MindPath BI engages third-party subprocessors to deliver specific functions of the service — hosting, AI inference, email delivery, error monitoring, and a handful of developer-tooling providers. We publish only the information required for a controller to assess a processor under GDPR: category, purpose, data category, and region. The identities of the specific providers — and their replacements — are confirmed to customers under contract and re-confirmed before every material change.
This reflects a deliberate choice: our vendor surface is small and it shifts as the product matures. Publishing a flat list invites extrapolation we’re not yet willing to defend. Signing a DPA with us unlocks the detailed inventory, the SCCs in effect, and the change-notification feed.
The following categories of subprocessor may process customer personal data on our behalf to provide the service:
| Category | Purpose | Data category | Region |
|---|---|---|---|
| Infrastructure & hosting | Application hosting, database, object storage, edge delivery | All application data | EU (primary) · multi-region edge |
| AI inference | Language-model inference for Copilot, summaries, classification, and retrieval | Thread content, KB documents (processed in-memory, not retained for training) | EU or US (per provider topology) |
| Transactional email | Outbound notification and service email delivery | Email addresses, notification content | EU |
| Error & performance monitoring | Application error capture, performance traces | Stack traces, request metadata (PII scrubbed) | US (governed by EU SCCs) |
| Content safety | Malware and attachment scanning | File content (scanned in-memory, not stored) | EU / self-hosted |
These categories of provider support engineering, build, and product operations. They do not process customer personal data in the course of delivering the service:
| Category | Purpose | Region |
|---|---|---|
| Source control & CI | Source hosting, continuous integration, release pipelines | US |
| Artifact registries | Container image and build artifact storage | US / EU |
| Site analytics | Privacy-friendly, anonymous web analytics for the marketing site | Multi-region |
The full inventory — provider identities, corporate entities, hosting regions, applicable certifications (ISO 27001, SOC 2, &c.), the specific SCCs in force, and the change-notification feed — is shared with every customer as part of the DPA onboarding packet. Prospects under mutual NDA can request it on the access call.
We maintain a formal vendor risk-management program:
- Critical categories (infrastructure, AI inference, database): reviewed semi-annually.
- Important categories (email delivery, error monitoring): reviewed annually.
- Standard service providers (CI, registries, developer tools): reviewed at renewal or biennially.
Reviews assess security posture, compliance certifications, data handling practices, and business-continuity capabilities. Material findings are routed to the change-management process below.
Material changes — additions, removals, or region changes — are reviewed by Security and Legal before activation. We provide at least 10 calendar days’ advance notice before engaging a new subprocessor to every customer subscribed to the change-notification feed. Customer notification follows the contractual notice terms defined in your Data Processing Addendum.
To receive advance email notifications when we add, remove, or materially change a subprocessor, email josef@mindpathbi.com with the subject line “Subprocessor Change Notifications.”
For DPA requests, the detailed subprocessor inventory, or any other vendor-management question, contact josef@mindpathbi.com.