/security/subprocessors enumerates every vendor that may process Kodori customer data. As of 2026-04-26 there are 11: Vercel, Neon, Cloudflare, Anthropic, OpenAI, Resend, Stripe, Inngest, WorkOS, Google, Microsoft.
Each vendor entry covers:
- **Purpose** — what Kodori uses them for, in plain language. - **What they see** — concrete data flow, not hand-waving. (Anthropic sees agent prompts; OpenAI sees chunked text only at embed time; Stripe never sees document content; etc.) - **Region** — where the primary infrastructure runs. - **Compliance** — SOC 2 / ISO 27001 / HIPAA-eligibility claims, each with a link to the vendor's trust center.
Why this exists:
1. **GDPR Article 28** requires a sub-processor list with the contractual right to object before changes land. Our DPA enumerates this; the page is the canonical living version. 2. **Mid-market security reviews** specifically request a sub-processor list as part of CAIQ-LITE / SIG-CORE responses. The page is structured so a buyer's security team can copy-paste it. 3. **HIPAA BAA chain** matters for healthcare prospects. We pre-selected vendors with HIPAA-tier offerings (Neon, Cloudflare R2, Anthropic, Vercel) so the BAA chain is contiguous from Day 1 of that work.
Change policy:
- **30-day written notice** before any new sub-processor is added or an existing one swapped (notice goes via email to every workspace owner + page update with an "Last updated" date). - **Vendor selection criteria**: SOC 2 Type II minimum (or equivalent ISO 27001), HIPAA-eligibility hard-required for the BAA chain. - **Data-residency variants** (EU / non-US) available on request as a per-tenant deployment configuration, not a shared-infrastructure setting.
For the executable DPA, the signed PDF version of this list, or the pre-filled CAIQ-LITE questionnaire — email security@kumokodo.ai with your firm name.