Sub-Processors
Updated May 11, 2026
This list of Sub-Processors is published in accordance with Section 7 of our Data Processing Agreement. We engage carefully selected Sub-Processors to provide infrastructure, AI model APIs, payment processing, transactional email and code-repository integration. We notify Customers of changes at least 30 days in advance and allow objection on reasonable data-protection grounds.
To receive change notifications by email, subscribe at privacy@xaio.dev.
1. Infrastructure
| Sub-Processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Cloud infrastructure (compute, storage, database, networking, EFS, S3, CloudFront, ALB) | Frankfurt, Germany (eu-central-1) — primary region for production workloads | EU entity; for any incidental US transfers: Standard Contractual Clauses and supplementary measures |
2. AI model providers
| Sub-Processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Anthropic (Claude, via Amazon Bedrock) | Large-language-model API (Claude) for chat, code generation and agent runtimes — served through Amazon Bedrock | European Union (Amazon Bedrock, EU region) | Processed within the EU via Amazon Bedrock; inputs and outputs are not used to train models and are not shared with the model provider |
| OpenAI, L.L.C. | Optional fallback large-language-model API | United States (model APIs) | Standard Contractual Clauses + supplementary measures; API data not used to train OpenAI models |
| Google Ireland Limited / Google LLC | Optional Gemini / Vertex AI model API and OAuth for sign-in | European Union and United States | Standard Contractual Clauses + supplementary measures |
| DeepSeek V4 (official API) | Optional large-language-model API (DeepSeek V4) for chat and code generation, used only when a Customer selects the DeepSeek V4 model | China (People's Republic of China) | Exception to EU residency and no-training (see §5 and §6): served via DeepSeek's official API. Inputs are processed and stored in China and DeepSeek may use them to improve its models. Transfers rely on Standard Contractual Clauses, supplementary measures and the Customer's explicit opt-in. |
3. Operations (payment, email, code)
| Sub-Processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe Ltd. / Stripe Inc. | Payment processing for subscriptions and credit purchases | Ireland (controller for payment data); United States for fallback infrastructure | Standard Contractual Clauses + EU–US Data Privacy Framework |
| Sendinblue / Brevo SAS | Transactional email (account, billing, security notifications) | European Union (France) | EU/EEA — no third-country transfer |
| GitHub, Inc. | Code repository, Git operations and OAuth for Customers who connect a repository | United States | Standard Contractual Clauses |
4. Analytics
| Sub-Processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Internal product analytics (self-hosted) | Aggregated, pseudonymised product-usage analytics for operating and improving the Service | European Union (Frankfurt) | EU/EEA — no third-country transfer |
5. Data residency commitment
Application data (workspaces, projects, generated code, files, databases, published sites) is hosted in the European Union (Frankfurt, Germany). Personal Data is transferred to non-EEA Sub-Processors only as necessary to process AI requests and other features listed above, under the transfer mechanisms identified.
6. No training on Customer data
We do not use User Content (prompts, code, files, AI Output, secrets, configurations) to train, fine-tune or evaluate foundation models, whether ours or those of any AI provider listed above, and we do not share User Content with any AI provider for training purposes. Anonymous, aggregated telemetry (token counts, latency, error rates) may be used for operating and improving the Service. See Section 7 of the Terms.
Exception — DeepSeek V4: If a Customer explicitly selects the DeepSeek V4 model, inputs are processed via DeepSeek's official API in China under DeepSeek's own terms, which may use inputs to improve DeepSeek's models. This is an explicit, opt-in exception to the no-training and EU data-residency commitments stated above.