Legal · Subprocessors

Subprocessors

Last updated: May 25, 2026

A "subprocessor" is a third party that processes customer data on our behalf to help us deliver the Service. We choose subprocessors that meet our security and privacy expectations, and we sign data-protection agreements with each one. We will give at least 14 days' notice in-app and by email before adding a new subprocessor.

None of the subprocessors below use your data to train their own AI models. Anthropic is explicit about this in its commercial terms; the others are infrastructure providers that do not perform AI training at all.

Current subprocessors

Subprocessor	Purpose	Data processed	Region	Compliance
WorkOS	User authentication & identity (Google / Microsoft / SAML SSO).	Email, name, profile picture URL.	US	SOC 2 Type II GDPR
Anthropic	Large-language-model inference for skill extraction and classification.	Message text we send for extraction; never used for model training.	US	SOC 2 Type II No training
Supabase	Managed Postgres database; row-level storage of tenants, skills, audit logs.	All workspace content. Encrypted at rest.	US	SOC 2 Type II HIPAA-capable
Render	Application hosting for the CrossLayer API.	Request payloads in memory; operational logs.	US (Oregon)	SOC 2 Type II
Vercel	Hosting for the marketing site and React SPA.	Static assets, request metadata. No customer workspace content.	Global edge	SOC 2 Type II
Slack Technologies	Source of conversational data; OAuth provider.	Messages from channels you've invited the bot to; team metadata.	US	SOC 2 Type II ISO 27001
GitHub	Optional integration; OAuth provider.	Repository metadata and files you explicitly grant access to.	US	SOC 2 Type II
Cloudflare	DNS, edge TLS termination, DDoS protection.	Request metadata (IP, user-agent). No payload bodies stored.	Global edge	SOC 2 Type II ISO 27001

How to be notified of changes

We will notify all customer workspace admins in-app and by email at least 14 days before adding or replacing a subprocessor. If you want a direct notification channel, email privacy@crosslayer.ai and we will add you.

Objection right

If you object to a new subprocessor on reasonable security or privacy grounds, contact us within 14 days of notice. We will work in good faith to resolve the concern and, if we cannot, you may terminate the affected portion of the Service and export your data without penalty.

Contact

Subprocessor questions: privacy@crosslayer.ai.