Subprocessor register
Who we rely on, and what they see
These are the third parties that may process your data on our behalf. Each operates under a data processing agreement. We update this register before adding any new subprocessor.
² Policy codes
ZDRZero Data Retention — no prompt stored after processing
no-logOnly operational metadata recorded
no-trainData not used for model training
DPACovered by Data Processing Agreement
AES-256Encrypted at rest
A Path A request makes two hops — from us to OpenRouter, then from OpenRouter to the chosen model provider (Anthropic, OpenAI, or Google). With ZDR-only routing enforced, neither hop retains your prompt content: OpenRouter logs only operational metadata, and requests reach solely the provider endpoints that store nothing and never train on your data.
OpenRouter is our current routing layer because it provides a single integration point to ZDR-capable endpoints across multiple providers. We could equally connect directly to Anthropic, OpenAI, or Google under their respective enterprise ZDR agreements — or use the Ollama API, whose endpoints are zero-retention by default. Note that Ollama operates in two distinct modes: as a hosted API endpoint (Path A, ZDR) and as a fully local model server running on a private GPU (Path B, no external connection at all). The privacy guarantee across all Path A options is identical. If your agreement requires a direct relationship with a specific provider, we can accommodate that.
The local model is not a subprocessor
When you choose Path B, analysis runs on a model hosted on dedicated hardware inside the trust boundary. No third party processes your data, so there is no subprocessor to list for that step — that is the entire point of the option.