Current subprocessors
The table below lists every subprocessor Soryx engages, what each one does, the categories of data it touches, and where that processing takes place. Where a vendor is outside the EEA, transfers are covered by the EU Standard Contractual Clauses with supplementary encryption measures.
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Primary cloud hosting, database, and compute | All service data | EU - eu-west-1 (Ireland) |
| Have I Been Pwned (HIBP) | Breach-exposure lookups | Email address (hashed where supported) | EEA-adequate (transfers via SCCs) |
| DeHashed | Breach and leaked-credential intelligence | Email, username, identifiers being monitored | United States (SCCs) |
| Zyte | Managed data extraction to detect broker listings | Search inputs and matched public listings | EU / Ireland |
| Amazon Bedrock | AI assistant scoped to your own data | Prompts and your exposure data (no model training) | EU - eu-central-1 / eu-west region |
| Amazon SES | Transactional and removal-request email delivery | Email address, message content | EU - eu-west-1 (Ireland) |
| Paddle | Payments and merchant of record | Billing details, transaction metadata | EU / UK (SCCs where applicable) |

How we manage subprocessors
Note that data brokers we contact to action your erasure requests are not Soryx subprocessors; they are the recipients of your Article 17 requests. We share only the minimum identifiers needed to assert your right to erasure.
Changes and notifications
We will update this page before adding or replacing a subprocessor. Business customers under our Data Processing Agreement receive at least 30 days’ advance notice and may object on reasonable grounds. To be notified of changes, email dpo@matrix.eu.
