1. Purpose
This document lists the third-party sub-processors that may process customer personal data on behalf of Blankstate, in support of the services. It satisfies the standard Data Processing Agreement (DPA) requirement to maintain and disclose an up-to-date sub-processor list, and the UK GDPR / EU GDPR Article 28(2)–(4) obligations on sub-processor engagement.
2. How to read this list
A sub-processor is a third party that Blankstate engages to process customer personal data on Blankstate’s behalf in the course of providing the services to customers. Service providers that do not process customer personal data are listed separately for transparency but are not sub-processors.
Categories used:
- Criticality: Critical (production-essential, no immediate substitute), High (production-supporting, planned substitution), Medium (operational support, replaceable).
- Data location: the country / region where customer personal data is processed.
- Transfer mechanism: the legal basis used where data is processed outside the UK/EEA.
3. Sub-processors processing customer personal data
| Provider | Service | Data processed | Hosting location | Criticality | Transfer mechanism | Independent assurance |
|---|---|---|---|---|---|---|
| Google Cloud Platform (Google LLC / Google Ireland Ltd) | Cloud infrastructure: Compute Engine, Persistent Disk, VPC, IAM, Secret Manager, Cloud Logging, Cloud Audit Logs, Cloud Storage | All production data (authentication records, audit logs, deterministic measurement outputs, account data) | UK — GCP region europe-west2 (London) | Critical | UK IDTA / EU SCCs incorporated via Google’s DPA for any non-UK/EEA control-plane access | ISO 27001, ISO 27017, ISO 27018, ISO 27701, SOC 1, SOC 2 Type II, SOC 3, PCI DSS, UK Cyber Essentials Plus, FedRAMP |
| GitHub, Inc. (Microsoft) | Source code management, version control, CI/CD pipelines | Does not process customer personal data in normal operation. Listed for completeness | US, with EU/UK enterprise customer data residency available | High | UK IDTA / EU SCCs via GitHub DPA | ISO 27001, SOC 1, SOC 2 Type II |
| Internet Security Research Group (Let’s Encrypt) | Public-trust TLS certificate issuance and renewal (ACME) | No personal data — only public DNS names and certificate-signing requests | Distributed (ACME endpoints) | High | N/A (no personal data) | ISRG public CA, WebTrust audited |
4. Service providers that are NOT sub-processors of customer personal data
These providers are part of Blankstate’s operating environment but do not process customer personal data on Blankstate’s behalf. They are listed for full transparency.
| Provider | Service | What it processes |
|---|---|---|
| Google Workspace | Blankstate’s internal email, documents, calendars | Blankstate employee data; ad-hoc customer business contacts in support email threads |
| Bitdefender (GravityZone) | Endpoint protection (EDR, anti-malware, host firewall, application control) | Endpoint telemetry from Blankstate-managed devices only — no customer service data |
| Stripe, Inc. | Subscription billing for Blankstate’s own customers | Billing data only (commercial). Stripe maintains PCI DSS Level 1 certification |
| External UK accountants | Statutory accounts, payroll, VAT for Blankstate (Traceflow Ltd) | Employee payroll and contractor data; not customer service data |
| External UK / India HR & employment counsel | Engaged ad hoc | Employment matters only |
5. Specifically not in the data path
Several architectural choices materially reduce sub-processor surface area:
- Identity and authentication are self-hosted within Blankstate’s controlled environment — there is no external identity provider in the data path.
- The AI / measurement engine (SGM) is proprietary and self-hosted within Blankstate’s controlled environment — there is no third-party AI, LLM, or model provider in the data path. Open-source components used inside the engine operate in-process within Blankstate’s controlled environment; they do not transmit data to any third party. Specific identifications are available to customers, regulators, and auditors under the appropriate confidentiality cover.
- Model weights are Blankstate-owned and Blankstate-hosted. No customer data is used to train or fine-tune third-party models.
- Customer-deployed (on-premise) options are available under contract, under the same architectural commitments.
6. Sub-processor change notification
Material additions or changes to the sub-processors listed in §3 are notified to customers with a minimum of 30 calendar days’ notice, unless a shorter period is required for security reasons, in accordance with the DPA. Customers are entitled to object to a proposed sub-processor on reasonable, documented grounds; the objection and resolution procedure is set out in the DPA.
This document is the authoritative version. It is reviewed quarterly and on any change. The current version is published at the Blankstate Trust Center (blankstate.ai/trust) and is mirrored to customers under DPA where a private notification cadence is contracted.
7. Sub-processor governance
All sub-processors are engaged under BKS-TPR-001 (Third-Party Risk Management Procedure) and are bound by written agreements imposing data-protection and security obligations no less protective than those Blankstate has assumed under the customer DPA. Sub-processor assessment, monitoring, and reassessment are governed by BKS-TPR-001 §§5–7.
8. Contact
Privacy and sub-processor questions: dpo@blankstate.ai.