Subprocessors
Last updated: May 30, 2026
This page lists the third-party subprocessors that AIOX Suite engages to deliver the Services. It is referenced from our Terms of Service and our Privacy Policy, and is provided to help customers meet their own subprocessor-disclosure obligations under the GDPR, the UK GDPR, the CCPA / CPRA, and similar laws.
1. Current subprocessors
1.1 Infrastructure and hosting
| Subprocessor | Purpose | Location of processing | Transfer mechanism (if outside EEA / UK) |
|---|---|---|---|
| [YOUR CLOUD HOSTING PROVIDER] | Application hosting, server infrastructure, storage | [REGION] | Standard Contractual Clauses + supplementary measures |
| [YOUR CDN / DNS PROVIDER, IF ANY] | Content delivery, DDoS mitigation, DNS resolution | Global edge network | Standard Contractual Clauses + supplementary measures |
1.2 Payment processing
| Subprocessor | Purpose | Location of processing | Transfer mechanism (if outside EEA / UK) |
|---|---|---|---|
| Stripe, Inc. | Payment processing, billing, subscription management, fraud detection | United States; Ireland (for EU customers) | Standard Contractual Clauses; Stripe Data Processing Agreement; UK International Data Transfer Addendum |
1.3 Third-party AI providers
AI providers are engaged when you invoke an app or feature that calls them.
| Subprocessor | Purpose | Location of processing | Transfer mechanism (if outside EEA / UK) |
|---|---|---|---|
| Google LLC (Gemini API) | Default AI provider for content optimisation, Capsule generation, Help Concierge, Sentinel rule proposals, AI Visibility Score, AI Forensics | United States; EU regions where elected | Standard Contractual Clauses; Google Cloud Data Processing Addendum |
| OpenAI, L.L.C. | Optional / alternate AI provider for content processing and Forensics probes | United States | Standard Contractual Clauses; OpenAI Data Processing Addendum |
| Anthropic, PBC | Optional / alternate AI provider for content processing and Forensics probes | United States | Standard Contractual Clauses; Anthropic Data Processing Addendum |
| Perplexity AI, Inc. | Optional / alternate AI provider for Forensics probes | United States | Standard Contractual Clauses; Perplexity Data Processing Addendum |
1.4 Operational tooling
| Subprocessor | Purpose | Location of processing | Transfer mechanism (if outside EEA / UK) |
|---|---|---|---|
| [YOUR TRANSACTIONAL EMAIL PROVIDER, IF ANY] | Delivery of account, billing, security, support, and marketing emails | [REGION] | Standard Contractual Clauses + supplementary measures |
| [YOUR MONITORING / ERROR-REPORTING PROVIDER, IF ANY] | Application monitoring, error reporting, uptime checks | [REGION] | Standard Contractual Clauses + supplementary measures |
| [YOUR SUPPORT / CRM PROVIDER, IF ANY] | Support-ticket management, customer communications | [REGION] | Standard Contractual Clauses + supplementary measures |
2. Scope of processing per subprocessor
- Hosting and infrastructure providers process all categories of personal data because they host the systems on which the Services run.
- Stripe processes only the personal data necessary for payment: account identifiers, payment-method tokens, billing addresses, invoice records, and fraud-detection signals. Stripe does not receive content data, AI prompts, or visitor telemetry.
- AI providers receive only the specific prompt and contextual data necessary to fulfil the request that invoked them. They do not receive your dashboard activity, visitor IPs from your connected sites, billing data, or other operational data.
- Operational tooling processes the specific data category appropriate to each tool.
3. Subprocessor selection and review
Before engaging a new subprocessor, we:
- Review the subprocessor's security posture, certifications, and incident-response practices;
- Bind the subprocessor by written agreement to data-protection obligations no less protective than those in our Privacy Policy and Terms of Service;
- Where personal data is transferred outside the EEA, UK, or Switzerland, ensure that an appropriate transfer mechanism is in place;
- Maintain documentation of the basis on which we conduct the transfer impact assessment required under European law.
4. Notification of changes
We will update this page when we add, remove, or replace a subprocessor.
For customers who have entered a Data Processing Addendum with us that requires advance notification of subprocessor changes:
- We will provide at least thirty (30) days' notice before a new subprocessor begins processing personal data on our behalf, via email to the contact address on file and via a notice on this page;
- If you object to a new subprocessor on reasonable data-protection grounds, you may notify us within the notice window at privacy@aioxsuite.com; we will work in good faith to address your concerns.
5. Data Processing Addendum
A Data Processing Addendum incorporating the Standard Contractual Clauses and the UK International Data Transfer Addendum is available on request to privacy@aioxsuite.com.
6. Questions
For questions about this Subprocessor List, contact:
AIOX Suite — Privacy Office
Privacy & data rights: privacy@aioxsuite.com
Security disclosures: security@aioxsuite.com
General legal: legal@aioxsuite.com