Last updated: 25 May 2026
Version: 1.0
What this page is
Sub-processors are the third-party services Khairos AI Comply uses to run the platform. When we add or remove one, we notify customers at least 30 days in advance by email and update this page on the same day. If you want a heads-up before a change goes live, subscribe at the bottom.
We keep the list short on purpose. Every vendor here has been reviewed for security posture, EU data-protection compliance, and fit with the kind of training-and-evidence work the platform exists to support. We do not share customer data with sub-processors who aren't on this list, and we do not sell customer data — ever.
If you are a customer and you want a copy of any sub-processor's executed DPA, or you have questions about a specific entry, email privacy@khairos.ai and we'll send the relevant documents within five business days.
Current sub-processors
| # | Sub-processor | Purpose | Data accessed | Location | Transfer mechanism | DPA in place |
|---|---|---|---|---|---|---|
| 1 | Supabase Inc. | Primary database (Postgres), authentication, edge functions, file storage | All platform data (names, work emails, training progress, quiz scores, certificates, policy acknowledgements) | EU — Frankfurt (eu-central-1) | Within EEA — no Art 46 mechanism needed | Yes |
| 2 | Vercel Inc. | Hosting, CDN, edge runtime | Authentication metadata, request logs, in-transit payloads | EU region by default; some platform features may route through US edges | SCCs (Module 2) where US edges are involved | Yes |
| 3 | Vimeo Inc. | Training video playback (embedded iframe) | Viewer IP, watch events, embedded session metadata | US | SCCs (Module 2) + EU-US Data Privacy Framework (DPF) | Yes (Vimeo Pro) |
| 4 | n8n (self-hosted) at kukkin8n.khairos.ai | Workflow automation: lead intake, invitation emails, internal notifications | Email addresses, invitation tokens, lead form submissions | EU (Netherlands) | Within EEA if confirmed | Self-operated; no third-party DPA required |
| 5 | Calendly LLC | Booking of admin meetings (sales, onboarding, audit calls) | Admin booker name, email, time-zone, meeting topic | US | SCCs (Module 2) + DPF | Yes |
| 6 | Anthropic PBC (accessed via Vercel AI Gateway) | AI features for blog topic generation and admin productivity tooling | Only prompts submitted by Khairos staff — no end-user personal data is sent | US | SCCs (Module 2) + DPF; data is not used for model training | Yes |
| 7 | Telegram Messenger Inc. ¹ | Admin-only operational notifications (e.g., new lead alert) | No customer personal data; only aggregate metadata addressed to Khairos staff | Global | N/A — admin-only operational channel | N/A |
Footnotes
¹ Telegram is admin-only. It is used exclusively for operational alerts to the Khairos team (for example, "a new lead just signed up for a trial"). No customer-employee personal data, no training records, no certificates, and no audit responses are ever sent through Telegram. It is listed here in the interest of full transparency, even though it does not strictly meet the GDPR definition of a sub-processor for customer Personal Data.
Self-hosted fonts. We are in the process of replacing the Google Fonts CDN with self-hosted fonts served from our EU edge. When that change ships (target: shipped May 2026), one US data transfer will be removed from the architecture entirely. This page will be updated and customers will be notified by email when it is done.
How we manage sub-processors
- Every sub-processor signs a written Data Processing Agreement with Khairos before any customer data is shared.
- Every sub-processor outside the EEA must rely on an approved transfer mechanism under Article 46 GDPR — for the current list, that is the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework (DPF).
- We review the full sub-processor list at least once a year for security posture, incident history, and continued necessity.
- We require breach notification from each sub-processor to Khairos within 48 hours of awareness, which lets us meet our own 48-hour customer notification commitment.
- We avoid sub-processors whose primary business model involves training AI on their customers' data. For example, Anthropic is used only with the explicit no-training data setting, configured via the Vercel AI Gateway, and only for admin prompts that contain no end-user personal data.
How to subscribe to changes
You have two options:
- Email subscription — send "subscribe" with your customer name to subprocessors@khairos.ai and we will add you to the announcement list. Notifications are sent at least 30 days before any sub-processor change takes effect.
- RSS feed (planned, target: Q3 2026) — for customers and security teams who prefer automated polling, we will publish a versioned RSS feed at https://khairos.ai/subprocessors.rss. Until that ships, please use the email subscription.
Right to object
Customers may object to a new sub-processor on reasonable GDPR-related grounds within 15 calendar days of notification. The objection process and consequences are set out in our DPA — section 7.4. In short: if we can't resolve the objection together within 30 days, you can terminate the affected services on a pro-rata refund basis.
Contact
Data protection enquiries: privacy@khairos.ai
Sub-processor change subscription: subprocessors@khairos.ai
Khairos AI Comply is a service of MLG Projects, KvK 94643342, VAT NL004552299B48, the Netherlands.
