Sub-processors
This page is the customer-facing list of sub-processors engaged for the lynox Managed Hosting service. The contractually binding list lives in the Data Processing Agreement — if any version diverges, the DPA prevails. The same list is also mirrored as a public reference at SUBPROCESSORS.md in the source repo.
The self-hosted lynox software (@lynox-ai/core) engages no sub-processors. When you run lynox on your own infrastructure, the software only communicates with the LLM provider whose API key you configure. This list applies only to lynox AI's managed offering.
Current sub-processors
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Anthropic, PBC | Primary LLM inference (Claude family, direct API) | United States | SCCs (2021/914, Modules 2/3) + Swiss and UK addenda (per Anthropic's Data Processing Addendum) |
| Mistral AI SAS | LLM inference for chat, agent workflows, mail-triage classification, and memory consolidation (Mistral Large family, direct API). Runs as the worker/failover profile for all managed instances; any customer can select it in Settings as their main inference provider to keep primary inference within the EU. | France (EU) | EU |
| Stripe, Inc. | Payment processing and subscription billing | United States / EU | EU-US and Swiss-US Data Privacy Framework + SCCs |
| Hetzner Online GmbH | Server infrastructure — shared tenant hosts (isolated container per customer); dedicated VPS as Enterprise upgrade | Germany (EU) | EU |
| Brevo (Sendinblue SAS) | Transactional email delivery (SMTP relay) and contact list management | EU (France/Germany) | EU |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, tunnel relay. TLS terminates at the Cloudflare edge, so Cloudflare has plaintext visibility on incoming HTTPS traffic before it is re-encrypted to our origin. | United States / EU (edge network) | EU-US and Swiss-US Data Privacy Framework + SCCs |
| Plausible Insights OÜ | Anonymous website analytics (no personal data) | EU (Estonia) | EU |
| Google LLC | Marketing measurement on lynox.ai only — Google Analytics 4 + Google Tag Manager (Consent Mode v2; fires only with marketing consent via Klaro). Not engaged for any data flow inside the Managed Hosting service. | United States | EU-US and Swiss-US Data Privacy Framework + SCCs (Module 2/3, 2021/914) |
| Self-hosted (Bugsink) | Error reporting (always active for managed instances) | EU (self-hosted on lynox infrastructure) | No third-party transfer |
Customer-configured endpoints (BYOK). If you connect your own LLM provider via Settings → LLM — for example OpenAI, an OpenAI-compatible endpoint, Google Vertex AI, or a self-hosted model — that provider is engaged by you under your own agreement with it. It is not a lynox sub-processor and is not listed above; you act as controller for that transfer. See "Customer-configured endpoints" in the DPA.
Change notification
We notify Managed Hosting customers at least 30 days in advance of any addition or replacement of sub-processors, per section 8.4 of the DPA. To subscribe to sub-processor change notifications or object to a change, contact [email protected].
Contact
For questions about sub-processors:
[email protected] · EU representative: Prighter portal