About this list
WYRM uses third-party sub-processors to deliver the service across its seven modules — the flagship engineering products MEP and Data, plus the Procure, Ledger, Cyber and Legal add-ons and the standalone Healthcare line. The public list below covers infrastructure, AI model providers, communications, payments, and operational tooling. Intelligence and data-feed providers are commercially sensitive and disclosed in full to customers under a Data Processing Addendum or NDA on request. WYRM Healthcare engagements run on a separate per-tenant FHIR UK Core gateway with no-retention LLM contracts; the additional Healthcare- specific sub-processors are disclosed under the customer's DPA + DCB0129 documentation pack rather than this public list. We update this list when sub-processors are added, removed, or materially changed.
Customers under a written agreement that incorporates a Data Processing Addendum (DPA) will receive at least thirty days' prior notice of material changes to this list, with the right to object as set out in the DPA.
WYRM proprietary engine
Jörmungandr — in-house decision orchestrator
Jörmungandr is WYRM’s proprietary agentic decision engine. It orchestrates the specialist agents across the seven modules — the flagship engineering products MEP and Data, plus the Procure, Ledger, Cyber and Legal add-ons and the standalone Healthcare line — and produces the ranked, audit-trail-backed output that customers see. Jörmungandr is built and operated by WYRM and runs on the infrastructure sub-processors listed below; it is not itself a third-party sub-processor.
Infrastructure
Vercel Inc.
Frontend hosting, edge delivery, CDN.
Railway Corp.
Backend API hosting (FastAPI services).
Supabase Inc.
Managed Postgres database, authentication, object storage. Underlying infrastructure: AWS.
Cloudflare, Inc.
DNS, edge protection, WAF, DDoS mitigation.
Upstash, Inc.
Serverless Redis for webhook deduplication and rate limiting.
AI / model
Anthropic, PBC
Large language model API (agentic decisioning, drafting).
OpenAI, OpC.
Large language model API (used as fallback or for specialist agents only — not for default routing).
Communications
Resend.com
Transactional email delivery (verification, RFQ emails, notifications).
Payments
Lemon Squeezy (Affirm Inc.)
Subscription billing, card payment processing, tax handling.
Data feed
Available on request — protected business layer
The roster of upstream intelligence and data-feed providers powering WYRM's modules is withheld from the public sub-processor list. It is disclosed in full to prospective and existing customers under a Data Processing Addendum or NDA on request — email info@wyrm.ai with details of the engagement and we’ll respond within one business day.
Public-data feeds (UK government data, EU consolidated lists, NOAA, USGS, AIS, etc.) and regulatory disclosures continue to be cited in WYRM’s individual decision audit trails as required by the Procurement Act 2023.
Operations
GitHub, Inc.
Source code hosting, CI/CD workflows.
Plausible Insights OÜ
Privacy-respecting product analytics on the public marketing site.
Data residency
Buyer data is stored in the Supabase project region selected at on-boarding. Where data is processed by sub-processors outside the United Kingdom, transfers are made under the International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an equivalent transfer mechanism documented in our DPA.
Notifications and contact
To receive change notifications by email, contact info@wyrm.ai. For DPA, security questionnaires (CAIQ, SIG), and sub-processor due-diligence packs, see Trust.