About this list

WYRM Sentinel uses third-party sub-processors to deliver the service. The list below covers infrastructure, AI model providers, communications, payments, data feeds, and operational tooling. We update this list when sub-processors are added, removed, or materially changed.

Customers under a written agreement that incorporates a Data Processing Addendum (DPA) will receive at least thirty days' prior notice of material changes to this list, with the right to object as set out in the DPA.

Infrastructure

Vercel Inc.

Frontend hosting, edge delivery, CDN.

Region: Global edge; primary compute United States

Certifications: SOC 2 Type II, ISO 27001, GDPR-aligned

Railway Corp.

Backend API hosting (FastAPI services).

Region: United States

Certifications: SOC 2 Type II

Supabase Inc.

Managed Postgres database, authentication, object storage. Underlying infrastructure: AWS.

Region: Region selected per project; UK eu-west-2 available

Certifications: SOC 2 Type II, HIPAA

Cloudflare, Inc.

DNS, edge protection, WAF, DDoS mitigation.

Region: Global edge

Certifications: SOC 2 Type II, ISO 27001, ISO 27018

Upstash, Inc.

Serverless Redis for webhook deduplication and rate limiting.

Region: AWS region selected per project

Certifications: SOC 2 Type II

AI / model

Anthropic, PBC

Large language model API (agentic decisioning, drafting).

Region: United States

Certifications: SOC 2 Type II

OpenAI, OpC.

Large language model API (used as fallback or for specialist agents only — not for default routing).

Region: United States

Certifications: SOC 2 Type II

Communications

Resend.com

Transactional email delivery (verification, RFQ emails, notifications).

Region: United States

Certifications: SOC 2 Type II

Payments

Lemon Squeezy (Affirm Inc.)

Subscription billing, card payment processing, tax handling.

Region: United States

Certifications: PCI DSS Level 1

Data feed

OpenSanctions Datenbanken Ltd

Consolidated sanctions registry data.

Region: European Union

Certifications: Public-data redistribution licence

Freightos Ltd

Freight rate estimation, CO₂ calculation, and (when activated) end-to-end freight booking.

Region: Israel / United States / European Union

Certifications: ISO 27001 (parent group)

AISStream

Real-time AIS maritime tracking data feed.

Region: European Union

Certifications: Public-data feed

HM Revenue & Customs (HMRC)

UK Trade Tariff data feed (public).

Region: United Kingdom

Certifications: UK government data publisher

Operations

GitHub, Inc.

Source code hosting, CI/CD workflows.

Region: United States

Certifications: SOC 2 Type II, ISO 27001

Plausible Insights OÜ

Privacy-respecting product analytics on the public marketing site.

Region: European Union

Certifications: GDPR-compliant by design

Data residency

Buyer data is stored in the Supabase project region selected at on-boarding. Where data is processed by sub-processors outside the United Kingdom, transfers are made under the International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an equivalent transfer mechanism documented in our DPA.

Notifications and contact

To receive change notifications by email, contact trust@wyrm.ai. For DPA, security questionnaires (CAIQ, SIG), and sub-processor due-diligence packs, see Trust.

Sub-processors

About this list

Infrastructure

Vercel Inc.

Railway Corp.

Supabase Inc.

Cloudflare, Inc.

Upstash, Inc.

AI / model

Anthropic, PBC

OpenAI, OpC.

Communications

Resend.com

Payments

Lemon Squeezy (Affirm Inc.)

Data feed

OpenSanctions Datenbanken Ltd

Freightos Ltd

AISStream

HM Revenue & Customs (HMRC)

Operations

GitHub, Inc.

Plausible Insights OÜ

Data residency

Notifications and contact