CONFIDENTIAL — Shared under mutual NDA. Do not distribute outside your organization.
Subprocessor List
CloudFive · Effective: June 2026 · Owner: Todd Densmore · Review: Quarterly
The following third-party services may be used in the delivery of CloudFive engagements. Client data is shared with
a subprocessor only where required to deliver the agreed scope of work. CloudFive does not use subprocessors for
advertising or data monetization.
Infrastructure & Compute
| Vendor | Purpose | Data shared | HQ | Compliance |
|---|
| Amazon Web Services |
Cloud infrastructure, compute, storage, databases |
Client data per engagement scope |
USA |
SOC 2 Type II, ISO 27001, PCI DSS |
| GitHub (Microsoft) |
Source code hosting, CI/CD |
Source code only; no PII without consent |
USA |
SOC 2 Type II, ISO 27001 |
AI & LLM Services (when applicable)
| Vendor | Purpose | Data shared | HQ | Compliance |
|---|
| Anthropic |
Claude API — AI workflow automation |
Prompt content per engagement; no training on API data |
USA |
SOC 2 Type II (in progress); Privacy Policy |
| OpenAI |
GPT API — when specified by client or engagement |
Prompt content per engagement; Business API no-training opt-out |
USA |
SOC 2 Type II |
Communication & Productivity
| Vendor | Purpose | Data shared | HQ | Compliance |
|---|
| Google Workspace |
Email, calendar, documents |
Email communications; no client data stored in Docs without consent |
USA |
SOC 2 Type II, ISO 27001 |
| Resend |
Transactional email delivery (contact form, notifications) |
Email address, message content |
USA |
SOC 2 Type II |
Security & Operations
| Vendor | Purpose | Data shared | HQ | Compliance |
|---|
| 1Password (AgileBits) |
Credential and secret management |
Encrypted credential vaults only |
Canada |
SOC 2 Type II, ISO 27001 |
Change Notification
CloudFive will provide 30 days advance notice before adding a new subprocessor that will process client personal data.
Clients with DPAs in place may object to the addition within that window.
Notify: todd@cloudfive.net