
Sub-Processor List

A complete list of third parties that process data on behalf of FrootAI customers, in compliance with GDPR Article 28.

Last updated: May 2026

Change Notification Policy

We notify customers 30 days in advance before adding or changing a sub-processor. Notifications are sent via email to the tenant admin address on file. If you object to a new sub-processor, you may terminate the affected service within the 30-day notice period.

Current Sub-Processors

Sub-Processor: Microsoft Azure
Purpose: Cloud infrastructure — compute (AKS), database (Cosmos DB), CDN (Front Door), monitoring (App Insights), secrets (Key Vault), search (AI Search)
Data Processed: All customer data (evaluation inputs, outputs, scores, tenant configuration, audit logs)
Location: EU (West Europe — Netherlands) + US (East US — Virginia) for multi-region
Certifications: SOC 2, ISO 27001

Sub-Processor: Stripe
Purpose: Payment processing — subscriptions, invoices, payment methods
Data Processed: Customer billing information (name, email, payment method tokens — no full card numbers stored by FrootAI)
Location: US (Stripe is PCI DSS Level 1 certified)
Certifications: SOC 2, ISO 27001

Sub-Processor: Plausible Analytics
Purpose: Privacy-first website analytics (frootai.dev)
Data Processed: Anonymized page views — no cookies, no PII, no cross-site tracking
Location: EU (Germany)
Certifications: Privacy-first

Sub-Processor: Resend
Purpose: Transactional email delivery (onboarding, alerts, billing notifications)
Data Processed: Email addresses + email content (transactional only, no marketing without consent)
Location: US
Certifications: SOC 2

Sub-Processor: GitHub (Microsoft)
Purpose: Source code hosting, CI/CD, issue tracking
Data Processed: Source code (no customer data in repos), CI/CD artifacts
Location: US
Certifications: SOC 2, ISO 27001

Data Processing Agreement (DPA) Summary

Data Controller: Customer (your organization)
Data Processor: FrootAI GmbH
Processing purposes: AI agent evaluation, quality scoring, compliance reporting
Data categories: Agent inputs/outputs, evaluation scores, tenant config, billing info
Data subjects: End users of customer's AI agents (as determined by customer)
Retention: Default 90 days, configurable 7 days – 3 years, deleted within 30 days of termination
Encryption at rest: AES-256 (Azure-managed keys, customer-managed key option for Enterprise)
Encryption in transit: TLS 1.3 minimum
Breach notification: Within 72 hours to customer (per GDPR Article 33)
Data deletion on termination: All customer data deleted within 30 days; certificate of deletion available
Sub-processor change notice: 30 days advance email notification
SCCs for non-EU transfers: EU Standard Contractual Clauses (2021/914) included

Data Subject Rights (GDPR Articles 15–22)

Right of access (Art. 15)

Customers can export all data via Studio dashboard or GDPR export API endpoint.

Right to rectification (Art. 16)

Customers can update tenant data via Studio settings. Evaluation data is immutable (scores are append-only).

Right to erasure (Art. 17)

Customers can delete their account via Studio danger zone. All data erased within 30 days.

Right to data portability (Art. 20)

Full data export in JSON format via API or Studio. Includes eval results, configurations, and audit logs.

Right to restriction (Art. 18)

Contact support to restrict processing while a dispute is resolved.

Right to object (Art. 21)

No automated profiling or marketing based on evaluation data. Object to sub-processor via 30-day notice process.

Contact

DPA requests: [email protected]

Data subject requests: [email protected]

Sub-processor change notifications: Sent to tenant admin email on file