Trust & Compliance

Sub-processors

This page lists the third-party sub-processors that may process customer data on behalf of Clear Garment Group (CGG) in connection with the Enterprise Trust API. It is the canonical reference for DPA Annex 2 and SIG Lite §M.3, and is updated immediately upon any material change.

Last updated: 2026-05-12
Version: v0.2
Owner: CipherNet · ApprovalWhisper
Contact: privacy@cleargarment.com

Active sub-processors

Currently authorized to process customer data on CGG's behalf.

| Sub-processor | Service | Data scope | Location | Certifications |
|---|---|---|---|---|
| Vercel | Hosting, edge network, serverless functions | Customer requests/responses transit Vercel edge; payload not retained beyond transaction. | US, Global edge | SOC 2 Type 2 |
| Amazon Web Services (sub-sub-processor via Vercel and Supabase) | Underlying compute & storage infrastructure for the Vercel edge platform and the Supabase managed Postgres + Realtime service | Same payload scope as Vercel for request/response transit; same operational-records scope as Supabase for LogScribe ledger storage. AWS is the underlying infrastructure provider for both, disclosed for transparency. | US, Global | SOC 1 / 2 / 3, ISO 27001, ISO 27017, ISO 27018, FedRAMP, PCI-DSS |
| Let's Encrypt (ISRG) | TLS certificate authority | Certificate signing requests; no customer data. | US, Global | WebTrust-audited CA |
| Google Fonts CDN | Font asset delivery | IP address of end-user browsers requesting fonts (Inter, JetBrains Mono). | US, Global | Google SOC 2 / SOC 3, ISO 27001 |
| ZenBusiness | Domain registrar, DNS, email hosting | Domain configuration; email contents (operator inbox via HostedEmail / OpenSRS). | US | ICANN-accredited registrar; HostedEmail security controls |
| Google Cloud Platform | Control-plane infrastructure (KMS-encrypted secrets, operational telemetry, audit logging, Workspace-bound IAM) | CGG operational records only (KMS key material, configuration, telemetry, audit logs). No customer verification payloads or end-user PII are processed via GCP. | US, Global | SOC 1 / 2 / 3, ISO 27001, ISO 27017, ISO 27018, FedRAMP, HIPAA-eligible |
| Supabase | Managed Postgres + Realtime for the LogScribe immutable event ledger | CGG operational records only (sealed event chain: sequence number, action, phase, immutable hash, prior hash, timestamp, agent). No customer verification payloads or end-user PII are stored in Supabase. AWS is Supabase's underlying infrastructure provider (see AWS row). | US | SOC 2 Type 2; HIPAA-eligible tier available; AWS-backed (SOC 1 / 2 / 3, ISO 27001) |
| Stripe | Payment processor (Test + Live mode) | Customer billing data and payment information; CGG PCI scope is SAQ-A (Stripe-hosted elements). | US, Global | PCI-DSS Level 1, SOC 1 / SOC 2 Type 2, ISO 27001 |

Notice on change: 30 days' advance notice of any material change to a listed sub-processor (data scope, location, certification posture, or sub-processor agreement).

Pending sub-processors

Not yet active. Will move to the active list with 30-day customer notice when the activation gate is met.

| Sub-processor | Service | Data scope | Location | Activation gate |
|---|---|---|---|---|
| Supermemory (pending) | Memory store / vector DB for CGG operational context | Internal CGG operational data only; no customer data. | US | Activation gated on executed DPA / data-processing terms; until executed, no Customer Personal Data is ingested via Supermemory. |

Customer notification commitment

How CGG keeps customers informed of changes to this list.

30-day advance notice on additions

Before a new sub-processor is added, CGG will email support@cleargarment.com contacts at least 30 days in advance and post the proposed change here.

30-day notice on removals

Within 30 days of removing a sub-processor, CGG will publish an entry capturing the removal date, reason, and any replacement.

Customer right to object

Customers may object to a new sub-processor under the DPA. Objection process and remedies — including termination of affected services where the sub-processor is essential — are documented in DPA Annex 2.

Annual review

This list is reviewed at least annually and updated immediately on any material change. Each review captures prior version, changes made, rationale, and Source + CipherNet sign-off.

How to be notified of changes

Subscribe an email address to the change notification list.

Email support@cleargarment.com with the subject "Sub-processor change notifications — subscribe" and the contact email(s) you want added. For DPA-governed accounts, change notifications are sent automatically to the notice address on the executed DPA; this subscription path is for informational recipients outside the contracting entity.

Data-protection inquiries — including data-subject access requests under the GDPR or CCPA — should be addressed to privacy@cleargarment.com.

Sub-processor due diligence

How CGG evaluates and approves each sub-processor.

Each sub-processor is evaluated against: (1) documented information security program; (2) data handling practices appropriate to the data scope; (3) current third-party certifications (SOC 2, ISO 27001, PCI-DSS, etc., as applicable); (4) contractual data protection alignment, including signed DPA and Standard Contractual Clauses for international transfer where applicable; and (5) incident notification commitment aligned with CGG's incident-response playbook customer-comms timing.

Addition or removal of any sub-processor requires Source approval per the CGG ApprovalWhisper governance plane. CipherNet maintains the due-diligence record per sub-processor in the operator vault.