This page lists the third-party providers CybeDefend engages to deliver the Services. The list is incorporated by reference into our Data Processing Addendum. We commit to 30 days' advance notice before adding or replacing any sub-processor for enterprise customers.
What's on this page
CybeDefend SAS is the data processor for Customer Personal Data submitted to the platform. The companies below are sub-processors, they perform a specific function on our behalf, under written agreements that bind them to confidentiality, security and data-protection obligations no less protective than our own.
- We list every sub-processor that touches Customer Personal Data, by name, purpose and location.
- We do not list pure development or office-tools providers that have no access to Customer Personal Data (e.g., source-control hosts for our own code, internal note-taking apps).
- The list reflects the platform as of the "last updated" date at the top of this page.
Current sub-processor list
Cloud infrastructure
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Scaleway SA | Primary EU cloud infrastructure for the EU region, compute, object storage, managed databases. Also hosts the self-operated AI inference layer for both regions. | Customer Personal Data, Customer Code (transient), service logs, model inference traffic. | France (Paris, Amsterdam) |
| Google Cloud (Google LLC) | Cloud infrastructure for the US region, compute, object storage, managed databases. | Customer Personal Data, Customer Code (transient), service logs. | United States |
| Cloudflare, Inc. | Public edge, TLS termination, DDoS mitigation, WAF, DNS, CDN. | Request metadata (IP, headers, URL paths). No request bodies are persisted. | Global edge, anycast |
AI inference
CybeDefend operates its own AI inference layer on sovereign EU infrastructure (Scaleway). Customer Code and prompts are processed by self-hosted open-weight models that we run, not by third-party AI APIs. No prompts, completions or Customer Code are sent to OpenAI, Anthropic, Google AI or any other external LLM provider.
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Mistral AI (open-weight models, self-hosted by CybeDefend on Scaleway) | Open-source Mistral-family large-language-model weights running on infrastructure CybeDefend operates. Powers security analysis, patch generation and the AI security copilot. | Prompt + completion content (which may include Customer Code excerpts and repository metadata) — never leaves CybeDefend-operated infrastructure. | Scaleway, EU (France) for both regions; the inference layer is region-pinned but the weights are open-source and operated by us. |
Payments & billing
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Stripe Payments Europe, Ltd. | Payment processing, subscription billing, tax determination, invoicing. | Billing identification, payment-instrument tokens (we never see the full PAN), transaction metadata. | EU (Ireland) for EU customers, US for US customers. |
Communications & support
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Resend (Resend, Inc.) | Transactional email, account verification, billing receipts, security alerts, password resets. | Email address, message content. | United States with EU sub-region. |
| Slack Technologies, LLC | Customer support channels (where customers opt in to a shared channel). | Conversation content shared in the channel. | United States. |
| Calendly, LLC | Booking demos and customer-success calls. | Name, email, scheduling preferences. | United States. |
Observability & analytics
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Sentry (Functional Software, Inc.) | Application error monitoring. | Stack traces, request metadata; pseudonymised. We do not forward Customer Code or Customer Personal Data to Sentry. | EU (Frankfurt) for EU region, US for US region. |
| OpenReplay, Inc. | Session replay for the marketing and dashboard front-end (UI-only, never replays code-handling actions or Customer Code). | Pseudonymised session events, click streams, page-view events. | EU (Frankfurt) for EU region, US for US region. |
| PostHog, Inc. | Product analytics on the marketing site and in-product UI (event-level, no replay of code-handling actions). | Pseudonymised user identifiers, page-view events, feature-usage events. | EU (Frankfurt) for EU region, US for US region. |
How regions affect this list
The platform runs as two independent regions, EU and US. Each customer selects a region at signup, and customer data is processed in that region's sub-processors only.
- EU region, EU-resident sub-processors for the storage tier (Scaleway, Resend EU, Sentry EU, OpenReplay EU, PostHog EU, Stripe EU).
- US region, US-resident sub-processors (Google Cloud US, Resend US, Sentry US, OpenReplay US, PostHog US, Stripe US).
The AI inference layer (self-hosted open-weight Mistral models) runs on Scaleway EU for both regions. No prompts, completions or Customer Code are ever sent to third-party AI APIs. Where a sub-processor is genuinely global (Cloudflare for edge), data is routed in line with the customer's region preference where the provider supports it.
Advance notice and right to object
For enterprise customers we commit to at least 30 days' advance notice before we engage a new sub-processor or materially expand the role of an existing one. Notice is given via:
- this page, with an updated "Last updated" date and a changelog entry;
- a direct email to the contact on file for customers on the Enterprise plan.
The customer may object to a new sub-processor on legitimate data-protection grounds. If the objection cannot be resolved in good faith within 30 days, the customer may terminate the affected portion of the Services without penalty, in line with the DPA.
Contact
To request advance notice as a non-Enterprise customer, or to raise an objection, write to our legal team. For day-to-day data-protection questions: our contact email.