Sub-processor List
Effective date: April 12, 2026 · GDPR Article 28 disclosure
GDPR Art. 28 · UK GDPR · SCCs · 30-Day Notice
1. Purpose of This Document
This page fulfils RadMah AI's sub-processor disclosure obligation under Article 28(2) of the General Data Protection Regulation (GDPR) and equivalent requirements under UK GDPR, Swiss revFADP, and other applicable data protection laws.
A "sub-processor" is a third-party organisation that RadMah AI engages to process personal data on your behalf in the course of delivering the RadMah AI platform and services. RadMah AI remains your primary data processor and is responsible for ensuring that all sub-processors provide sufficient guarantees regarding their technical and organisational security measures.
Each sub-processor listed below is engaged under a written data processing agreement that imposes obligations consistent with GDPR Article 28(3) and, where applicable, EU Standard Contractual Clauses or equivalent transfer mechanisms.
2. Current Sub-processor List
The table below lists all sub-processors currently authorised by RadMah AI to process personal data in connection with the RadMah AI platform.
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Amazon Web Services (AWS) | Primary cloud infrastructure: compute, object storage (S3), managed PostgreSQL (RDS), managed Redis (ElastiCache), container orchestration, CloudWatch logging, Secrets Manager, WAF, and CloudFront CDN | USA — us-east-1 (primary). Additional regions available for Enterprise customers with data residency requirements. | All customer data including Reference Datasets, Generated Outputs, evidence bundles, job metadata, account data, audit logs, and telemetry. All data stored within the customer's provisioned tenancy. |
| Stripe, Inc. | Payment processing, subscription billing, invoicing, and payment method tokenisation | USA (PCI-DSS Level 1 certified) | Billing contact details (name, email, billing address), payment method tokens, subscription status, invoice history. Full card numbers are never transmitted to or stored by RadMah AI — Stripe handles all card data directly. |
| OpenAI, L.L.C. | Large Language Model (LLM) inference for the AI Orchestrator and Agentic Data Scientist features, when the customer uses the platform-managed AI key | USA | Orchestrator prompts and intermediate reasoning context only. Reference Datasets and Generated Outputs are not transmitted to OpenAI. PII is redacted from prompts before transmission where technically feasible. Customers using a BYO AI key transmit data directly to their own OpenAI account and are not subject to this sub-processor relationship. |
| Anthropic, PBC | Large Language Model (LLM) inference for the AI Orchestrator and Agentic Data Scientist features, when the customer uses the platform-managed AI key and the Anthropic model is selected | USA | Orchestrator prompts and intermediate reasoning context only. Reference Datasets and Generated Outputs are not transmitted to Anthropic. PII is redacted from prompts before transmission where technically feasible. Customers using a BYO AI key transmit data directly to their own Anthropic account and are not subject to this sub-processor relationship. |
| Cloudflare, Inc. | Content Delivery Network (CDN), DDoS protection, TLS termination, and DNS resolution for RadMah AI's marketing site and public API endpoints | USA (global edge network — data in transit only; no persistent customer data storage) | HTTP request metadata (IP addresses, user agents, request headers) in transit. Cloudflare does not have access to the content of encrypted application payloads. No Reference Data or Generated Outputs are transmitted through Cloudflare. |
| GitHub, Inc. (a Microsoft company) | Source code repository hosting for RadMah AI's internal engineering teams | USA | Source code and internal development artefacts only. No customer data, Reference Datasets, Generated Outputs, or personal data of end users is stored in GitHub. |
3. LLM Sub-processors — Special Note
LLM inference sub-processors (OpenAI and Anthropic) are engaged only when:
(a) The customer uses the platform-managed AI key (the default configuration); and
(b) The AI Orchestrator or Agentic Data Scientist feature is invoked.
These sub-processors are NOT engaged when:
— The customer configures a bring-your-own (BYO) API key. In this case, the customer's prompts are transmitted directly from RadMah AI's API layer to the customer's own AI provider account, under the customer's own agreement with that provider. RadMah AI does not act as a processor for BYO key AI calls.
— The customer uses only the core synthetic data generation capabilities (Synthesize, Mock Data, Constrained Synthesis, SCADA Simulator, ICS Attack Scenario Generator) without invoking AI Orchestrator features.
RadMah AI applies prompt engineering controls to minimise the inclusion of personal data in LLM prompts. Reference Datasets submitted for generation are not transmitted to LLM providers.
4. Sub-processor Change Notification
RadMah AI will notify all registered customers of any intended addition, replacement, or removal of a sub-processor at least 30 days before the change takes effect. Notification will be made by:
(a) Email to the primary Account email address; and
(b) An update to this page at www.radmah.ai/legal/subprocessors
Enterprise customers subject to a Data Processing Addendum (DPA) that requires prior written consent for sub-processor changes may object to a new sub-processor within 30 days of notification in accordance with the procedure set out in the DPA. If a reasonable objection cannot be resolved, the customer may terminate the affected Services without penalty in accordance with the DPA termination-for-cause provisions.
Changes required to comply with legal obligations or to remediate a security incident may be made with shorter or no advance notice; RadMah AI will provide notice as soon as reasonably practicable in such cases.
5. International Data Transfers
The sub-processors listed above are located primarily in the United States. Transfers of personal data from the EEA, UK, or Switzerland to these sub-processors are made under appropriate safeguards:
— EU to USA: EU Standard Contractual Clauses (Commission Implementing Decision 2021/914), as incorporated into RadMah AI's Data Processing Addendum and the sub-processor's own DPA terms.
— UK to USA: UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs, as applicable.
— Switzerland to USA: Equivalent SCCs consistent with the Swiss Federal Act on Data Protection (revFADP).
Enterprise customers who require data residency outside the USA should contact their Account Manager to discuss available configuration options.
Copies of applicable SCCs and transfer mechanism documentation are available on request: privacy@radmah.ai
6. Sub-processor Due Diligence
RadMah AI conducts due diligence on all sub-processors before engagement and on a periodic basis thereafter. This includes:
— Review of the sub-processor's data processing terms and security documentation
— Verification of relevant certifications (e.g., ISO 27001, SOC 2 Type II, PCI-DSS) where applicable
— Contractual requirements for security incident notification, audit rights, and data deletion
RadMah AI does not engage sub-processors that cannot demonstrate adequate security measures consistent with the risks involved in processing the relevant personal data.
7. Contact
Sub-processor and GDPR inquiries: privacy@radmah.ai
DPA and enterprise data processing terms: legal@radmah.ai
RadMah AI will respond to all sub-processor enquiries within 10 business days.
ITLOX Inc. · Wilmington, Delaware, USA · privacy@radmah.ai
© 2026 ITLOX Ltd. and ITLOX Inc. All rights reserved.