Sub-processors
To deliver the Diligio platform, we engage the third-party sub-processors below. Each is bound by data-protection terms no less protective than our Data Processing Agreement, and we remain responsible for their performance. Customer content is never used to train AI models.
Last updated 11 June 2026
| Sub-processor | Purpose | Location | Data processed |
|---|---|---|---|
Amazon Web Services (AWS) Infrastructure | Primary cloud hosting: compute, object storage (S3), content delivery (CloudFront) and DNS. | European Union (Paris, eu-west-3) | All customer content and account data, encrypted at rest. |
Supabase Infrastructure | Managed PostgreSQL database, authentication and file storage. | European Union (Paris, eu-west-3) | Account data, knowledge-base documents and questionnaire content. |
CloudConvert Infrastructure | Document format conversion (e.g. Word and PowerPoint files to PDF) during ingestion. | European Union (Germany) | Office documents you upload for conversion. Processed transiently and not retained beyond the conversion job. |
LlamaParse (LlamaIndex) Infrastructure | Parsing uploaded documents to extract their text and structure during ingestion. | United States | Documents you upload, sent at ingestion time to extract text and structure. Not used to train models. |
Anthropic (Claude) AI | AI inference: drafting and independent verification of answers. | United States | Questionnaire text and relevant knowledge-base context sent at inference time. Not retained for training; processed under the provider’s zero-retention / enterprise API terms. |
Google (Gemini API) AI | AI inference and text embeddings for retrieval. | United States / Global | Questionnaire and knowledge-base text sent at inference time. Paid API; not used to train foundational models. |
Resend Email | Transactional email delivery (authentication, invitations, notifications). | United States | Recipient name and work email address. |
Upstash Infrastructure | Rate limiting and abuse protection (transient request counters). | Global | Transient, short-lived request counters derived from IP address. No content. |
Cloudflare Analytics | Cookieless, privacy-friendly web analytics for the public website. | Global | Aggregate page metrics only; no cookies and no personal identifiers. |
Primary cloud hosting: compute, object storage (S3), content delivery (CloudFront) and DNS.
Managed PostgreSQL database, authentication and file storage.
Document format conversion (e.g. Word and PowerPoint files to PDF) during ingestion.
Parsing uploaded documents to extract their text and structure during ingestion.
AI inference: drafting and independent verification of answers.
AI inference and text embeddings for retrieval.
Transactional email delivery (authentication, invitations, notifications).
Rate limiting and abuse protection (transient request counters).
Cookieless, privacy-friendly web analytics for the public website.
Changes & notifications
We give customers reasonable prior notice before adding or replacing a sub-processor that handles personal data. To subscribe to change notifications, or to raise a reasonable data-protection objection, contact privacy@diligio.co. International transfers are covered by Standard Contractual Clauses and/or the UK International Data Transfer Addendum, as described in our DPA.