Sub-processor List
Last updated: 14 June 2026 · Effective: 14 June 2026
1. Purpose and Scope
1.1 Purpose
This Sub-processor List and Management Policy (this "Policy") identifies the third-party sub-processors that Athena Agentic, Inc. ("Athena Agentic", "we", "us", or "our") engages to process Personal Data in connection with the Athena Agentic Platform and the Aegis, Vigil, and Citadel services (collectively, the "Platform") and our website at athenaagentic.com (the "Website"). It also describes how we select, vet, contract with, and oversee those sub-processors, and how we notify customers of changes and honour their right to object.
1.2 What is a sub-processor
A "sub-processor" is a third party engaged by Athena Agentic (in our capacity as a data processor) to process Customer Personal Data on our behalf in order to provide the Platform. This includes, for example, infrastructure-as-a-service, application hosting, managed database, transactional email, error and performance monitoring, analytics, and customer-relationship-management providers, to the extent they process Personal Data on our behalf.
For clarity:
- A sub-processor is distinct from a service provider that we engage as an independent data controller for our own business purposes, and from third parties to whom a customer directly instructs disclosure.
- Where Athena Agentic acts as an independent data controller (for Website, prospect, marketing, and job-applicant data, as described in the Privacy Policy), the third parties we use are our service providers / processors rather than sub-processors of a customer. For transparency, this Policy also identifies the providers that support the Website and our controller-side processing, and indicates in the table which surface each provider supports.
1.3 Relationship to the DPA and Privacy Policy
- This Policy supplements, and must be read together with, the executed Data Processing Agreement (DPA) between Athena Agentic and the relevant customer, the applicable Customer Agreement, and the Athena Agentic Privacy Policy.
- The legally binding obligations governing sub-processing, including the general authorisation, notice period, objection rights, and audit rights, are set out in the DPA. In the event of any conflict between this Policy and the executed DPA, the DPA controls.
- This Policy also operationalises the Sub-Processor Management commitments in the Athena Agentic Data Processing and International Transfers Framework (Section 5 of that document).
- Capitalised terms not defined in this Policy (including "Customer Data", "Customer Content", "Platform Data", "Telemetry Data", and "Personal Data") have the meanings given in the Privacy Policy and/or the applicable DPA.
2. How We Engage Sub-processors
Before engaging any sub-processor that will process Customer Personal Data, and on an ongoing basis thereafter, Athena Agentic applies the following controls.
2.1 Due diligence and vetting
- Risk-based assessment of the prospective sub-processor's data-protection and information-security posture, proportionate to the nature, scope, and sensitivity of the Personal Data involved.
- Review of independent assurances where available, such as SOC 2 Type II, ISO/IEC 27001, ISO/IEC 27701, or comparable certifications, audit reports, and penetration-test summaries.
- Assessment of the sub-processor's sub-processing chain, data-residency options, retention and deletion practices, breach-notification commitments, and support for data-subject-rights assistance.
- Evaluation of the location(s) of processing and the availability of valid international transfer mechanisms (see Section 4).
2.2 Contractual data-protection terms (flow-down)
Each sub-processor that processes Customer Personal Data is engaged under a written agreement (a data processing agreement or equivalent terms) that imposes data-protection obligations at least as protective as those imposed on Athena Agentic under applicable law and the customer DPA, consistent with Article 28(4) GDPR. These obligations include requirements to:
- process Personal Data only on documented instructions and solely for the authorised purposes of providing the relevant service;
- implement appropriate technical and organisational security measures;
- ensure that personnel authorised to process Personal Data are bound by confidentiality;
- comply with applicable international transfer requirements (including SCCs / UK IDTA where applicable);
- notify Athena Agentic of any actual or suspected Personal Data breach without undue delay;
- assist Athena Agentic in responding to data-subject requests and in meeting our security, breach-notification, and impact-assessment obligations;
- not engage further sub-processors without equivalent flow-down obligations and appropriate authorisation; and
- delete or return Personal Data at the end of the engagement and submit to audits or inspections.
2.3 Security review and ongoing oversight
- New sub-processors that handle Customer Personal Data are subject to a security review before production use, and to periodic re-assessment thereafter.
- We maintain internal records of our sub-processors as part of our Records of Processing Activities (Article 30 GDPR).
- Where a sub-processor materially fails to meet its data-protection or security obligations, Athena Agentic will take appropriate remedial action, which may include suspension, remediation requirements, or replacement of the sub-processor.
3. Notice of Changes and Right to Object
Athena Agentic engages sub-processors under a general written authorisation in accordance with Article 28(2) and Article 28(4) GDPR (and equivalent provisions of the UK GDPR and other applicable laws), subject to the notice and objection rights described below and as further set out in the applicable DPA.
3.1 We maintain this list
- Athena Agentic maintains this Sub-processor List and updates it when sub-processors that process Customer Personal Data are added, replaced, or removed.
- The current list is available to customers, including upon request, at Privacy@athenaagentic.com.
3.2 Subscribing to updates
- Customers may subscribe to notifications of changes to this list by emailing Privacy@athenaagentic.com with the subject line "Sub-processor Updates", including the customer/account name and a notification email address.
- Subscribed customers will receive advance notice of new or replacement sub-processors as described below.
3.3 Advance notice of new or replacement sub-processors
- We will provide [e.g. 30] days' advance notice before authorising any new or replacement sub-processor to begin processing Customer Personal Data, except where a shorter period is required to respond to an emergency, a security incident, or a legal or regulatory obligation, in which case we will provide notice as soon as reasonably practicable.
- Notice will be provided through the mechanism specified in the applicable DPA and/or by updating this list and notifying subscribed customers under Section 3.2.
3.4 Right to object and resolution
- A customer may object, on reasonable data-protection grounds, to a new or replacement sub-processor by notifying us at Privacy@athenaagentic.com within the notice period specified in the applicable DPA (for example, within the [e.g. 30]-day notice window).
- Upon a timely, good-faith objection, the parties will work together in good faith to resolve the objection, which may include Athena Agentic offering a commercially reasonable alternative, additional safeguards, or a configuration that avoids use of the objected-to sub-processor for the objecting customer's Customer Personal Data, where feasible.
- If the parties are unable to reach a resolution within the period specified in the DPA, the customer may, as its sole and exclusive remedy, terminate the affected portion of the services that cannot be provided without the objected-to sub-processor, in accordance with the termination provisions of the applicable Customer Agreement and DPA.
- Absent a timely objection, the customer is deemed to have authorised the new or replacement sub-processor.
4. International Transfers
- Several sub-processors are located in, or may process Personal Data in, the United States or other countries outside the EEA, the UK, and other jurisdictions with cross-border-transfer restrictions.
- Where a sub-processor processes Personal Data originating from the EEA in a country without an adequacy decision, transfers are made under the EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914), using the appropriate module (including Module 2, Controller to Processor and Module 3, Processor to Processor, as applicable), together with a Transfer Impact Assessment (TIA) and any supplementary measures identified.
- Where a sub-processor processes Personal Data originating from the United Kingdom, transfers are made under the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, together with a Transfer Risk Assessment (TRA).
- For Personal Data subject to PIPEDA / provincial Canadian laws and the Australian Privacy Act 1988 (Cth), equivalent-protection contractual obligations are imposed on recipients, consistent with the Data Processing and International Transfers Framework.
- Where an adequacy decision covers the destination country, Athena Agentic may rely on that decision in lieu of SCCs or the UK IDTA.
- A copy of the applicable transfer safeguards is available on request at Privacy@athenaagentic.com.
5. Current Sub-processors
The following table lists the sub-processors and key service providers that Athena Agentic currently engages. Rows marked [to be confirmed] are placeholder categories that Athena Agentic must complete and verify before publication; they identify provider categories that are likely required but are not yet confirmed in the current stack.
The "Applies to" column indicates which surface each provider supports: Website, Platform, and/or Customer Data (i.e., whether the provider may process Customer Personal Data on our behalf as a sub-processor).
| Sub-processor | Service / Purpose | Processing Location | Applies to |
|---|---|---|---|
| Vercel, Inc. | Application hosting, content delivery network (CDN), and edge compute / serverless functions for the Website and Platform front-end and API layer | United States | Website; Platform; Customer Data |
| Neon, Inc. | Managed PostgreSQL database hosting and storage for application and Customer Data | United States | Website; Platform; Customer Data |
| [to be confirmed], Transactional / email delivery provider | Transactional and operational email delivery (e.g., account, authentication, notification, and system emails) | [to be confirmed] | Website; Platform |
| [to be confirmed], Error / performance monitoring provider | Application error tracking, performance monitoring, and observability | [to be confirmed] | Website; Platform |
| [to be confirmed], Privacy-preserving analytics provider | Privacy-preserving website and product analytics (aggregate usage, no cross-context behavioural advertising) | [to be confirmed] | Website |
| [to be confirmed], CRM provider | Customer-relationship-management and sales/marketing-contact management (prospect, inquiry, and customer-contact data) | [to be confirmed] | Website |
| [to be confirmed], Underlying cloud infrastructure (IaaS) provider(s) | Underlying cloud infrastructure-as-a-service (e.g., AWS / GCP) on which the above platform-layer providers may operate | [to be confirmed] | Platform; Customer Data |
6. Infrastructure and Underlying Providers
- Some of the sub-processors listed above operate their services on top of underlying cloud infrastructure providers (for example, hyperscale infrastructure-as-a-service platforms). Those underlying providers may, in turn, process Personal Data as further sub-processors of the listed sub-processor.
- Athena Agentic requires its sub-processors to maintain equivalent data-protection flow-down obligations with their own sub-processors, consistent with Section 2.2 and Article 28(4) GDPR.
- The identity and processing locations of underlying infrastructure providers are determined in part by the configuration and regional deployment choices of the listed sub-processors. Where Athena Agentic has confirmed the relevant underlying provider, it is identified in the table in Section 5 (including the [to be confirmed] underlying-cloud row).
7. Affiliates
- Athena Agentic may use its affiliates (entities that control, are controlled by, or are under common control with Athena Agentic, Inc.) to support the provision, operation, support, and security of the Platform and Website.
- Where an affiliate processes Customer Personal Data on our behalf, that affiliate is treated as a sub-processor under this Policy and is bound by intra-group data-protection terms (including, where applicable, intra-group SCCs / UK IDTA) that impose obligations at least as protective as those in the applicable customer DPA.
- Affiliates that process Customer Personal Data are subject to the same notice-and-objection process described in Section 3.
8. Contact
For sub-processor inquiries, to subscribe to sub-processor change notifications, to lodge an objection to a new or replacement sub-processor, or to request a copy of applicable transfer safeguards or sub-processor agreements:
Email: Privacy@athenaagentic.com
Subject: Sub-processor Inquiry
For contractual or legal questions regarding sub-processing, the DPA, or this Policy:
Email: Legal@athenaagentic.com
Source of truth: /docs/legal/SubProcessors.md