GDPR Article 28 Transparency
Sub-Processor List
ArvexLab uses the following sub-processors to deliver our compliance platform services. This list is maintained as part of our commitment to transparency under GDPR Article 28(2).
Last Updated: February 25, 2026 · Version: 1.0
Changes to this list are communicated to data controllers with at least 14 days advance notice, as specified in our Data Processing Agreement (DPA).
Supabase Inc.
Database, Authentication, File Storage
Vercel Inc.
Application Hosting, Edge Functions, CDN
Google LLC (Gemini 2.5 Flash)
AI Evidence Mapping, Policy Assessment
Anthropic PBC (Claude Haiku 4.5 / Sonnet 4)
AI Document Parsing, Contract Analysis, Board Reports
Resend Inc.
Transactional Email Delivery
SecurityScorecard Inc.
Vendor Security Rating & Monitoring
Have I Been Pwned (Troy Hunt)
Data Breach Monitoring
OpenSanctions
Sanctions & PEP Screening
GLEIF (Global LEI Foundation)
Legal Entity Identifier Verification
NewsAPI GmbH
Business Intelligence News Feeds
International Data Transfer Summary
| Region | Sub-Processors | Safeguard |
|---|---|---|
| EU / EEA | Supabase, Google (Gemini), OpenSanctions, GLEIF, NewsAPI | No transfer required |
| United States | Vercel, Anthropic, Resend, SecurityScorecard | EU-US Data Privacy Framework |
| Australia / US | HIBP | Standard Contractual Clauses |
| Switzerland | GLEIF | Adequacy Decision |
Change Notification Process
In accordance with our DPA, ArvexLab will notify data controllers at least 14 days before engaging a new sub-processor or changing an existing one. Controllers have the right to object within this period. If an objection cannot be resolved, the controller may terminate the affected services under the terms of the MSA.
To receive sub-processor change notifications, contact privacy@arvexlab.com.
Questions?
For questions about our sub-processors or data processing practices:
- Privacy inquiries: privacy@arvexlab.com
- DPA requests: legal@arvexlab.com
- Data protection officer: dpo@arvexlab.com