sub-processors – DefendAI – AgentOps Platform for AI Security

Sub-Processor List — DefendAI

DefendAI uses the sub-processors listed below in connection with the delivery of its runtime AI security and governance platform. This list is maintained in accordance with GDPR Article 28(2). Customers and partners will be notified of material additions to this list in advance of any new sub-processor relationship commencing.

For questions or to request a copy of any applicable Data Processing Agreement, contact mwaseem@defendai.ai.

Infrastructure Sub-processors

Processor	Purpose	Data processed	Location	DPA / Privacy
Cloudflare	CDN, edge security, DDoS mitigation, DNS management	Customer traffic metadata, IP addresses	Global (EU nodes available)	DPA
Let’s Encrypt / ISRG	TLS certificate issuance and renewal	Domain names only — no personal data	US	Privacy Policy

LLM Provider Sub-processors

DefendAI’s LLM gateway routes customer prompts to provider APIs based on tenant configuration. The following providers are sub-processors of customer prompt data under the default DefendAI-managed deployment. Customers may substitute their own credentials at any time via the Connections API or dashboard — when customer credentials are used, the provider relationship is solely between the customer and the provider.

Processor	Endpoint	Default provisioning	Data processed	DPA / Privacy
OpenAI	api.openai.com	Auto-provisioned	Customer prompts & completions	DPA
Anthropic	api.anthropic.com	Auto-provisioned	Customer prompts & completions	DPA
Google / Gemini	generativelanguage.googleapis.com	Auto-provisioned	Customer prompts & completions	DPA
Groq	api.groq.com	Shared pool — per-tenant Q3 2026	Customer prompts & completions	Privacy Policy
Perplexity	api.perplexity.ai	Customer credentials	Customer prompts & completions	Privacy Policy
DeepSeek	api.deepseek.com	Customer credentials	Customer prompts & completions	Privacy Policy
Hugging Face	api-inference.huggingface.co	Customer credentials	Customer prompts & completions	Privacy Policy
Ollama	Customer-hosted	Customer-hosted only	No data leaves customer environment	N/A — self-hosted

Operational Vendors — No Customer Data Processed

IONOS

Domain registration, company email service, static marketing site hosting (mcpfw.dev)

No customer data flows through IONOS infrastructure

Notification of changes: DefendAI will provide advance notice of material additions to this sub-processor list per GDPR Article 28(2). Customers with Data Processing Agreements in place will be notified directly. For questions about this list or to request copies of applicable DPAs, contact mwaseem@defendai.ai.

Customer-hosted deployments: Where DefendAI is deployed in the customer’s own cloud environment (Section 4.2 of the Compliance Posture Statement), LLM provider relationships are solely between the customer and the provider. DefendAI’s sub-processor obligations are limited to software support scope.

Sub-Processor List

Offering

Useful Links

Contact