Subprocessors
Categories of third-party services Kernion uses to deliver agency.kernion.io and the platform.
This page summarises the categories of sub-processors Kernion engages to deliver the Service, per Art. 28(2) GDPR. A sub-processor is a third party we instruct to process personal data on our behalf. Every engagement is governed by a data processing agreement with Standard Contractual Clauses, where applicable.
Categories
| Category | Purpose | Region | Data categories |
|---|---|---|---|
| Infrastructure & hosting | Virtual machines, managed relational database, event-bus, storage buckets. All Service data lives here. | EU | All Service data at rest (encrypted), application logs, backups. |
| AI inference | Large-language-model inference for chat, drafting, agent routing, classification, and AI search visibility probes. | EEA and/or US (SCCs in place; no training on API traffic). | Prompt + completion content. |
| Communications โ SMS & voice | Transactional SMS, agent voice calls, and demo SMS. | EEA + US (SCCs in place). | Phone numbers, call metadata, SMS content. |
| Communications โ email | Transactional outbound email (account, billing, DSR receipts). | EEA / US (SCCs in place). | Recipient email, email content, delivery metadata. |
| Payments | Subscription billing, invoice generation, payment processing, tax calculation. | EEA with global card-network routing. | Billing name, email, VAT ID, tokenised payment method, invoice metadata. |
Named sub-processor list (for contracted customers)
On request, we provide contracted customers with a named, versioned list โ the processor entity, the region, the data-processing agreement reference, and the transfer mechanism. Send the request from an email address on your company domain to hello@kernion.io. We provide it under our standard NDA within 3 business days.
Optional โ customer-enabled integrations
When a customer connects their own business profile, social accounts, or calendar feeds, data flows to those platforms under the customer's own contract with them. Those are customer-chosen integrations, not Kernion sub-processors.
International transfers
Where a sub-processor is established outside the EEA / UK / Switzerland, transfers rely on the 2021 Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. Transfer Impact Assessments are documented.
Changes to this list
We notify contracted customers in writing of any new sub-processor category โ or a provider change within a category โ at least 30 days before production use, so you can object. Objections are handled under Art. 28(2) GDPR.
Contact
Questions about sub-processors or transfer safeguards: hello@kernion.io.