Schedule 2 / Annex III to DPA

Approved sub-processors.

v0.2-draft · last edited 2026-05-15

Provider engages the following sub-processors to deliver the Service. This page is the source-of-truth for the "current" Schedule 2 between annual MSA renewals; we provide thirty (30) days' advance written notice before moving an ANTICIPATED entry to ACTIVE, per DPA §7.3. Machine-readable JSON at /legal/sub-processors.json.

Active in production for at least one Customer-facing service today. Anticipated likely to be engaged within the next 12 months; listed proactively. Conditional engaged only on Customer's explicit opt-in (e.g. cloud-LLM tier).
S1

Anthropic, PBC Conditional

Entity
Anthropic, PBC · Delaware, USA
Processing
USA (Anthropic-managed datacenter regions)
Purpose
LLM inference for cloud Concierge tier (CONCIERGE_MODEL=claude-*). Not engaged on on-prem deployments — those default to a locally hosted open-weights model.
Data
Customer prompt strings + Provider-injected grounding context (city / POI rows from license-filtered set; non-PII).
Safeguards
Anthropic DPA + 2021 EU SCCs; Provider configures zero-retention API mode.
Opt-out
Yes — purchase the local_inference Concierge tier (default for on-prem buyers).
S2

Paddle.com Market Limited Active

Entity
Paddle.com Market Limited · London, UK
Processing
EEA / UK / USA (per Paddle's published list)
Purpose
Merchant-of-record billing for non-India Customers: subscriptions, invoicing, sales-tax / VAT, dunning, webhooks.
Data
Billing contact (name, work email, billing address); transaction metadata; IP address. No full PAN reaches Provider.
Safeguards
Paddle DPA + 2021 EU SCCs.
Opt-out
No (Paddle is Merchant of Record). Alternative: Razorpay for INR-denominated contracts.
S3

Razorpay Software Pvt Ltd Active

Entity
Razorpay Software Private Limited · Bengaluru, India
Processing
India
Purpose
India payment processing: UPI, NEFT, RTGS, RuPay, e-NACH mandates for Indian Customers (state DMO contracts).
Data
Customer billing entity name, GSTIN where provided, transaction reference, amount, currency.
Safeguards
India-to-India; DPDP Act applies; no cross-border transfer at this layer.
Opt-out
No — Razorpay is the only India payment rail supported today.
S4

Cloudflare, Inc. Active

Entity
Cloudflare, Inc. · San Francisco, USA
Processing
Global CDN edge (incl. EU PoPs); origin from Provider's primary region.
Purpose
CDN, DDoS mitigation, TLS termination for api.travelminds.ai and travelminds.ai; Email Routing for @travelminds.ai domain inboxes.
Data
Request / response metadata (headers, IP, URL, status); email metadata + content for routed inboxes.
Safeguards
Cloudflare DPA + 2021 EU SCCs.
Opt-out
No on cloud surface. On-prem deployments bypass Cloudflare entirely — it drops out of that Customer's inventory.
S5

GitHub, Inc. Active

Entity
GitHub, Inc. (Microsoft subsidiary) · San Francisco, USA
Processing
USA, EU
Purpose
Source-code hosting for Provider's private repositories; future SDR-Loop-A scraping of public repos. Does not process Customer Personal Data in the ordinary course.
Data
Source code; Provider-internal commit metadata; in rare integration cases, a Customer's GitHub handle.
Safeguards
GitHub DPA + Microsoft SCCs.
Opt-out
Customer Personal Data not Processed via GitHub by default; opt-out not required.
S6

Hetzner Online GmbH Anticipated

Entity
Hetzner Online GmbH · Gunzenhausen, Germany
Processing
EU (Helsinki, Falkenstein) or India region depending on regulatory needs.
Purpose
Hosting of Postgres + gateway + Concierge stack outside the dev box; off-site backup target.
Data
All Personal Data categories listed in DPA Schedule 1, encrypted at rest, once ACTIVE.
Safeguards
EU-internal for EU Customers; India→EU under SCCs / DPDP §16 depending on Controller role.
Opt-out
30-day notice before move to ACTIVE; Customer may object per DPA §7.3.
S7

Resend, Inc. Anticipated

Entity
Resend, Inc. · Delaware, USA
Processing
USA / EU
Purpose
Transactional email (signup confirmations, billing receipts, password reset, breach notifications).
Data
Recipient email, subject, body (typically Customer authorised-representative contact, not end-user data).
Safeguards
Resend DPA + SCCs (verify at counsel review).
Opt-out
Customer may request paper-only or alternate-email-domain delivery; reasonable effort.

Out of scope (not sub-processors)

Listed for transparency: local dev-machine LLM runtimes (no Customer Personal Data); Anthropic Console / Claude Code (Provider developer tools, no Customer data shared); third-party data sources (Foursquare, OpenStreetMap, Wikipedia, Wikivoyage, Wikidata, GeoNames, Overture, NPS, USGS, ASI, GTAI, Indian state tourism portals, etc.) are ingestion sources, not Sub-processors — Customer queries do not flow upstream to them. License posture is governed by our 16-class license registry.

Change notification

Sub-processor changes are notified by email to the Customer's designated contact and reflected on this page with an updated version pill + a row in the changelog below. The JSON feed at /legal/sub-processors.json carries the same data for automated change-watch.

Changelog

VersionDateNotes
0.2-draft2026-05-15Public listing stood up. ACTIVE: Paddle, Razorpay, Cloudflare, GitHub. CONDITIONAL: Anthropic (cloud-Concierge tier only). ANTICIPATED: Hetzner, Resend.
0.1-internal2026-05-07Initial draft in legal/templates/sub_processor_list.md; not yet publicly listed.