Sub-Processors List

DRAFT - REQUIRES LEGAL REVIEW

Last Updated: March 7, 2026

SMK SOFTWARE LLC ("GuardLane") uses the following third-party service providers (sub-processors) to process data on behalf of our customers. This list is maintained in compliance with GDPR Article 28.

Note on AI Sub-Processors: All AI sub-processors receive source code and repository metadata solely for the purpose of security analysis. Data is not used for training purposes under our agreements.

Current Sub-Processors

Sub-Processor Details

Firebase (Google)

• Entity: Google LLC
• Location: United States (Mountain View, CA)
• Service: Firebase Authentication
• Data Processing: Firebase processes user authentication data including email addresses, hashed passwords, and session tokens. Multi-factor authentication data (TOTP secrets) is also processed when enabled by users.
• Data Transfer Mechanism: EU Standard Contractual Clauses (SCCs)
• Adequacy Status: No EU adequacy decision for the United States; SCCs in place
• Certifications: SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018

Paddle

• Entity: Paddle.com Market Ltd
• Location: United Kingdom
• Service: Payment processing and subscription management
• Data Processing: Paddle acts as the Merchant of Record and processes billing information, payment card data, and transaction records. Paddle handles all PCI DSS compliance requirements as the merchant of record.
• Data Transfer Mechanism: EU Standard Contractual Clauses (SCCs)
• Adequacy Status: UK has EU adequacy decision
• Certifications: PCI DSS Level 1

Anthropic

• Entity: Anthropic, PBC
• Location: San Francisco, United States
• Service: AI model inference for security audit analysis (Claude Opus 4.6, Claude Sonnet 4.6)
• Data Processing: Source code and repository metadata are sent to Anthropic's API for multi-model security analysis. Data is not used for model training under our API agreement.
• Data Transferred: Source code submitted for audit, repository metadata
• Data Transfer Mechanism: EU Standard Contractual Clauses (SCCs)
• Adequacy Status: No EU adequacy decision for the United States; SCCs in place
• Privacy/DPA Link: Anthropic Privacy Policy

OpenAI

• Entity: OpenAI, LLC
• Location: San Francisco, United States
• Service: AI model inference for security audit analysis (GPT via GitHub Copilot/Codex)
• Data Processing: Source code and repository metadata are sent to OpenAI's API (via GitHub Copilot/Codex integration) for multi-model security analysis. Data is not used for model training when using the API (per OpenAI's data usage policies).
• Data Transferred: Source code submitted for audit, repository metadata
• Data Transfer Mechanism: EU Standard Contractual Clauses (SCCs)
• Adequacy Status: No EU adequacy decision for the United States; SCCs in place
• Privacy/DPA Link: OpenAI Privacy Policy
• Certifications: SOC 2 Type II

Google (Gemini)

• Entity: Google LLC
• Location: Mountain View, United States
• Service: AI model inference for security audit analysis (Gemini 3.1 Pro via Copilot)
• Data Processing: Source code and repository metadata are sent to Google's Gemini API (via Copilot integration) for multi-model security analysis. Data is not used for model training under our API agreement.
• Data Transferred: Source code submitted for audit, repository metadata
• Data Transfer Mechanism: EU Standard Contractual Clauses (SCCs)
• Adequacy Status: No EU adequacy decision for the United States; SCCs in place
• Privacy/DPA Link: Google Privacy Policy
• Certifications: SOC 2 Type II, ISO 27001

Zhipu AI / z.ai

• Entity: Zhipu AI (Beijing Zhipu Huazhang Technology Co., Ltd.)
• Location: Beijing, People's Republic of China
• Service: AI model inference for security audit analysis (GLM-5)
• Data Processing: Source code and repository metadata are sent to Zhipu AI's API for multi-model security analysis. Data is not used for model training under our API agreement.
• Data Transferred: Source code submitted for audit, repository metadata
• Data Transfer Mechanism: EU Standard Contractual Clauses (SCCs)
• Adequacy Status: No EU adequacy decision for China
• Privacy/DPA Link: Zhipu AI Privacy Policy

Important Notice Regarding Zhipu AI: Zhipu AI is based in the People's Republic of China. China does not have an EU adequacy decision. Data transfers occur under Standard Contractual Clauses. EU customers should be aware their code may be processed in China.

Railway (Brex Inc.)

• Entity: Brex Inc.
• Location: San Francisco, United States
• Service: Cloud hosting (backend, frontend, PostgreSQL, Redis)
• Data Processing: Railway hosts the GuardLane application infrastructure including backend API servers, frontend web application, PostgreSQL database, and Redis cache. All application data passes through or is stored on Railway infrastructure.
• Data Transferred: All application data (user accounts, source code during processing, audit results, database contents)
• Data Transfer Mechanism: EU Standard Contractual Clauses (SCCs)
• Adequacy Status: No EU adequacy decision for the United States; SCCs in place
• Privacy/DPA Link: Railway Privacy Policy

Resend (Resend Inc.)

• Entity: Resend Inc.
• Location: San Francisco, United States
• Service: Transactional email delivery
• Data Processing: Resend delivers transactional emails on behalf of GuardLane, including account verification, password resets, audit completion notifications, and other service communications.
• Data Transferred: User email addresses, notification content
• Data Transfer Mechanism: EU Standard Contractual Clauses (SCCs)
• Adequacy Status: No EU adequacy decision for the United States; SCCs in place
• Privacy/DPA Link: Resend Privacy Policy

Change Notification Policy

We will notify our customers at least 30 days in advance of:

• Adding new sub-processors
• Making material changes to existing sub-processor arrangements
• Changing data processing locations

Customers may object to the use of a new or replacement sub-processor by contacting us at support@guardlane.io within the notification period.

Objection Process

1. Upon receiving an objection, we will make reasonable efforts to address the customer's concerns.
2. If the objection cannot be resolved, the customer may terminate the affected services without penalty.
3. We will not engage the objected-to sub-processor for processing the objecting customer's data until the matter is resolved.

Data Protection Measures

All sub-processors are required to:

• Implement appropriate technical and organizational measures to protect personal data
• Process data only in accordance with our documented instructions
• Ensure that personnel authorized to process personal data are bound by confidentiality obligations
• Assist with data subject rights requests
• Delete or return all personal data upon termination of the service relationship
• Make available all information necessary to demonstrate compliance with GDPR Article 28 obligations
• Allow for and contribute to audits conducted by us or an auditor mandated by us

Contact Information

For questions about our sub-processors or data processing practices:

Data Protection Officer: Mikhail Kuznetsov Email: support@guardlane.io Address: 38 Shengavit Street, Apartment 8, Shengavit District, 0050 Yerevan, Armenia

Related Documents

• Privacy Policy
• Data Processing Agreement
• Cookie Policy
• Terms of Service