessors
Statement
A subprocessor, for the purposes of this page, is any third-party service that processes ClaimGuard customer data on our behalf in the production environment. The list is short — two entries — and is maintained alongside the Vendor management page, which covers the process of vetting and reviewing vendors.
This list is current as of 2026-04-29. Changes to it are tracked
in docs/security/HARDENING-LOG.md and disclosed to material customers
on the contractually required notice cadence (today, no customer is at
material scale; this becomes operational at first regulated-customer
onboarding).
Production subprocessors
| # | Subprocessor | Purpose | Data processed | Region | DPA / contract |
|---|---|---|---|---|---|
| 1 | Google LLC — Google Cloud Platform (project train-cvit2) | Compute, persistent storage, secrets, audit logs, snapshots | All production application data: user accounts, claim narratives, evidence files, configuration, secrets at rest | Primary: europe-west1 (Belgium). Snapshots: same region geography. | Google Cloud DPA accepted at project setup. |
| 2 | Google LLC — Google Generative AI (Gemini API, gemini-2.5-pro) | LLM inference for the master_tool claim-analysis component | Claim narratives and evidence summaries sent to the API at analysis time. See AI transparency for what is and is not sent, and for opt-out considerations. | Google-managed; the data-residency story is the Gemini API's published one. | Same Google Cloud DPA covers Gemini API usage under the same terms. |
Non-subprocessors (clarifying scope)
The following touch the codebase or development environment but do not process production customer data:
- Snyk — scans source manifests / source code; does not see runtime data.
- GitHub — source-code hosting and PR review.
- npm registry / PyPI — pull-only; no production data exposure.
These are documented under Vendor management for completeness but are not subprocessors in the data-processing sense.
How additions and changes are handled
- A new subprocessor is added only after the vendor process described in Vendor management is complete.
- The change lands in this page in the same PR that wires the new vendor into production.
- The change is recorded in docs/security/HARDENING-LOG.md so the history is reconstructable.
- For customers under a contractual notification clause, the change triggers the contractually required notice. Today no customer is at material scale; this becomes operational at first regulated-customer onboarding.
Data residency note
Both subprocessors are Google services. The primary residency
commitment we can give a customer today is "data at rest lives in the
europe-west1 GCP region for the persistent storage tier; Gemini API
inference follows Google's published Generative AI residency
behavior." Stronger residency guarantees (e.g., "no inference outside
the EU") would require a Gemini API plan change and are tracked as a
roadmap item under AI transparency.
Status
implemented — verified 2026-04-29.
Two subprocessors enumerated; both Google entities; covered by the Google Cloud DPA.
Roadmap
- PDF index of executed contracts — a single internal page linking each subprocessor entry to the PDF of the executed DPA / Order Form and any addenda.
- Customer notification workflow for material new subprocessors — formalized at first regulated-customer onboarding.
- Stronger AI-vendor residency commitment — pursued only when a customer demands it.