List of Archonite Subprocessors
To provide our global Identity Verification (IDV) and Know Your Customer (KYC) services, Archonite engages select third-party entities ("Subprocessors") to process Customer Data.
This document serves as our public disclosure in accordance with Article 28 of the GDPR and other global privacy frameworks. It details the identity, location, and role of each Subprocessor.
1. Definitions
- Subprocessor: A third-party data processor engaged by Archonite that has, or potentially will have, access to Service Data or will process it (Service Data may contain Personal Data).
- Infrastructure Provider: A vendor that provides the physical or virtual hardware (cloud) upon which the Archonite platform runs.
- Service Partner: A vendor that provides specific functionality (e.g., email delivery, payments) integrated into the Archonite platform.
2. Authorized Subprocessors
The following entities are currently authorized to process data on behalf of Archonite. We ensure that all listed Subprocessors are rigorously vetted and bound by data protection obligations consistent with our own standards.
| Entity Name | Corporate Location | Purpose / Role | Service Details |
|---|---|---|---|
| Vercel Inc. | United States | Cloud Infrastructure & Hosting | Hosts our API endpoints and provides server-side metrics to monitor latency and error rates. |
| Google LLC (Gemini API) | United States | Artificial Intelligence (AI) | Powers our "AI-driven anomalies detection" for traffic patterns and performs "AI review" and "Liveness Detection" on verification data. |
| Supabase Inc. | United States | Database & Storage | Provides secure database hosting and persistence for encrypted user states and audit logs. |
| Polar Software Inc. | Sweden (HQ) / United States (Processing) | Payment Processing | Acts as Merchant of Record (MoR). Powered by Stripe; payment data is processed via Stripe's global infrastructure (primarily US) for fraud detection and settlement. |
| Hostinger International Ltd. | Lithuania | Email Services | Facilitates the "Branded Verification Mailbox" services and handles support correspondence (e.g., support@archonite.xyz). |
| GitHub Inc. | United States | Source Code Management | Used for version control and CI/CD pipelines to maintain our "Developer-first API" and SDKs. |
These Subprocessors are critical to the delivery of the Archonite API and Platform. Removal or failure of these services would result in a total service outage.
3. Due Diligence & Security Controls
As detailed in our MVSP Declaration, Archonite adheres to a "Least Privilege" and "Minimal Surface Area" philosophy when selecting vendors.
Before onboarding a new Subprocessor, the Archonite Security Team conducts a risk assessment covering:
- Security Certifications: Preference for SOC 2 Type II, ISO 27001, or equivalent attestations.
- GDPR Alignment: Verification of the vendor's ability to support Data Subject Rights (deletion, export, rectification).
- Data Residency: Assessment of the physical location of servers to ensure compliance with data sovereignty laws.
4. Data Residency & Sovereignty
4.1 Default Region
By default, Archonite's primary infrastructure (Vercel/Supabase) is provisioned in EU-Frankfurt for clients subject to European Economic Area (EEA) Standard Contractual Clauses (SCCs), and in US-East (N. Virginia) for the rest, to ensure maximum global availability and lowest latency.
4.2 EU Residency
For consignees that use the packages with AML, CTF, and PEP checks, Archonite utilizes region-pinning features provided by our infrastructure partners (specifically Supabase and Vercel) to ensure that Data at Rest remains within the European Economic Area (EEA), specifically Frankfurt (Germany).
5. Updates & Notifications
Archonite agrees to notify the Data Controller (our client) prior to any changes to this list, granting the right to object to new Subprocessors. For inquiries regarding specific data locations or to request our latest vendor audit reports, please contact our Data Protection Officer at dpo@archonite.xyz.
6. Right to Object
If you have a legitimate reason to object to a new Subprocessor (e.g., due to a competitor conflict or specific compliance failure), you may submit a formal objection to dpo@archonite.xyz within 10 days of the notification.
If we cannot accommodate your objection, you may have the right to terminate your agreement with Archonite under predefined conditions.
