Sub-Processor List
Our sub-processors
We only use sub-processors that meet our security standards. We notify customers at least 30 days before adding or changing any processor.
Our Commitment
How we manage sub-processors
Due diligence
- Every sub-processor is reviewed for security posture, data protection practices and compliance certifications before onboarding.
- We require sub-processors to sign data processing agreements under GDPR Article 28.
- Sub-processors are reassessed annually or on material change to their services.
Change notifications
- We notify customers at least 30 days before adding or changing a sub-processor.
- Customers who have entered into a DPA have the right to object to a new sub-processor.
- Notifications are sent by email and published as an update to this page.
- To register for notifications: email dpo@identityfirst.net with subject line “Sub-processor notifications”.
Current Sub-Processors
Current sub-processor list
Last updated:
| Sub-Processor | Role | Data categories processed | Location |
|---|---|---|---|
| Amazon Web Services / Microsoft Azure / GCP (customer-selected) | Cloud infrastructure hosting | All data at rest and in transit on the platform (identity records, audit logs, usage metrics, configuration) | EU or UK region (customer-selected at contract time) |
| PostgreSQL: AWS RDS / Azure Database for PostgreSQL | Relational data persistence | Identity records, audit logs, approval workflow data, tenant configuration | Same region as infrastructure selection |
| Redis: AWS ElastiCache / Azure Cache for Redis | Rate limiting and ephemeral session data | API key identifiers (hashed), session tokens, rate limit counters. No identity records stored in Redis. | Same region as infrastructure selection |
| Neo4j | Identity graph analysis | Identity relationship data (anonymised graph projections used for path analysis; no raw PII in the graph store) | Same region as infrastructure selection |
| Cognitia: Self-hosted AI inference (Ollama / Gemma3) | AI-assisted risk analysis and anomaly detection | Anonymised risk data and hashed entity identifiers. No raw PII is passed to the inference engine. Data never leaves the customer’s infrastructure boundary. | Same region as infrastructure selection; data never exported to external AI services |
| Prometheus + Grafana: Self-hosted monitoring stack | Platform health monitoring and alerting | Metrics only (request counts, latency, error rates). No personally identifiable information is exposed in metrics. | Same region as infrastructure selection |
| GitHub: GitHub, Inc. (Microsoft) | Source code repository, CI/CD pipeline | Build logs, test results, static analysis output. No customer identity data or personal data is processed in CI/CD pipelines. | GitHub global cloud infrastructure (US). No customer data is present in GitHub. |
| Sentry: Functional Software, Inc. (Sentry.io) | Error monitoring and performance tracing | Anonymised error stack traces, performance metrics, and request context. Sentry is configured with PII scrubbing enabled: usernames, email addresses, API keys, and tenant identifiers are redacted before transmission. No identity records or audit data are sent to Sentry. | Sentry cloud infrastructure (US). EU data residency option available; SaaS EU customers are routed to Sentry’s EU region. Sentry DPA |
| Stripe: Stripe, Inc. / Stripe Payments Europe Ltd | Payment processing and billing | Payment card data, billing name, billing address, and transaction records. IdentityFirst does not store payment card data — all card processing is handled exclusively by Stripe. Stripe shares billing metadata (amount, invoice ID) with IdentityFirst for reconciliation. | Stripe (UK/EU transactions): Stripe Payments Europe Ltd, Dublin, Ireland. PCI DSS Level 1 certified. Stripe DPA |
Changes
Sub-processor change process
Before we add or change a sub-processor
- We publish notice on this page and notify registered customers by email at least 30 days in advance.
- Customers who have signed a DPA have the right to object in writing within 30 days of notification.
- If a customer objects, we will work with them to find a resolution. If no resolution is possible, either party may terminate the affected services without penalty, subject to the terms of the contract.
- Emergency changes (required by a security incident or legal obligation) will be communicated as soon as practicable, with retrospective notice where advance notice was impossible.
Register for change notifications
Email dpo@identityfirst.net with subject “Sub-processor notifications” to be added to the notification list.
Last updated
This page is reviewed quarterly and updated whenever a sub-processor change occurs.
Related documents
Our DPA references this sub-processor list and is updated in lock-step.