{
  "$schema": "https://travelminds.ai/legal/sub-processors.schema.json",
  "version": "0.2-draft",
  "last_edited": "2026-05-15",
  "notice_period_days": 30,
  "url_human": "https://travelminds.ai/legal/sub-processors",
  "url_json": "https://travelminds.ai/legal/sub-processors.json",
  "status_legend": {
    "active": "currently in production for at least one Customer-facing service",
    "anticipated": "likely to be engaged within the next 12 months; listed proactively",
    "conditional": "engaged only on Customer's explicit opt-in (e.g. cloud-LLM tier)"
  },
  "sub_processors": [
    {
      "id": "S1",
      "name": "Anthropic, PBC",
      "status": "conditional",
      "tier_gating": "cloud_claude",
      "legal_entity": "Anthropic, PBC",
      "location_of_entity": "Delaware, USA",
      "location_of_processing": ["USA"],
      "purpose": "LLM inference for Concierge natural-language responses; only when Customer purchases the cloud_claude Concierge tier",
      "data_categories": [
        "Customer-submitted prompt strings",
        "Provider-injected grounding context (license-filtered city / POI rows; non-PII)"
      ],
      "transfer_safeguards": [
        "Anthropic DPA",
        "2021 EU SCCs",
        "Provider configures zero-retention API mode"
      ],
      "customer_opt_out": "Yes — purchase the local_inference Concierge tier"
    },
    {
      "id": "S2",
      "name": "Paddle.com Market Limited",
      "status": "active",
      "active_since": "2026-05-03",
      "legal_entity": "Paddle.com Market Limited",
      "location_of_entity": "London, United Kingdom",
      "location_of_processing": ["EEA", "UK", "USA"],
      "purpose": "Merchant-of-record billing for non-India Customers: subscription management, invoicing, sales-tax / VAT collection, dunning, webhooks",
      "data_categories": [
        "Billing contact (name, work email, billing address)",
        "Transaction metadata (subscription ID, plan, amount, currency, date)",
        "IP address",
        "Payment-method indicators (no full PAN reaches Provider)"
      ],
      "transfer_safeguards": ["Paddle DPA", "2021 EU SCCs"],
      "customer_opt_out": "No — Paddle is Merchant of Record. Alternative: Razorpay path for INR contracts."
    },
    {
      "id": "S3",
      "name": "Razorpay Software Private Limited",
      "status": "active",
      "legal_entity": "Razorpay Software Private Limited",
      "location_of_entity": "Bengaluru, India",
      "location_of_processing": ["India"],
      "purpose": "India payment processing: UPI, NEFT, RTGS, RuPay, e-NACH mandates for Indian Customers",
      "data_categories": [
        "Customer billing entity name",
        "GSTIN where provided",
        "Transaction reference, amount, currency"
      ],
      "transfer_safeguards": [
        "India-to-India transfer",
        "DPDP Act applies",
        "No cross-border transfer at this layer"
      ],
      "customer_opt_out": "No — Razorpay is the only India payment rail Provider supports"
    },
    {
      "id": "S4",
      "name": "Cloudflare, Inc.",
      "status": "active",
      "legal_entity": "Cloudflare, Inc.",
      "location_of_entity": "San Francisco, California, USA",
      "location_of_processing": ["Global (CDN edge incl. EU PoPs)"],
      "purpose": "CDN, DDoS mitigation, TLS termination for api.travelminds.ai and travelminds.ai; Email Routing for @travelminds.ai domain inboxes",
      "data_categories": [
        "Request / response metadata (headers, IP, URL, status)",
        "Email metadata + content for routed inboxes"
      ],
      "transfer_safeguards": ["Cloudflare DPA", "2021 EU SCCs"],
      "customer_opt_out": "No on cloud surface. On-prem deployments bypass Cloudflare entirely; in that case Cloudflare drops out of that Customer's inventory."
    },
    {
      "id": "S5",
      "name": "GitHub, Inc.",
      "status": "active",
      "legal_entity": "GitHub, Inc. (a subsidiary of Microsoft Corporation)",
      "location_of_entity": "San Francisco, California, USA",
      "location_of_processing": ["USA", "EU"],
      "purpose": "Source-code hosting for Provider's private repositories; SDR-Loop-A scraping of public repos. Does not process Customer Personal Data in the ordinary course.",
      "data_categories": [
        "Source code",
        "Provider-internal commit metadata",
        "Rare: a Customer's GitHub handle if disclosed during integration"
      ],
      "transfer_safeguards": ["GitHub DPA", "Microsoft SCCs"],
      "customer_opt_out": "Customer Personal Data is not Processed via GitHub by default; opt-out not required."
    },
    {
      "id": "S6",
      "name": "Hetzner Online GmbH",
      "status": "anticipated",
      "legal_entity": "Hetzner Online GmbH",
      "location_of_entity": "Gunzenhausen, Germany",
      "location_of_processing": ["EU (Helsinki, Falkenstein)", "India region (if regulatory)"],
      "purpose": "Hosting of the Postgres warehouse + API gateway + Concierge stack outside the primary site; off-site backup target",
      "data_categories": [
        "All Personal Data categories listed in DPA Schedule 1, encrypted at rest, once ACTIVE"
      ],
      "transfer_safeguards": [
        "EEA-internal for EU Customers",
        "India→EU under SCCs / DPDP §16 depending on Controller role"
      ],
      "customer_opt_out": "30-day notice before move to ACTIVE; Customer may object per DPA §7.3"
    },
    {
      "id": "S7",
      "name": "Resend, Inc.",
      "status": "anticipated",
      "legal_entity": "Resend, Inc.",
      "location_of_entity": "Delaware, USA",
      "location_of_processing": ["USA", "EU"],
      "purpose": "Transactional email delivery (sign-up confirmations, billing receipts, password reset, breach notifications)",
      "data_categories": [
        "Recipient email address",
        "Subject and body of transactional emails (Customer authorised-representative contact, typically not end-user data)"
      ],
      "transfer_safeguards": ["Resend DPA + SCCs (verify at counsel review)"],
      "customer_opt_out": "Customer may request paper-only or alternate-email-domain delivery; reasonable effort"
    }
  ],
  "out_of_scope": [
    "Local dev-machine LLM runtimes — batch processing only, no Customer data",
    "Anthropic Console / Claude Code — Provider developer-tool usage, no Customer data shared",
    "Third-party data sources (Foursquare, OpenStreetMap, Wikipedia, Wikivoyage, Wikidata, GeoNames, Overture, NPS, USGS, ASI, GTAI, Indian state tourism portals): ingestion sources, not Sub-processors. License posture is governed by the 16-class license registry (travelminds.ai/security)."
  ],
  "changelog": [
    {
      "version": "0.2-draft",
      "date": "2026-05-15",
      "notes": "Public listing stood up. ACTIVE: Paddle, Razorpay, Cloudflare, GitHub. CONDITIONAL: Anthropic (cloud-Concierge tier only). ANTICIPATED: Hetzner, Resend."
    },
    {
      "version": "0.1-internal",
      "date": "2026-05-07",
      "notes": "Initial draft in legal/templates/sub_processor_list.md; not yet publicly listed."
    }
  ]
}