What is a Sub-Processor?
Sub-processors are third-party companies that System Alphas engages to help deliver our services — and in doing so, they also process your data on our behalf.
Simple example: We build an AI agent for you. That agent runs on OpenAI’s API. OpenAI touches your data to generate responses. OpenAI is our sub-processor.
The chain looks like this: Client → System Alphas (main processor) → OpenAI / n8n / AWS, etc. (sub-processors).
Why This Matters Under GDPR
Under the General Data Protection Regulation, when System Alphas signs a contract to handle your data, we are fully responsible — including for every tool we use underneath. If a sub-processor mishandles your data, you can come after us, not them directly. That’s why GDPR Article 28 requires us to:
- Publicly disclose who our sub-processors are.
- Give clients at least 30 days’ notice before engaging any new sub-processor that processes Personal Data.
- Ensure every sub-processor is contractually bound (DPA, SCCs, or equivalent) to protect your data with safeguards equivalent to ours.
- Allow clients a reasonable objection period for new sub-processors.
Current Sub-Processor List
The table below lists all third-party services that may process Client Data on our behalf. We minimize the data shared with each provider to what is strictly necessary for service delivery.
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| OpenAI | LLM inference for AI agents (GPT models) | Prompts, retrieved context, generated responses | USA (DPA + SCCs) |
| Anthropic | LLM inference for AI agents (Claude models) | Prompts, retrieved context, generated responses | USA (DPA + SCCs) |
| Google Cloud | LLM inference (Gemini), cloud infrastructure, Vertex AI | Prompts, embeddings, vector data, agent logs | USA / EU (DPA + SCCs) |
| n8n | Workflow orchestration and automation | Workflow execution data, integration payloads | EU / Self-hosted in Client infrastructure |
| Amazon Web Services (AWS) | Cloud hosting, storage, compute, vector databases | Application data, encrypted backups, agent state | USA / EU regions (DPA + SCCs) |
| Vercel | Front-end hosting, edge deployment, CDN | Web traffic logs, deployment metadata | USA / Global edge (DPA + SCCs) |
| GitHub | Source code repository and version control | Code, configurations, deployment artifacts | USA (DPA + SCCs) |
| Stripe | Payment processing and invoicing | Billing contact, payment metadata (no full card data stored by us) | USA / EU (DPA + SCCs, PCI-DSS) |
| Google Workspace | Email, document collaboration, internal communication | Client correspondence, project documents | USA / EU (DPA + SCCs) |
| Slack | Client communication and project channels | Project messages, attachments | USA (DPA + SCCs) |
| Calendly | Strategy call scheduling and calendar booking | Name, email, timezone, scheduling preferences | USA (DPA + SCCs) |
| Google Analytics | Website analytics and usage measurement | Pseudonymized usage data, anonymized IP | USA / EU (DPA + SCCs, IP anonymization) |
Sub-Processor Safeguards
For every sub-processor on this list, System Alphas:
- Executes a Data Processing Agreement (DPA) compliant with GDPR Article 28.
- Relies on Standard Contractual Clauses (SCCs) or the EU–U.S. Data Privacy Framework for international transfers.
- Audits security posture (SOC 2, ISO 27001, or equivalent) at the time of onboarding and on a recurring basis.
- Limits data sharing to the minimum necessary for service delivery.
- Maintains the right to terminate the relationship if the sub-processor fails to meet its obligations.
Notification of Changes
System Alphas will notify active clients at least 30 days in advance before engaging any new sub-processor that processes Personal Data, via email to the designated client contact and/or a prominent notice on this page.
Clients who object to a proposed sub-processor on reasonable data protection grounds may terminate the affected service without penalty within the notice period, in which case System Alphas will return or securely delete all Client Data per Section 8.3 of our Terms and Conditions.
HIPAA-Covered Engagements
Where Services involve Protected Health Information (PHI), all sub-processors with access to PHI also execute Business Associate Agreements (BAAs) before any PHI is processed. Sub-processors that do not support BAA arrangements are not used for HIPAA-covered engagements.
Questions or Objections
For questions about this list, to request the underlying DPA terms, or to formally object to a sub-processor:
Email: contact@systemalphas.com · Subject line: “Sub-Processor Inquiry”
Phone: +1 (929) 568-8522
Address: System Alphas, 30 N Gould St, Ste R, Sheridan, WY 82801, USA
We aim to respond to all sub-processor inquiries within 10 business days.