A short, transparent supply chain
These are the only third parties that process personal data to deliver Soryx. Each is bound by an Article 28 GDPR contract, kept EU-resident wherever possible, and never permitted to use your data for its own purposes - or to train AI models.
Last updated
Who processes your data
| Subprocessor | Purpose | Region |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, database, and AI inference via Amazon Bedrock | EU - eu-west-1 (Ireland) |
| Have I Been Pwned (HIBP) | Breach-exposure lookups to detect leaked credentials | EEA-adequate (transfers via SCCs) |
| Zyte | Managed data extraction to detect broker and people-search listings | EU / Ireland |
| Stripe | Payment processing and billing | EU / Ireland (SCCs where applicable) |
| Authentication (sign-in with Google) | EU region (SCCs where applicable) |
Where a vendor sits outside the EEA, transfers are covered by the EU Standard Contractual Clauses with supplementary encryption measures.
How we manage this list
Brokers aren’t subprocessors
The data brokers we contact to action your erasure requests are not Soryx subprocessors - they are the recipients of your Article 17 requests. We share only the minimum identifiers needed to assert your right to erasure, never to enable their processing.
Kept current
We update this page before adding or replacing any subprocessor. Business customers under our Data Processing Agreement receive at least 30 days’ advance notice and may object on reasonable grounds. To be notified of changes, email dpo@soryx.ai.