Sub-processors

Effective date: June 18, 2026

1. About this list

KollGuard uses a small number of third-party service providers (“sub-processors”) to operate the Service. A sub-processor is a third party that processes customer personal data on our behalf. This page lists our current sub-processors and supplements the sub-processor section of our Privacy Policy.

We require each sub-processor to protect personal data consistent with our Privacy Policy and any Data Processing Addendum in place with you, and we limit them to the data needed for their function.

2. Current sub-processors

| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase | Primary application platform — managed Postgres database, authentication, file storage, and the Edge Functions that run the API and scans. Encrypted backups (point-in-time recovery). | Account and profile data, tenant/organization records, scan metadata and findings, audit logs, encrypted connection credentials. | United States |
| Amazon Web Services (AWS) | Underlying cloud infrastructure on which the platform runs, and Amazon SES for transactional email delivery. | Infrastructure-level hosting of the above. For email: recipient address and message contents (e.g. invitations, reports, security notices). | United States |
| Stripe | Subscription billing and payment processing. | Billing contact, plan and subscription status, and payment details handled directly by Stripe. KollGuard does not store full card numbers. | United States |
| Anthropic | Default AI provider for the compliance advisor (finding explanations, remediation guidance, questionnaire drafting). | Only the content needed to fulfil a request you initiate — typically finding text, control descriptions, and your prompts. Used to serve the request, not to train models. | United States |
| OpenAI, Google, xAI | Alternative AI providers for the compliance advisor. Used only when you select that provider, or when you configure your own AI endpoint. | Same scope as above, sent only if you choose that provider. If you configure a self-hosted or private endpoint, no third-party AI sub-processor is involved. | United States (or your configured endpoint) |

3. Systems you connect (not sub-processors)

When you connect a repository, database, or cloud account, KollGuard reads from those systems using credentials you provide in order to run the scans you request. We process data from those systems — we do not send your data to them — so they are your systems and integrations, not our sub-processors. These include:

  • GitHub and other source-code hosts you authorize, scanned read-only.
  • Databases you point us at (PostgreSQL, MySQL, MongoDB, SQL Server), scanned read-only.
  • Cloud accounts you connect for posture checks (e.g. AWS), using least-privilege read access.

Scanning is read-only and we do not store your source code or the contents of your databases. See the Privacy Policy for details.

4. Changes and notification

We may add or replace sub-processors as the Service evolves. We will update this page when we do. Customers with a Data Processing Addendum that provides for advance notice of sub-processor changes will be notified in accordance with that addendum. To request notification of changes, email security@kollitech.com.

5. DPA and BAA

A Data Processing Addendum (DPA) is available for customers who need one, and customers subject to HIPAA may request a Business Associate Agreement (BAA). Email info@kollitech.com to request either.