1 Introduction
Agentys Inc. ("Agentys") is committed to transparency regarding the third-party service providers that process personal data on behalf of our customers. This Sub-Processor List identifies the sub-processors that Agentys engages to deliver its AI-powered email management platform.
- Agentys uses carefully selected sub-processors to deliver our AI email management service.
- All sub-processors are bound by Data Processing Agreements (DPAs) that impose obligations no less protective than those in our agreements with customers.
- All sub-processors meet our security and privacy requirements, including minimum certifications and technical safeguards.
- Changes to the sub-processor list are communicated to customers at least 30 days in advance of engagement.
This document is classified as Public and may be shared with customers, prospects, and auditors without restriction.
2 Current Sub-Processors
The following table lists all sub-processors currently authorized to process personal data in connection with the Agentys platform. Data categories, processing locations, and certifications are provided for each sub-processor.
| Sub-Processor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, compute | All customer data (encrypted at rest and in transit) | Canada (ca-central-1), with US backup | SOC 2 ISO 27001 GDPR |
| Google Cloud Platform | AI/ML inference | Email content (ephemeral, not stored) | Canada / US | SOC 2 ISO 27001 GDPR |
| Anthropic | AI language model inference | Email content (ephemeral, not stored, not used for training) | US | SOC 2 GDPR |
| Supabase | Database and authentication | User accounts, preferences, metadata | US (AWS-backed) | SOC 2 GDPR |
| Stripe | Payment processing | Billing information only (no email data) | US | PCI DSS Level 1 SOC 2 |
| Resend | Transactional email (system emails only) | Email addresses, system notifications | US | SOC 2 |
| Vercel | CDN and edge functions | Static assets, anonymized analytics | Global (edge) | SOC 2 |
| Sentry | Error monitoring | Anonymized error logs (no PII) | US | SOC 2 GDPR |
3 Sub-Processor Change Notification
Agentys maintains a transparent process for notifying customers of changes to our sub-processor list. The following procedures apply when a new sub-processor is added or an existing sub-processor is replaced:
- 30 days advance notice is provided before any new sub-processor begins processing personal data.
- Notification method: Email notification is sent to designated privacy and security contacts on file for each customer account.
- Objection right: Customers may submit a written objection within the 30-day notice period if they have reasonable grounds to believe the new sub-processor cannot adequately protect their data.
- Resolution process: Agentys will work in good faith to address any objection, including by offering an alternative sub-processor or configuration. If the objection cannot be resolved to the customer's reasonable satisfaction, the customer may terminate the affected services without penalty.
Objections must be submitted in writing to privacy@agentys.io within the 30-day notice period and must include the specific grounds for the objection.
4 Security Requirements for Sub-Processors
Agentys imposes rigorous security requirements on all sub-processors prior to engagement and on an ongoing basis. Every sub-processor must satisfy the following minimum criteria:
- Certification: Minimum SOC 2 Type 2 or ISO 27001 certification, independently audited and current.
- Data Processing Agreement: A signed DPA must be in place that meets the requirements of applicable data protection legislation, including GDPR and Quebec Law 25.
- Regular security assessments: Sub-processors are subject to periodic security reviews, including questionnaire-based assessments and, where appropriate, on-site or remote audits.
- Encryption: All personal data must be encrypted at rest (AES-256 or equivalent) and in transit (TLS 1.2+).
- Incident notification: Sub-processors must notify Agentys of any security incident affecting customer data within 48 hours of discovery.
Additional Safeguards
- Access to personal data is restricted to authorized personnel on a need-to-know basis.
- Sub-processors must maintain documented information security policies and incident response procedures.
- Sub-processors may not engage their own sub-processors for the processing of Agentys customer data without prior written approval from Agentys.
5 How to Subscribe to Updates
Customers and interested parties can subscribe to receive notifications whenever the Agentys Sub-Processor List is updated:
- Email privacy@agentys.io with the subject line "Subscribe: Sub-Processor Updates" to be added to the notification list.
- Include the name and email address of the designated contact(s) who should receive notifications.
- All updates to this Sub-Processor List are also published on this page.
We recommend that customers designate at least one privacy or security contact to receive sub-processor change notifications as part of their account setup.
6 Contact
For questions about this Sub-Processor List, our data processing practices, or to exercise any rights under applicable data protection legislation, please contact us using the information below:
Last updated: February 2026 • Version 1.0 • Agentys Inc.