Sub-processors

Third parties that process customer data on our behalf. We notify customers 30 days before adding a new one (see Privacy §5). Subscribe to changes at subprocessors-subscribe@server2agent.com.

Last updated: April 22, 2026 · Release: us-atlanta-v1

Category	Purpose	Data category	Region	Attestation
LLM provider	LLM (Triage · Investigator · Reporter)	masked incident text	US	Type II
Frontend hosting	admin-ui · status-site · landing hosting	session, app logs	US	Type II
Compute platform	orchestrator · caddy · step-ca compute	operational data	US (atl/iad)	Type II
Managed Postgres	Postgres (incidents, audit, billing)	all structured data	AWS us-east-1	Type II
Managed Redis	Redis (short-TTL streams, JTI)	ephemeral queue/cache	AWS us-east-1	Type II
Edge platform	DNS · CDN · WAF · object storage	TLS termination, release artifacts	Global (edge)	Type II
Authentication provider	Authentication (Passkey, SMS OTP, Organizations)	admin identity	US	Type II
SMS provider	SMS notifications	recipient phone numbers	US	Type II
Transactional email provider	Transactional email	recipient emails, subject lines	US	Type II
Payment processor	Billing, invoicing, US sales tax	billing contact, payment tokens	US	PCI DSS + SOC 1/2
Error monitoring	Error tracking	stack traces, redacted	US	Type II
Observability / metrics	OpenTelemetry / metrics	operational telemetry	US (us-east)	Type II
Source control / CI	Source code, CI/CD, artifact registry	no customer data	US	Type II
Code signing provider	Code signing for agent binary	binary hashes	US	third-party attestation

Regions

All primary data stays in the United States for the us-atlanta-v1 release. No data is intentionally replicated to the EU or APAC. Customer data is not sent to the LLM provider in raw form — only masked, summarized incident text required for investigation.

Archived versions

Previous lists are retained under /subprocessors/archive/<date>.md in our internal compliance repo (shared under NDA on request).