Knorra Sub-processors
Effective date: 2026-05-19
Last updated: 2026-05-15
We use a small set of trusted vendors ("sub-processors") to operate Knorra. This page lists all of them. It is kept current and is referenced by our Data Processing Agreement (in effect from full product launch).
If you're an Owner of a Knorra organisation, you'll get 30 days' advance notice by email before any new sub-processor is added or any existing one is materially changed (different region, expanded scope). To make sure you receive these notices, confirm your email is correct in your account settings.
You can object to a new sub-processor on reasonable data-protection grounds — see DPA §6.4 for the process.
A note on sub-sub-processors
This list shows our direct sub-processors only — vendors we contract with directly to operate Knorra. Those sub-processors in turn use their own infrastructure providers and sub-processors (for example, Neon hosts on AWS, Anthropic hosts on AWS, OpenAI hosts on Microsoft). Listing direct sub-processors only is the industry convention and reflects how UK GDPR Article 28 allocates responsibility — the sub-processor's own onward chain is governed by our contract with them, which requires equivalent data-protection standards. If your procurement review requires sub-sub-processor disclosure, email privacy@knorra.ai and we will share what we have on file.
Current sub-processors
| Sub-processor | What they do | Where they process | Compliance |
|---|---|---|---|
| Vercel Inc. | Two services from the same legal entity: (1) hosting our application — frontend and serverless functions; (2) AI request routing via Vercel AI Gateway with team-wide Zero Data Retention enforced | US and EU (auto-routed) | SOC 2 Type II; ISO 27001 |
| Neon Inc. | Hosting our PostgreSQL database, including vector embeddings | EU (Frankfurt) by default; UK on request for enterprise customers | SOC 2 Type II |
| Anthropic PBC | AI inference (Claude models) for analysis and reasoning, accessed via Vercel AI Gateway | US and EU | SOC 2 Type II; ZDR enforced by Vercel AI Gateway routing |
| OpenAI, LLC | AI embeddings (text-embedding-3-large) for similarity search, accessed via Vercel AI Gateway | US | SOC 2 Type II; ZDR enforced by Vercel AI Gateway routing |
| Inngest, Inc. | Background job orchestration (running scheduled and triggered detection jobs) | US (multi-region) | SOC 2 Type II |
| Resend Inc. | Transactional and notification email; double opt-in confirmation for launch-notification capture | EU | SOC 2 Type II |
| Stripe Payments Europe Ltd | Processing subscription payments (active at full product launch, not before) | UK and EU | PCI DSS Level 1; SOC 2 Type II |
| Better Stack | Service status page (status.knorra.ai) and critical incident SMS / on-call alerting | EU (Czech Republic) | SOC 2 Type II |
| Functional Software, Inc. (Sentry) | Error tracking | EU (region-selected) | SOC 2 Type II |
| Axiom Cloud Inc. | Logs and observability | EU | SOC 2 Type II |
| Cloudflare, Inc. | CDN, DNS, DDoS protection | Global edge | SOC 2 Type II; ISO 27001 |
| Google LLC (Google Workspace) | Email aliases at @knorra.ai for our staff inboxes (support@, privacy@, security@, etc.) | EU and US | SOC 2 Type II; ISO 27001 |
| Plausible Insights OÜ | Cookieless aggregate website analytics on knorra.ai | EU (Estonia / Frankfurt) | EU-based, no cookies, no cross-site tracking |
Notes
Anthropic and OpenAI: AI training
AI requests are routed through Vercel AI Gateway with team-wide Zero Data Retention enforced. This means requests reach Anthropic and OpenAI under Vercel-negotiated ZDR agreements that prohibit retention of inputs and prohibit using inputs to train models. Vercel itself does not retain prompts or outputs after request completion. This is how Knorra stays compliant with Google's Limited Use Policy for Workspace data and Microsoft's equivalent terms for Microsoft 365 data.
Stripe: payment data
We do not store full payment-card numbers. Card data is tokenised by Stripe at the point of capture and never touches our infrastructure. We see only the last four digits, the card brand, and the expiry month.
Stripe is listed for full transparency, even though Stripe processing only begins at full product launch (not at the pre-launch coming-soon phase). Including Stripe on this list now means we will not need to issue a new sub-processor notice at the moment payment processing goes live.
Cloudflare: limited processing
Cloudflare proxies our traffic and provides DDoS protection. It sees connection metadata (IP, timing, request paths) but does not store request or response bodies. Cloudflare's processing is incidental and short-duration.
Better Stack: status page + on-call
Better Stack runs the public status page at status.knorra.ai (no personal data) and the critical incident alerting that pages Knorra staff during incidents (incident metadata can include customer organisation references). Listed as a sub-processor because of the on-call function, not the status page itself.
Google Workspace: staff email only
Google Workspace hosts the @knorra.ai staff inboxes. It does not receive customer source content. It receives the contents of emails customers send us (e.g., to privacy@knorra.ai, support@knorra.ai) — which is why it is listed as a sub-processor.
Plausible: cookieless analytics
Plausible's default mode does not set cookies and does not identify individual visitors. Listed for full transparency even though Plausible operates at the lightest possible touch on personal data.
Region commitments
Default data residency for Knorra is the European Economic Area, with specific exceptions for sub-processors based outside the EEA (Anthropic, OpenAI, Inngest, parts of Vercel, Cloudflare global edge, parts of Google Workspace). UK-only data residency is available for enterprise customers as part of a bespoke contract.
International transfers are governed by the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses, and applicable data bridges. See DPA §7 for the detail.
Get notified about changes
We email Owners of every customer organisation before sub-processor changes. If you want to subscribe a non-Owner email (e.g., your privacy officer or procurement contact) to these notices, fill out the form below or email privacy@knorra.ai.
[Subscribe form rendered here at launch]
Changelog
| Date | Change | Effective |
|---|---|---|
| 2026-05-19 | Initial sub-processor list published with Knorra Phase A (coming-soon page launch) | 2026-05-19 |
Contact
Email: privacy@knorra.ai
Post: Privacy, NEXTGEN SOFTWARE LTD, 85 Great Portland Street, London, England, W1W 7LT
Company number: 14613977
ICO registration: ZC148593