Last updated: 21 April 2026
Sub-processors
Template under legal review. This document is a working draft and has not yet been reviewed by qualified counsel. It must not be published externally without review and should not be relied upon as legal advice.
RegSpace engages the following sub-processors to provide the Service. We give at least 30 days’ notice before onboarding a new sub-processor or materially expanding the scope of an existing one. You can subscribe to change notices by emailing privacy@regspace.ai.
| Sub-processor | Purpose | Data | Location |
|---|---|---|---|
| Google Cloud Platform | Primary cloud infrastructure: Cloud Run, AlloyDB, GCS, Cloud KMS, Pub/Sub, Cloud Scheduler | All tenant data; encrypted at rest with per-tenant CMEK | europe-west2 (UK/EU tenants); us-central1 (US tenants) |
| Google — Vertex AI (Gemini) | LLM inference for classification, memo drafting, and extraction | Request payloads (prompts + retrieved snippets); no training on client data | Pinned to tenant residency region |
| Anthropic — via Vertex AI Model Garden | Second-opinion LLM inference for Reviewer agent | Request payloads; zero-retention enterprise endpoint | Pinned to tenant residency region |
| Langfuse (self-hosted) | Observability for agent traces | Metadata, tokens, latencies; payloads hashed | Same region as tenant |
| Firebase Auth | Authentication | Account metadata (email, display name, provider) | Google global (metadata only) |
| Postmark (or SendGrid) | Transactional email (weekly digests, account notifications) | Recipient email and message content | US / EU (provider default) |
| Cloudflare | DNS and DDoS protection | Request metadata (IP, user agent) | Global edge |
Review cadence
Sub-processors are re-assessed at least annually against their SOC 2, ISO 27001, or equivalent attestations. Where an attestation is not available, RegSpace conducts its own risk assessment and records the outcome in our internal vendor register.