Sub-Processors
We list every sub-processor with the geography per row, the function each one performs, and the legal mechanism that authorises the data flow. The table below is the page; the rest is what we operate around it. No "industry-leading" claims, no certifications without scope, no pen-test boasts without a vendor and a date.
What we ship
Adjudon is a SaaS-only Decision Audit Layer hosted in Frankfurt
(eu-central-1). Every customer integration crosses one HTTPS call to
api.adjudon.com; the trace lands at the Fly.io Frankfurt edge,
passes through PII scrubbing, the Confidence Engine, and the Policy
Engine, and is appended to a tamper-evident SHA-256 hash chain in
MongoDB Atlas Frankfurt. The sub-processors below are every external
service that touches that data path or supports it operationally.
Sub-processors
| Sub-processor | Region | Function | Transfer mechanism | Status |
|---|---|---|---|---|
| MongoDB Atlas | Frankfurt (eu-central-1), Germany | Primary database; trace + chain + audit storage | EU-internal | Required |
| Fly.io | Frankfurt, Germany | API server hosting | EU-internal | Required |
| Cloudflare Pages | EU edge | Landing site, dashboard, docs CDN | EU-internal | Required |
| Stripe Payments | Ireland | Billing, metered usage, invoicing | EU-internal | Required (production) |
| Resend | EU | Transactional email (auth, notifications) | EU-internal | Required |
| OpenAI | USA | Embedding generation (Confidence Engine third pillar) | GDPR Chapter V SCCs | Opt-in per organization |
| n8n | EU | Demo-request CRM (lead pipeline only) | EU-internal | Optional, not in trace pipeline |
| Google / GitHub / Microsoft | USA / EU (per provider) | Federated login (OAuth) | Provider-specific terms | Optional, customer-side opt-in |
The OpenAI line is the one non-EU sub-processor in the trace path.
The embedding call sends only the trace's inputContext + triggeringCondition text (already PII-scrubbed) to the
text-embedding-3-small model and returns a 1,536-dimensional vector
that is stored back in MongoDB Atlas Frankfurt. No customer trace
payload is retained at OpenAI for training. The feature is opt-in
— if your organization requires strict EU-only processing,
contact [email protected] to disable it before first use.
The federated-login providers (Google, GitHub, Microsoft) sit at the authentication boundary, not in the trace pipeline. They see the authenticating user's identity, not customer trace data.
Sub-processor changes are notified in advance per GDPR Article
28(3)(d) on the timeline defined in the DPA. Contact
[email protected] for the current text.
Encryption
| Layer | Mechanism | Notes |
|---|---|---|
| At rest | AES-256 | MongoDB Atlas-managed; keys rotated on the AWS schedule; Adjudon does not hold the master key |
| In transit | TLS 1.2+ | HTTPS enforced at the Fly.io edge; plain HTTP redirects to HTTPS, then Helmet CSP applies |
| Tamper-evidence | SHA-256 | Per-org Decision Hash Chain + Operations Audit Log; replay-verifiable offline |
| PII pre-storage | Regex scrubber | Email, IBAN, credit-card, SSN, phone — before hash, before persistence |
| Backup | Atlas continuous + daily snapshots | Point-in-time recovery; specific RTO/RPO defined in the DPA per plan |
The chain is tamper-evident, not tamper-proof: any modification to
a stored entry breaks the next entry's prevHash link, and verification
returns brokenAt: <sequence>. Tampering is loud.
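The tamper-evidence property described above, as an added example that is not Adjudon's code: the hash input layout, the genesis value and every field name other than prevHash and brokenAt are assumptions, and the documented chain formula lives on the Audit Log & Security page.

```javascript
// Added example. Assumed entry layout: { sequence, prevHash, payload, hash }.
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64); // assumed prevHash for the first entry

// Assumed formula: hash = SHA-256(prevHash || sequence || JSON(payload)).
function entryHash(prevHash, sequence, payload) {
  return createHash("sha256")
    .update(prevHash)
    .update(String(sequence))
    .update(JSON.stringify(payload))
    .digest("hex");
}

// Append a payload, linking it to the hash of the current tail entry.
function append(chain, payload) {
  const prevHash = chain.length ? chain[chain.length - 1].hash : GENESIS;
  const sequence = chain.length + 1;
  const hash = entryHash(prevHash, sequence, payload);
  chain.push({ sequence, prevHash, payload, hash });
  return chain;
}

// Replay the chain offline. Returns { valid: true } or the first sequence
// whose prevHash link or recomputed hash no longer matches.
function verify(chain) {
  let expectedPrev = GENESIS;
  for (const e of chain) {
    const linkOk = e.prevHash === expectedPrev;
    const hashOk = entryHash(e.prevHash, e.sequence, e.payload) === e.hash;
    if (!linkOk || !hashOk) return { valid: false, brokenAt: e.sequence };
    expectedPrev = e.hash;
  }
  return { valid: true };
}

// Constructed sample traces, not real customer data.
function sampleChain() {
  const chain = [];
  append(chain, { decision: "approve", confidence: 0.91 });
  append(chain, { decision: "escalate", confidence: 0.42 });
  append(chain, { decision: "approve", confidence: 0.88 });
  return chain;
}
```

Editing a payload in place is caught at that entry; editing it and recomputing its own hash is caught at the next entry, whose prevHash still points at the old value. In this example the final entry has no successor, so a verifier should also compare the latest hash against an independently held copy, such as an earlier export.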
Penetration testing
We do not currently publish a third-party penetration-test report. A first independent test is planned and will be published with the vendor name and the test date once the engagement closes — see Penetration Testing for the scheduled-by date and the open-disclosure commitment.
We do not claim "battle-tested" or "industry-leading" security in the absence of that report. The chain export bundle is independently verifiable today; the pen-test report is the procurement-grade attestation we owe alongside it.
Vulnerability disclosure
Responsible-disclosure reports go to [email protected] until the
dedicated security@ channel and PGP key publish — see
Responsible Disclosure for the
disclosure policy, the safe-harbour scope, and the response-time
commitment under EU CRA Article 11 readiness.
Uptime
| Plan tier | Uptime SLO | Status |
|---|---|---|
| Sandbox | Best-effort | Free tier; no contractual SLO |
| Scale | 99.9% | Live |
| Governance | 99.9% | Live |
| Enterprise / Custom | 99.99% target | Roadmap, not live |
The 99.99% Enterprise SLO is on the roadmap and is not live today. We flag this on every page that touches the SLO claim so procurement does not arrive expecting an enforceable 99.99% commitment that does not yet exist.
What we are working on (honest)
- Penetration testing. Vendor and date TBD; the test, the report, and the remediation timeline will be published at Penetration Testing.
- SOC 2 / ISO 27001. Neither is in progress today. We do not claim certification status we do not hold.
- Dedicated [email protected] mailbox + PGP key. Coming with the responsible-disclosure programme; until then, [email protected] is the disclosure path.
- 99.99% Enterprise SLO. Target tier exists in the plan matrix but is not contractually live.
See also
- Architecture Overview — the production stack and the HTTPS boundary
- Data Residency & GDPR — the full residency picture and the DPA / Art. 28 role split
- Responsible Disclosure — the vulnerability-disclosure policy and safe-harbour scope
- Penetration Testing — the pen-test programme status and the scheduled-by date
- Audit Log & Security — the chain formula and the four-step verify algorithm