Trust & Compliance
Sub-processors
This page lists the third-party sub-processors that may process customer data on behalf of Clear Garment Group (CGG) in connection with the Enterprise Trust API. It is the canonical reference for DPA Annex 2 and SIG Lite §M.3, and is updated immediately upon any material change.
Active sub-processors
Currently authorized to process customer data on CGG's behalf.
| Sub-processor | Service | Data scope | Location | Certifications |
|---|---|---|---|---|
| Vercel | Hosting, edge network, serverless functions | Customer requests/responses transit Vercel edge; payload not retained beyond transaction. | US, Global edge | SOC 2 Type 2 |
| Amazon Web Services (via Vercel) | Underlying compute & storage infrastructure for the Vercel edge platform | Same payload scope as Vercel; AWS is Vercel's underlying infrastructure provider, disclosed for transparency. | US, Global | SOC 1 / 2 / 3, ISO 27001, ISO 27017, ISO 27018, FedRAMP, PCI-DSS |
| Let's Encrypt (ISRG) | TLS certificate authority | Certificate signing requests; no customer data. | US, Global | WebTrust-audited CA |
| Google Fonts CDN | Font asset delivery | IP address of end-user browsers requesting fonts (Inter, JetBrains Mono). | US, Global | Google SOC 2 / SOC 3, ISO 27001 |
| ZenBusiness | Domain registrar, DNS, email hosting | Domain configuration; email contents (operator inbox via HostedEmail / OpenSRS). | US | ICANN-accredited registrar; HostedEmail security controls |
| Stripe | Payment processor (Test + Live mode) | Customer billing data and payment information; CGG PCI scope is SAQ-A (Stripe-hosted elements). | US, Global | PCI-DSS Level 1, SOC 1 / SOC 2 Type 2, ISO 27001 |
| Supermemory | Memory store / vector DB for CGG operational context | Internal CGG operational data only; no customer data. | US | Vendor security posture per current procurement review |
Notice on change: 30 days' advance notice on any material change to a listed sub-processor (data scope, location, certification posture, or sub-processor agreement).
Pending sub-processors
Not yet active. Will move to the active list with 30-day customer notice when the activation gate is met.
| Sub-processor | Service | Data scope | Location | Activation gate |
|---|---|---|---|---|
| Google Cloud Platform (pending) | Future control-plane infrastructure | Operational telemetry, audit logs, KMS-encrypted secrets. | US, Global | Phase 2B closure with 30-day customer notice under the DPA |
Customer notification commitment
How CGG keeps customers informed of changes to this list.
30-day advance notice on additions
Before a new sub-processor is added, CGG will email support@cleargarment.com contacts at least 30 days in advance and post the proposed change here.
30-day notice on removals
Within 30 days of removing a sub-processor, CGG will publish an entry capturing the removal date, reason, and any replacement.
Customer right to object
Customers may object to a new sub-processor under the DPA. Objection process and remedies — including termination of affected services where the sub-processor is essential — are documented in DPA Annex 2.
Annual review
This list is reviewed at least annually and updated immediately on any material change. Each review captures prior version, changes made, rationale, and Source + CipherNet sign-off.
How to be notified of changes
Subscribe an email address to the change notification list.
Email support@cleargarment.com with the subject "Sub-processor change notifications — subscribe" and the contact email(s) you want added. For DPA-governed accounts, change notifications are sent automatically to the notice address on the executed DPA; this subscription path is for informational recipients outside the contracting entity.
Data-protection inquiries — including data-subject access requests under the GDPR or CCPA — should be addressed to privacy@cleargarment.com.
Sub-processor due diligence
How CGG evaluates and approves each sub-processor.
Each sub-processor is evaluated against: (1) documented information security program; (2) data handling practices appropriate to the data scope; (3) current third-party certifications (SOC 2, ISO 27001, PCI-DSS, etc., as applicable); (4) contractual data protection alignment, including signed DPA and Standard Contractual Clauses for international transfer where applicable; and (5) incident notification commitment aligned with CGG's incident-response playbook customer-comms timing.
Addition or removal of any sub-processor requires Source approval per the CGG ApprovalWhisper governance plane. CipherNet maintains the due-diligence record per sub-processor in the operator vault.