Subprocessor List

Adjudica.AI — Glass Box Solutions, Inc.

Last Updated: [INSERT DATE]

Overview

This page lists the third-party subprocessors that Glass Box Solutions, Inc. ("Provider") engages to process Customer data in connection with the Adjudica.AI platform. This list is maintained pursuant to our Data Processing Agreement and Business Associate Agreements.

To receive notifications of subprocessor changes: Email privacy@adjudica.ai with subject "Subprocessor Updates Subscribe"


Current Subprocessors

Infrastructure & Hosting

| Subprocessor | Location | Purpose | Data Processed | Certifications |
|---|---|---|---|---|
| Google Cloud Platform (GCP) | United States (us-west1, us-central1) | Cloud infrastructure, data storage, computing | All Customer data including PHI | SOC 1/2/3, ISO 27001/17/18, HIPAA BAA, FedRAMP |
| Google Cloud SQL | United States (us-west1) | Database services | Structured data, case metadata, user data | SOC 2, ISO 27001, HIPAA BAA |
| Google Cloud Storage | United States (us-west1) | Document and file storage | Uploaded medical records, legal documents, PHI | SOC 2, ISO 27001, HIPAA BAA |

Contact: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043

Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice

Compliance: https://cloud.google.com/security/compliance

AI & Machine Learning

| Subprocessor | Location | Purpose | Data Processed | Certifications |
|---|---|---|---|---|
| Google Gemini / Vertex AI | United States (us-west1) | AI language model for document analysis, legal research, OCR, text extraction | Medical records, legal briefs, user queries, case analysis (no model training) | SOC 2, ISO 27001, HIPAA BAA |

Google Contact: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043

Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice

Data Retention: Prompts and responses not retained beyond request processing (per BAA terms)

Vector Database & Search

| Subprocessor | Location | Purpose | Data Processed | Certifications |
|---|---|---|---|---|
| Pinecone | United States (us-west1-gcp) | Vector database for semantic search and document retrieval | Document embeddings (mathematical representations), metadata | SOC 2 Type II, HIPAA BAA |

Contact: Pinecone Systems, Inc., New York, NY

Privacy Policy: https://www.pinecone.io/privacy

Data Type: Embeddings only (not raw PHI text)

Authentication & Identity

| Subprocessor | Location | Purpose | Data Processed | Certifications |
|---|---|---|---|---|
| Google Identity Platform | United States | Authentication, SSO | User credentials, session data | SOC 2, ISO 27001, HIPAA BAA |

Email & Communications

| Subprocessor | Location | Purpose | Data Processed | Certifications |
|---|---|---|---|---|
| SendGrid (Twilio) | United States | Transactional email delivery | Email addresses, notification content | SOC 2 Type II, ISO 27001 |

Payment Processing

| Subprocessor | Location | Purpose | Data Processed | Certifications |
|---|---|---|---|---|
| Stripe | United States | Payment processing, billing | Payment information, billing details (no PHI) | PCI DSS Level 1, SOC 2 |

Monitoring & Analytics

| Subprocessor | Location | Purpose | Data Processed | Certifications |
|---|---|---|---|---|
| Google Cloud Operations | United States | System monitoring, logging | System logs, performance metrics (no PHI in logs) | SOC 2, ISO 27001 |
| Sentry | United States | Error tracking, application monitoring | Error reports, stack traces (no PHI) | SOC 2 Type II |

Support & Customer Success

| Subprocessor | Location | Purpose | Data Processed | Certifications |
|---|---|---|---|---|
| [Support Platform TBD] | United States | Customer support ticketing | Support ticket content, contact info | SOC 2 |

Subprocessor Data Handling Summary

PHI Access

| Subprocessor | PHI Access | BAA Executed |
|---|---|---|
| Google Cloud Platform | Yes | Yes |
| Google Gemini / Vertex AI | Yes | Yes |
| Pinecone | Limited (embeddings) | Yes |
| Google Identity | No | N/A |
| SendGrid | No | N/A |
| Stripe | No | N/A |
| Sentry | No | N/A |

AI Training Restrictions

Our AI provider (Google) is contractually prohibited from:

  • Using Customer data for model training
  • Retaining data beyond request processing
  • Sharing data with third parties

Subprocessor Change History

| Date | Change Type | Subprocessor | Description |
|---|---|---|---|
| [DATE] | Initial | All | Initial subprocessor list published |

Data Flow & Processing Activities

High-Level Data Flow

User Upload → GCP Storage → Document AI (OCR) → Application Database (Cloud SQL)
                ↓
          AI Processing (Google Gemini) → Vector Embeddings (Pinecone)
                ↓
          Analysis Results → User Interface

Processing Activity by Subprocessor

| Activity | Subprocessors Involved | Data Movement |
|---|---|---|
| Document Upload | GCP Storage, Cloud SQL | User → GCP (us-west1) |
| OCR/Text Extraction | Google Vertex AI, Document AI | GCP Storage → Vertex AI → Cloud SQL |
| AI Analysis | Google Gemini | Cloud SQL → AI API → Cloud SQL (results) |
| Semantic Search | Pinecone | Document text → Embeddings → Pinecone index |
| Authentication | Google Identity | Browser → Google Identity → Application |
| Notifications | SendGrid | Application → SendGrid → User email |
| Error Logging | Sentry | Application errors → Sentry (no PHI) |

Geographic Boundaries: All data processing occurs within United States data centers. No cross-border transfers.


Regional Data Storage

Primary Region

  • Location: us-west1 (Oregon)
  • Subprocessors: GCP, Cloud SQL, Cloud Storage, Vertex AI
  • Data: All Customer data at rest

Secondary/DR Region (if applicable)

  • Location: us-central1 (Iowa)
  • Subprocessors: GCP (backup/DR only)
  • Data: Encrypted backups only

AI Processing Regions

  • Google Gemini / Vertex AI: US-based API endpoints (us-west1)
  • Pinecone: us-west1-gcp pod

Note: We do not store Customer data outside the United States.


Notification of Changes

Pursuant to our Data Processing Agreement:

  • New Subprocessors: Customers will receive at least 30 days' notice before a new subprocessor begins processing Customer data
  • Objection Period: Customers may object to a new subprocessor within 15 days of notification
  • Updates: This list will be updated when subprocessors are added or removed

How We Notify

Notification methods:

  1. Email to registered account owner
  2. In-app notification banner
  3. Update to this page with highlighted changes
  4. Optional: Slack/webhook notification (if configured)

Notification timeline:

  • Day 0: Subprocessor change announcement
  • Day 15: Objection deadline
  • Day 30: New subprocessor may begin processing

Subscribe to Updates

To receive email notifications of subprocessor changes:

  • Email: privacy@adjudica.ai
  • Subject: "Subprocessor Updates Subscribe"
  • Include: Company name, contact email, preferred notification method

Update frequency: Immediate notification upon subprocessor addition/removal


Customer Right to Object

Objection Process

If you object to a new subprocessor:

Step 1: Submit Objection (within 15 days of notification)

  • Email: privacy@adjudica.ai
  • Subject: "Subprocessor Objection - [Subprocessor Name]"
  • Include: Reason for objection, any alternative solutions you propose

Step 2: Provider Response (within 10 business days)

  • We will either:
    • Work with you to address concerns (modify contract, additional safeguards)
    • Provide alternative technical solution (if feasible)
    • Discuss transition options if agreement cannot be reached

Step 3: Resolution

  • If concerns addressed: New subprocessor proceeds with additional safeguards
  • If alternative solution: Implementation of workaround
  • If no resolution: You may terminate services per DPA termination provisions

Valid Objection Grounds

Objections should be based on:

  • Security or privacy concerns specific to the subprocessor
  • Regulatory compliance conflicts
  • Jurisdictional restrictions
  • Contractual conflicts with your own obligations

Due Diligence

Before engaging any subprocessor, Glass Box Solutions conducts:

  1. Security Assessment

    • Review of security certifications (SOC 2, ISO 27001)
    • Security questionnaire evaluation
    • Penetration test results (where available)
  2. Privacy Assessment

    • Data handling practices review
    • Privacy policy evaluation
    • CCPA/HIPAA compliance verification
  3. Contractual Requirements

    • Data Processing Agreement execution
    • Business Associate Agreement (where PHI is processed)
    • Confidentiality provisions
    • Audit rights
  4. Ongoing Monitoring

    • Annual security review
    • Certification renewal verification
    • Incident notification monitoring

Regulatory Compliance Mapping

HIPAA Compliance

All subprocessors that process PHI have executed Business Associate Agreements:

| Subprocessor | BAA Status | BAA Date | Compliance Verified |
|---|---|---|---|
| Google Cloud Platform | ✓ Executed | [DATE] | Annual |
| Google Gemini / Vertex AI | ✓ Executed | [DATE] | Annual |
| Pinecone | ✓ Executed | [DATE] | Annual |

Verification: All BAAs reviewed annually and upon subprocessor security certification updates.

CCPA/CPRA Compliance

Subprocessors are designated as "Service Providers" under CCPA:

Service Provider Requirements Met:

  • ✓ Written contract with enumerated business purposes
  • ✓ Prohibition on selling/sharing personal information
  • ✓ Prohibition on combining data outside contractual purpose
  • ✓ Certification of understanding obligations
  • ✓ Right to audit compliance

SOC 2 Type II Verification

| Subprocessor | SOC 2 Type II | Report Date | Next Review |
|---|---|---|---|
| Google Cloud | | [DATE] | Annual |
| Pinecone | | [DATE] | Annual |
| Sentry | | [DATE] | Annual |
| SendGrid | | [DATE] | Annual |
| Stripe | | [DATE] | Annual |

Monitoring: SOC 2 reports reviewed upon issuance; alerts set for expiration.


Incident Response & Breach Notification

Subprocessor Obligations

All subprocessors are contractually required to:

  1. Notify Glass Box Solutions within 24-48 hours of becoming aware of any security incident
  2. Provide incident details: Nature of breach, data affected, mitigation steps
  3. Cooperate with investigation: Forensics, root cause analysis, remediation
  4. Implement corrective measures: Address vulnerabilities, prevent recurrence

Our Response

Upon subprocessor breach notification:

Within 24 hours:

  • Assess Customer data impact
  • Begin internal investigation
  • Implement containment measures

Within 72 hours:

  • Notify affected Customers (per BAA/DPA)
  • Provide incident summary and impact assessment
  • Outline remediation steps

Ongoing:

  • Work with subprocessor on root cause analysis
  • Implement additional safeguards if needed
  • Provide regular updates to affected Customers
  • Re-evaluate subprocessor relationship if warranted

Audit Rights

Customer Audit Rights

Pursuant to our DPA and BAAs:

Customers may:

  • Request subprocessor security certifications (SOC 2, ISO 27001)
  • Request subprocessor BAA copies (if applicable)
  • Conduct annual audit of Provider's subprocessor management
  • Request evidence of subprocessor due diligence

Limitations:

  • Direct audits of subprocessors require subprocessor consent
  • NDA required for confidential subprocessor information
  • Audit frequency limited per DPA (typically annual)

How to request:

  • Email: compliance@adjudica.ai
  • Subject: "Subprocessor Audit Request"
  • Include: Specific information/certification needed

Questions

For questions about our subprocessors:

Support hours: Monday-Friday, 9am-5pm Pacific Time

Emergency security contact: security@adjudica.ai (24/7 monitored)


Document History

| Date | Version | Changes |
|---|---|---|
| [DATE] | 1.0 | Initial publication |
| [DATE] | 1.1 | Added [Subprocessor Name] |
| [DATE] | 1.2 | Updated certifications |

Current Version: 1.0

Next Scheduled Review: [DATE]


This Subprocessor List is updated periodically. Last update: [INSERT DATE]

Glass Box Solutions, Inc.


Developed & Documented by Glass Box Solutions, Inc. using human ingenuity and modern technology