Subprocessor List

Last reviewed: 2026-05-10

Review cadence: Quarterly, plus on any change.

Contact for updates: security@hailbytes.com

Audience: Procurement, DPO, and legal teams completing a DPA review.

Purpose: Enumerate, by product and by category, every third-party HailBytes engages that touches customer data or that operates infrastructure in service of HailBytes’ obligations to the customer.


1. How to read this list

HailBytes operates a Bring-Your-Own-Cloud architecture. The bulk of what would be subprocessors for a multi-tenant SaaS vendor is, for HailBytes, infrastructure the customer themselves chooses and operates. The lists below are split accordingly:

  • A. HailBytes’ own subprocessors. Third parties HailBytes contracts with directly that process data on HailBytes’ behalf. These appear in the HailBytes DPA.
  • B. Customer-elected integrations. Third parties the customer chooses to connect their HailBytes deployment to. The customer’s data flows directly from their deployment to these third parties; HailBytes does not interpose. The customer’s own DPAs with these parties govern. They are listed here for completeness so customers have a single inventory.

Sections are separated by product (ASM, SAT). Where the list is identical for both products, the entry says “Both.”


A. HailBytes’ subprocessors (HailBytes contracts directly)

| Subprocessor | Function | Data categories | Location | Applies to | Contract status |
|---|---|---|---|---|---|
| GitHub, Inc. (Microsoft) | Source-code hosting, CI/CD, container registry (ghcr.io), release artifact distribution | Source code, public release artifacts, container images. No customer-tenant data. | United States | Both | Standard GitHub Enterprise terms + Microsoft DPA |
| Microsoft Azure | Marketplace listing distribution; build VMs for Packer image creation; HailBytes-operated support portal and marketing site (where applicable) | Public release artifacts; Marketplace settlement metadata (customer name, subscription ID, billing) | Region depends on workload; primary East US 2 | Both | Microsoft Online Services DPA |
| Amazon Web Services | Marketplace listing distribution; build VMs for Packer image creation | Public release artifacts; Marketplace settlement metadata | Region depends on workload; primary us-east-1 | Both | AWS Customer Agreement + AWS DPA |
| Cloudflare, Inc. | Marketing site CDN/WAF (hailbytes.com), DNS, and the runtime host for the HailBytes-built Support Hub (Cloudflare Workers + Pages + KV/D1 as the storage backend). The Support Hub is HailBytes’ own application that notifies HailBytes personnel of pending support and integration tickets; it is not a third-party ticketing product. | Marketing site traffic (visitor IPs, request metadata); Support Hub data (ticket subject, body, customer contact email, support-thread metadata). No customer-tenant scanning or campaign data. | Global edge; Cloudflare KV/D1 datastore | Both | Cloudflare DPA |
| Sigstore (public good infrastructure, Linux Foundation) | Container image signing (Fulcio CA, Rekor transparency log) for ASM | Image digests and signing-event metadata. No customer data. | United States (public infrastructure) | ASM | Public good service; no contract |
| Stripe, Inc. | Direct-checkout subscription billing (where used outside of cloud Marketplaces) | Customer billing contact, card token, transaction history | United States, EU | Both | Stripe DPA |
| Anthropic, PBC | LLM API for internal HailBytes use (UAT report grading, documentation generation). Not invoked from the customer-deployed product. | Test artifacts, public documentation drafts. No customer-tenant data. | United States | HailBytes internal use only | Anthropic DPA |
| Google LLC (Google Workspace) | Internal email, calendar, document collaboration, and marketing email distribution (newsletter, partner updates). Also the underlying mail platform for transactional and operational email. | Marketing-list contacts (work email, name, company) for individuals who have opted in; internal HailBytes communications; support-thread email contents the customer sends. No customer-tenant data. | United States; data residency per Google Workspace policy (HailBytes’ tenant is in the standard Google region set, not the EU data-region option at this time) | Both | Google Cloud DPA; Google Workspace standard terms |
| Boden McHale (engineering services contractor) | Engineering services on the HailBytes product line. | Source code, public release artifacts, internal HailBytes systems. No customer-tenant data unless customer explicitly grants access during a support engagement. | United States | Both | Contractor agreement with NDA + IP assignment; no direct access to customer deployments by default |

B. Customer-elected integrations

These are configured by the customer in their own HailBytes deployment, with their own credentials, and process data flowing directly from the customer’s deployment to the third party. HailBytes does not contract with these parties on the customer’s behalf.

B.1 HailBytes ASM — customer-elected integrations

LLM providers (optional, customer brings API key):

  • OpenAI; Anthropic; OpenRouter; locally hosted Ollama.

Threat intelligence sources (optional, customer brings API key per source):

  • Shodan, Censys, GreyNoise, VirusTotal, AbuseIPDB, Have I Been Pwned, MISP, OpenCTI, AlienVault OTX, Netlas.

Cloud-asset discovery connectors (optional, customer scopes credentials):

  • AWS (boto3), Azure (azure-mgmt SDK), GCP (google-cloud SDK), Cloudflare (REST API v4).

Notification destinations (optional, customer-owned webhook URLs):

  • Slack, Discord, Telegram, Microsoft Teams, Lark, PagerDuty, Opsgenie, Jira, ServiceNow, GitHub Issues, GitLab Issues, generic webhooks.

SIEM / event dispatch (optional, customer-owned endpoints):

  • Syslog (CEF), Splunk HEC, Microsoft Sentinel (Azure Monitor), generic webhooks.

B.2 HailBytes SAT — customer-elected integrations

SMTP relay (required for phishing-simulation send):

  • Customer-owned SMTP relay or customer-contracted email-relay provider (the SAT product does not impose a specific provider; the customer chooses).

IMAP reply tracking (required for the reply-tracking feature, optional otherwise):

  • Customer-owned IMAP mailbox.

LLM providers (optional, customer brings API key and endpoint):

  • Configurable provider; commonly OpenAI, Anthropic, or self-hosted. Used for campaign-summary generation with documented PII-redaction in the prompt.

SIEM / event dispatch (optional):

  • Splunk HEC, Microsoft Sentinel via Log Analytics, generic webhooks.

C. What to do with this list as a customer reviewer

  • For an LGPD or GDPR review, the parties in §A are the ones to enumerate in your record of processing activities relating to HailBytes. Parties in §B should be enumerated relative to your own configuration choices; they are not HailBytes’ subprocessors.
  • If you intend to disable certain customer-elected integrations entirely, you can do so at deployment time. The product functions with the §B list empty (with the exception of SMTP for SAT, which is required for phishing send).
  • HailBytes commits to notifying customers of any addition or change to §A at least 30 days in advance by publishing an updated version of this document and emailing the security contact on record. To subscribe directly to subprocessor-change notifications, email subprocessors@hailbytes.com. Customers may object; the contract terms (DPA §5.2) govern remedies.

Cross-references: byoc-architecture.md §3 (data flow boundary); lgpd-compliance.md (cross-border transfer framing for §A entries); caiq-lite.md SEF and GRM control families.