Sub-processor List
CrossCheck AI — A Platilus Product
This document lists all third-party sub-processors that may process personal data on behalf of CrossCheck AI users. We provide at least 30 calendar days' notice before adding a new sub-processor. Updates are published at this URL.
For privacy inquiries: [email protected].
Infrastructure Sub-processors
| Sub-processor | Purpose | Data Processed | Hosting Location | DPA / Transfer Mechanism |
|---|---|---|---|---|
| Supabase Inc. | Database (PostgreSQL), Authentication (OTP-based email sign-in) | Account data, session metadata, encrypted API credentials | AWS us-east-1 (USA) | Supabase DPA + SCCs |
| Railway Corp. | Application hosting (Docker runtime) | Request data in transit; not persisted by Railway | USA | Railway DPA + SCCs |
| Cloudflare Inc. | CDN, DNS, DDoS protection, TLS termination, R2 file storage (when applicable) | Request headers, IP addresses (edge processing), uploaded files | Global edge network | Cloudflare DPA + EU-US DPF |
| Functional Software Inc. (Sentry) | Error tracking and monitoring | Error logs (may contain truncated request context) | USA | Sentry DPA + SCCs |
AI Model Providers
In BYOK mode, your verification request is processed by AI providers you select using your own API keys. In Hosted mode (currently restricted to selected beta administrators), the Service uses our credentials. In both modes, task text passes through our server for verification orchestration.
| Sub-processor | Models | Data Processed | Hosting Location | DPA / Transfer Mechanism | Data Retention by Provider |
|---|---|---|---|---|---|
| Anthropic PBC | Claude Opus 4.6, Claude Sonnet 4.6, Claude Haiku 4.5 | Task text, AI responses | USA (AWS/GCP) | Anthropic DPA + SCCs + EU-US DPF | Zero retention on API; no training on API data |
| OpenAI Inc. | GPT-5.3, GPT-5, GPT-4o | Task text, AI responses | USA (Microsoft Azure) | OpenAI DPA + SCCs + EU-US DPF | Zero retention on API by default |
| Google LLC | Gemini 2.5 Pro, Gemini 2.5 Flash | Task text, AI responses | USA / EU (GCP, Frankfurt option available) | Google Cloud DPA + EU-US DPF | Per Google AI API Terms |
| Microsoft Corp. (Azure) | DeepSeek R1 (Microsoft-hosted) | Task text, AI responses | EU (West Europe) | Microsoft Online Services DPA | Per Azure AI Service terms |
| Mistral AI | Mistral Large, Mistral Medium | Task text, AI responses | EU (France) | Mistral DPA + SCCs | Zero retention on API |
Note on PRC-origin models: Some models (e.g., DeepSeek R1) were developed by companies headquartered in the People's Republic of China. When accessed through Microsoft Azure or Amazon Web Services, data is processed by Microsoft / Amazon, not by the original developer. Data remains in EU/US jurisdiction and is covered by the hosting provider's DPA.
Prohibited direct endpoints: Direct API connections to AI providers headquartered in jurisdictions without adequate data protection are prohibited. See Privacy Policy §7.2 for the full list.
Website Analytics and Forms (platilus.com)
These sub-processors operate only on the marketing website at platilus.com. They are not used by the verification application at dev.platilus.com (or future app.platilus.com).
| Sub-processor | Purpose | Data Processed | Hosting Location | DPA / Transfer Mechanism |
|---|---|---|---|---|
| Plausible Insights OÜ | Cookieless privacy-friendly website analytics | Aggregate page views, referrers, country-level location (cookieless, no personal data, no individual identification) | EU (Estonia / Germany) | Plausible DPA — N/A for personal data (privacy-by-design) |
| Formspree Inc. | Email signup form processing on platilus.com | Email address, UTM parameters, page submitted from, A/B variant cookie value | USA | Formspree DPA + SCCs |
Payment Processing
Not currently active. When payment is introduced (post-beta), we will add the payment processor (likely Stripe Inc.) here with at least 30 calendar days' prior notice.
Sub-processors NOT Used
For transparency, we confirm that CrossCheck AI does not use:
- Google Analytics, Google Tag Manager, or any Google advertising tracking
- Facebook Pixel, Meta tracking, or any social media tracking pixels
- PostHog, Hotjar, Clarity, FullStory, or other session recording / behavioral analytics tools
- Direct API connections to AI providers headquartered in jurisdictions without EU adequacy decisions (per the prohibited endpoints list in our Privacy Policy §7.2)
- Advertising networks or data brokers
- Third-party AI training: none of our sub-processors use API data for model training
Change Notification
We provide at least 30 calendar days' written notice before any addition to the sub-processors list. Updates are published on this page. Customers with a Data Processing Agreement also receive email notification — to receive notifications, ensure your DPA contact email is current.
Recent changes:
| Date | Change |
|---|---|
| 2026-04-26 | Aligned with current production state. Added Plausible Analytics and Formspree (used on platilus.com landing site, previously not documented). Added DPA links to all entries. Added Mistral AI to AI providers list. Removed mention of "first-session notice" feature (planned, not implemented). Updated Microsoft DPA link. |
| 2026-03-31 | Initial published version. |
Contact
- Privacy and data protection inquiries: [email protected]
- Mailing address: D. Agmashenebeli Avenue, N 177, Floor 1, Apartment N5, Kobuleti district, Georgia
This page is referenced from Privacy Policy §7.