Sub-Processors

A sub-processor is a third-party service Altx engages to process personal data on our behalf as we deliver altx forms. Every sub-processor with access to your personal data operates under our master Data Processing Agreement (ACPL/DPDPA/R601) in addition to its own DPA where applicable. This page is the source of truth for the current list and is updated whenever we engage a new sub-processor.

The full Record of Processing Activities (RoPA) that maps each sub-processor to the specific activities it serves is maintained internally and made available to regulators and to enterprise customers under NDA.

1. PRODUCTION INFRASTRUCTURE

• Amazon Web Services (AWS), region ap-south-1 (Mumbai, India) — cloud infrastructure: compute, databases (PostgreSQL with pgvector), object storage (S3), KMS for encryption keys, Secrets Manager, GuardDuty, CloudWatch, SES for transactional email. SOC 2 Type II; ISO 27001 / 27017 / 27018; PCI-DSS.

2. IDENTITY & AUTHENTICATION

• Auth0 (Okta) — user authentication, password management, SSO, MFA. SOC 2 Type II; ISO 27001. Country of processing: subject to Auth0 tenant region.

3. PAYMENT PROCESSING

Payment-card data is captured directly by the payment processor; Altx sees only transaction metadata.

• Chargebee — subscription management (billing, invoicing, dunning, AltX Coins). SOC 2 Type II.
• Razorpay — card / UPI / netbanking payments for Indian customers. PCI-DSS Level 1; RBI-regulated. Country: India.
• Stripe — card payments for international customers. PCI-DSS Level 1. Country: US / EU per Stripe processing regions.

4. AI PROVIDERS

AI providers are invoked only when an account-holder uses an AI feature (form generation, conversational analytics, response intelligence). Prompts (which may include user-form content) are sent ephemerally to the relevant provider; outputs are returned and stored against the form / form response in Altx’s systems. We have contractually instructed each provider that identifiable Customer Data may NOT be used to train shared models without our explicit consent.

• Anthropic PBC (Claude API) — primary AI provider. Country: United States. SOC 2 Type II; no training on identifiable customer data.
• OpenAI — alternate AI provider per workload. Country: United States. SOC 2; no training on identifiable customer data without consent.

5. CORPORATE & OPERATIONAL SERVICES

• Google LLC (Google Workspace) — corporate email, calendar, Drive (for support communications, ISMS / DPDPA documentation, HR records). Not used to store altx forms product data. ISO 27001 / 27018; SOC 2. Country: Google data regions (subject to Workspace configuration).

6. LEGAL & REGULATORY AUTHORITIES

Where required by law — court orders, lawful statutory requests, regulator inquiries — we may disclose personal data to Indian authorities (Income Tax Department, GSTN / tax authorities, CERT-In, Data Protection Board of India, police and courts). These disclosures are not made on our instructions; they are mandated by law. We log every such disclosure for audit purposes.

7. CROSS-BORDER PROCESSING

8. NOTIFICATION OF CHANGES

When we engage a new sub-processor that handles personal data, we update this page before the new sub-processor begins processing. For material changes that introduce a new purpose, a new sensitive data category, or a new cross-border transfer, we will notify our customers by email at least 30 days in advance and, where required by law, obtain fresh consent before the change takes effect.

9. QUESTIONS