1. What this page is
This page is the binding sub-processor list referenced from the Data Processing Addendum and from the Terms of Service. It is updated whenever a sub-processor is added, replaced or removed. Changes affecting customer-tenant data are notified to customers in advance per the change-notification commitment below.
All Secruna customer tenant data is stored in Microsoft Azure Sweden Central and never leaves the European Union. Sub-processors that are headquartered outside the EU are engaged only under EU Standard Contractual Clauses.
2. Sub-processor list
The table below covers every sub-processor that touches customer-tenant data or that supports Secruna’s ability to deliver the Service (for example, GitHub, which holds employee identity but no customer PII and is flagged as a corporate-only processor).
| Name | Purpose | Data categories | Region | SCCs | Audit reports | Scope |
|---|---|---|---|---|---|---|
| Anthropic, PBC | Inference for the extractor LLM used in classification and evidence drafting. | Short metadata strings extracted from connector data (system identifiers, configuration snippets). Outputs: classification rationale text. No raw customer datasets are sent. | Anthropic data centres in the United States with EU regional inference where available. | Yes — Anthropic Standard Contractual Clauses (2023). | SOC 2 Type II reported by Anthropic; verify current report at execution. | Customer data |
| Microsoft Azure (Microsoft Ireland Operations Ltd) | Hosting (Container Apps), Postgres Flexible Server, Redis, Key Vault, Container Registry, Log Analytics. | All customer tenant data, audit logs, evidence pack PDFs, configuration metadata. | Sweden Central exclusively. West Europe configured only as a documented failover region. | Covered under the Microsoft Online Services DPA and Microsoft EU Data Boundary commitments. | SOC 2, ISO 27001, ISO 27018, EU Cloud Code of Conduct (per Microsoft public attestations). | Customer data |
| Amazon Web Services EMEA SARL | Cross-cloud read access via STS for the AWS connector and S3 storage for the marketing-mockup site. | AWS customer credentials (read-only role assumption) used by the connector. No customer PII is stored in AWS. | eu-central-1 (Frankfurt) and eu-west-1 (Ireland) where applicable. | Yes — covered under the AWS GDPR DPA. | SOC 2, ISO 27001 (per AWS public attestations). | Customer data |
| Functional Software, Inc. (Sentry) | Error monitoring and performance tracing. | Stack traces and redacted request paths. Auth headers, cookies and request bodies are stripped client-side and server-side before transmission. No customer data of data subjects is sent. | Sentry EU instance (Frankfurt). | Yes — Sentry DPA with Standard Contractual Clauses. | SOC 2 Type II reported by Sentry; verify current report at execution. | Customer data |
| Amazon CloudFront (AWS EMEA SARL) | CDN delivery of static assets for the marketing site and the dashboard frontend. | No customer tenant data. Network-layer IP addresses for cache routing. | Global edge with origin in the EEA. | Covered under the AWS GDPR DPA. | Same as AWS (SOC 2, ISO 27001). | Customer data |
| GitHub, Inc. | Source code hosting, CI/CD pipelines and employee identity (Entra-linked). | Employee identifiers and repository metadata only. Does not process customer tenant data or customer PII. | GitHub data centres (United States with EU routing). | Yes — GitHub DPA with Standard Contractual Clauses. | SOC 2 Type II (per GitHub public attestations). | Corporate only |
3. Categories of data
The sub-processors above split into two clear groups by what data they touch:
- Customer-tenant data — Microsoft Azure (the entirety of customer data sits here in Sweden Central); Anthropic (short metadata strings only, never raw customer datasets); AWS (read-only credentials for cross-cloud connector reads; no customer PII stored); CloudFront (no customer data, only network-layer IPs for cache routing); Sentry (stack traces and redacted paths, no customer data of data subjects).
- Corporate-only data — GitHub holds Secruna employee identifiers and repository metadata. It is included here for transparency; it does not have, and is not contractually permitted to receive, customer PII.
4. Change notification
Secruna provides at least 30 days’ advance notice before adding or replacing a sub-processor that handles customer-tenant data. Notice is delivered by:
- Email to the customer’s designated privacy or procurement contact, and
- An updated entry on this page.
Customers may object on reasonable data-protection grounds within the 30-day window. If we cannot accommodate the objection, the affected subscription may be terminated for cause without penalty.
5. Subscribe to change notifications
Subscription tooling is in build-out. For the moment, please check this page, or drop a note to privacy@secruna.com and we will add you to the notification list manually.
6. Audit reports
The audit and certification references above reflect the attestations the listed vendors publish themselves. Customers performing their own vendor due-diligence are encouraged to obtain the latest copies directly from the vendor or under NDA via the vendor’s trust portal. Secruna does not redistribute third-party audit reports.