Sub-processors
Last updated: April 28, 2026 (v1.0)
This page discloses every third-party processor ARD Sentinel™ engages to provide the Service. We update this list 30 days before adding a new sub-processor, with notification by email + dashboard banner.
Customers under our DPA may object to new sub-processors per DPA Section 4. Email privacy@ardsentinel.com to raise an objection.
Hosting & infrastructure
- Google Cloud Platform — Firestore, Cloud Storage, Cloud Run, Cloud Functions, Vertex AI
Data location: EU (Frankfurt) · Mechanism: DPA + intra-EU
- Firebase (Google) — Authentication, Hosting
Data location: EU + US transit · Mechanism: EU-US DPF + SCCs
AI & analytics
- Anthropic — Claude API (text classification, notice generation)
Data location: USA · Mechanism: EU-US DPF (certified)
- Hive AI — AI text detection
Data location: USA · Mechanism: SCCs (Module 2) + DPA
- Sightengine — Photo forensics
Data location: France (EU) · Mechanism: Intra-EU + DPA
Web scraping (review collection)
- Outscraper — Google Maps, TripAdvisor, Yelp scraping
Data location: USA · Mechanism: SCCs (Module 2) + DPA
- Apify — Discovery scrape (Google Maps, TripAdvisor)
Data location: EU + US options · Mechanism: SCCs (Module 2) + DPA
- DataForSEO — Backup search/review API
Data location: USA · Mechanism: SCCs (Module 2) + DPA
- SerpAPI — Search engine results
Data location: USA · Mechanism: SCCs (Module 2) + DPA
Communications
- SendGrid (Twilio) — Transactional email
Data location: EU (Dublin) · Mechanism: Intra-EU + DPA
Payments
- Stripe — Payments, billing portal
Data location: EU + US · Mechanism: EU-US DPF + SCCs fallback
Evidence & storage
- ScreenshotOne — Web page screenshots for evidence
Data location: USA · Mechanism: SCCs (Module 2)
Selection criteria
We evaluate every potential sub-processor against:
- Legal basis for transfers — DPF certification OR signed SCCs
- DPA in place — standard contractual data-protection clauses
- Security certifications — ISO 27001, SOC 2 Type II preferred
- EU presence or DPF — mandatory for processing PII at scale
- Track record — no major publicly disclosed breaches in the last 3 years
- Sub-sub-processor transparency — their own list available
Schrems II supplementary measures
For US-based sub-processors we apply EDPB Recommendation 01/2020 supplementary measures:
- TLS 1.3 in transit + AES-256 at rest (technical)
- Sub-processor obligation to challenge any government access request (contractual)
- Right to terminate sub-processor if surveillance order received (organizational)
How to object to a new sub-processor
Per our DPA Section 4:
- Email privacy@ardsentinel.com within 30 days of new sub-processor notification
- State the specific objection (e.g. GDPR risk, data sovereignty preference)
- We will either address the objection or allow you to terminate without penalty
Contact
Questions about sub-processors: privacy@ardsentinel.com
Customers under DPA may request executed copies of sub-processor agreements via authenticated support ticket.