Subprocessors

Our guarantee

Every third-party service that processes our data is listed below, with what data it sees, where it's located, and its own compliance posture.

Subprocessors

We use the following third-party services to operate Reclaim Protocol. Each subprocessor is contractually bound to the same data protection standards we uphold, and we maintain an up-to-date record of what data each one processes, where it is located, and their own compliance posture.

aws

Amazon Web Services

Cloud infrastructure (compute, storage, databases)

Data processed

Session metadataProof dataEncrypted logs

Location

IN (ap-south-1), EU (eu-north-1)

Compliance

SOC 2ISO 27001GDPRHIPAA

Google Cloud Platform

TEE confidential compute. Both TEE_K and TEE_A run as attested Docker images.

Data processed

TLS session keys (TEE_K, never leaves enclave)AEAD authentication tags (TEE_A)Docker image attestation hashes

Location

Prod cluster: IN (asia-south1) + US (us-central1). EU cluster: both in EU (europe-west).

Compliance

SOC 2ISO 27001GDPR

Firebase (Google)

Admin authentication (Google OAuth)

Data processed

Admin emailOAuth tokens

Location

Compliance

SOC 2ISO 27001GDPR

Anthropic

AI analysis for PII, security, and whitepaper checks

Data processed

Source code snippetsSession log samples (PII audit only)

Location

Compliance

SOC 2

GitHub

Source code hosting and Dependabot supply-chain alerts

Data processed

Source codeDependency vulnerability alerts

Location

Compliance

SOC 2ISO 27001GDPR

Firebase App Hosting

Hosting for the Trust Portal (runs on Google Cloud Run under the hood)

Data processed

HTTP request logsBuild artifacts

Location

GCP (asia-southeast1)

Compliance

SOC 2ISO 27001GDPR

Slack

Internal alert notifications (admin only)

Data processed

Alert summaries (no end-user data)

Location

Compliance

SOC 2ISO 27001GDPR