Legal
Subprocessors
Last updated June 2026
Recovea keeps its subprocessor list deliberately short. This page is the authoritative, current list referenced by the Data Processing Addendum. Each row carries an explicit engagement status: vendors marked Planned are selected and named ahead of time but are not yet engaged and receive no data today; we flip a row to Engaged (with the change notice below) before it ever processes customer data.
Change notice: we give at least 30 days’ notice before adding or replacing a subprocessor, here and by email. To subscribe to change notices, email security@recovea.ai with the subject “Subscribe: subprocessor changes.” Objection rights are set out in the DPA.
A note on LLM providers: customers bring their own provider keys (BYOK). Your inference runs on your own provider accounts — OpenAI today, with further providers (Anthropic, Google, and others) as each upstream ships. Those providers are engaged by you, not Recovea, are your processors rather than our subprocessors, and Recovea never resells their tokens.
| Subprocessor | Status | Purpose | Data involved | Location |
|---|---|---|---|---|
| Amazon Web Services | Engaged — production environment is live in us-east-1 | Cloud hosting, compute, storage, and email delivery (live). Key management via AWS KMS is a planned purpose — envelope encryption is not live today | Service metadata, encrypted provider keys, account data, the content-free ledger; no request/completion bodies by default | us-east-1 (N. Virginia) |
| Amazon Bedrock | Planned — when the eval judge ships | Cross-family eval judge (and, later, in-VPC embeddings) | Sampled eval pairs, transiently, per DPA controls | us-east-1 (N. Virginia) |
| Stripe | Engaged — before/at the first paid invoice | Billing & payment processing | Billing contact, invoice amounts, never traffic data | United States |
What subprocessors never receive
AWS hosts the live production environment in us-east-1 and stores service metadata, encrypted provider keys, account data, and the content-free ledger; prompt and completion bodies are not logged by default, so no subprocessor receives them by default. Stripe (engaged before/at the first paid invoice) receives billing contact details and amounts only, never traffic data; and eval-judge access (planned, when the eval judge ships) is limited to sampled pairs, transiently, under the controls in the DPA (per-route exclusions and metadata-only mode remove even that).
Questions
Email security@recovea.ai.