Subprocessors
Vendor table
The table lists the service providers that process personal data on behalf of Doxus.
| Vendor | Status | Purpose | Data | Location | Transfer | DPA | Customer content | Notice |
|---|---|---|---|---|---|---|---|---|
| Cloudflare | Active | Ingress, WAF, DNS, Email Routing, and Cloudflare-owned edge services | IP address, request metadata, and security event metadata | Global CDN / edge | Processor under Cloudflare DPA; restricted-transfer posture requires review | DPA via Cloudflare DPA | No customer document content intended for ingress, WAF, DNS, or public edge routing; discovery scan mapped S3-compatible R2 SDK hits to this existing frozen vendor | 30-day prior notice for new subprocessors that process customer content |
| Google Cloud | Active | Residual Google services: Cloud Vision OCR, Picker API key, project services/IAM, and historical evidence for retired GKE resources | Account data, tenant settings, business documents, extracted fields, and audit events | UK/EU for retained project posture where configured; Google API processing varies by service | Processor under Google Cloud terms; restricted-transfer posture still requires evidence by service | DPA via Google Cloud terms | OCR-transient customer content may be sent to Cloud Vision; GKE no longer hosts production workloads | 30-day prior notice for new subprocessors that process customer content |
| Anthropic | Active | LLM extraction with Claude API | Customer-provided document text, prompts, outputs, and processing metadata | US | UK IDTA Addendum (included in Anthropic Commercial Terms DPA) | DPA accepted via Anthropic Commercial Terms 2026-04-29; zero data retention enabled (no training, no retention beyond the API call) | Customer document content is sent in prompts; zero-retention setting prevents persistence at Anthropic | 30-day prior notice for new subprocessors that process customer content |
| OpenAI | Active | LLM extraction fallback / development, gated by config | Customer-provided document text, prompts, outputs, and processing metadata | US | Restricted transfer; IDTA/Addendum or other valid transfer mechanism pending before production use | DPA pending | Customer document content is exposed if enabled | 30-day prior notice for new subprocessors that process customer content |
| SMTP2GO | Active | Transactional email | Email address, message metadata, and transactional message content | UK/EU | Processor terms; no restricted transfer recorded for UK/EU posture | DPA pending | No customer document content intended; rendered attachments can be sent to tenant-user recipients | 30-day prior notice for new subprocessors that process customer content |
| Sentry | Active | Error monitoring | Error events, device metadata, route metadata, and stack context | UK/EU | UK GDPR Article 28 processor terms; no restricted transfer recorded for UK/EU posture | DPA pending | No customer content intended | 30-day prior notice for new subprocessors that process customer content |
| GitHub | Active | Source control, PR workflow, and CI runners with ARC self-hosted on PVE1 k3s | Developer account data, source code metadata, and build metadata | US | Subprocessor for tooling; restricted-transfer posture requires review | DPA via GitHub Customer Agreement | Tooling only; no customer-data processing intended | 30-day prior notice for new subprocessors that process customer content |
| SuperTokens | Active | Authentication backend | Account identifiers, authentication metadata, and session metadata | UK-hosted self-managed deployment in Doxus PVE1 k3s cluster | No restricted transfer for self-managed UK-hosted deployment; upstream image/vendor review still tracked | Self-hosted internal infrastructure; listed for completeness | Customer auth metadata stored | 30-day prior notice for new subprocessors that process customer content |
| Google OAuth/Drive APIs | Active | OAuth identity, Gmail ingestion authorisation, Drive destination delivery, and Google Picker folder selection | Account identifiers, OAuth scopes, Drive file metadata, and files handled under customer instruction | US | Processor under Google Cloud terms; restricted-transfer posture requires review for API processing | DPA via Google Cloud terms | Customer content uploaded to the user's own Drive; no extra Doxus-side storage from Drive delivery | 30-day prior notice for new subprocessors that process customer content |
Status
Each vendor is engaged under the provider's standard data processing terms.
Purpose
The purpose column explains why the provider is used in the service.
Data categories
The data categories column describes the types of personal data or customer content the provider processes.
Location and region
Locations reflect current provider or deployment regions and may change as infrastructure settings evolve.
Transfer mechanism
International transfers rely on UK-EU adequacy where it applies and on standard contractual clauses where it does not.
DPA status
A data processing addendum is in place with each listed vendor under its standard terms.
Customer content exposure
This field identifies whether the provider is expected to process customer documents or document-derived content.
Customer notice policy
30-day prior notice for new subprocessors that process customer content