All Policies

Subprocessor List

Last UpdatedMarch 15, 2026
OwnerMarko Ratić, COO
Review CycleQuarterly
Notification30 days before changes

1. Overview

This page lists the third-party services ("subprocessors") that SpiceFactory uses at the company level. These are services we rely on for our day-to-day operations — separate from project-specific infrastructure that varies by engagement.

We evaluate each subprocessor's security posture before engagement and conduct ongoing reviews. All subprocessors are contractually bound by data processing agreements where applicable.

Project-specific infrastructure (cloud hosting, CI/CD, monitoring) varies by engagement and is documented in each project's security plan. Common platforms include Google Cloud, AWS, and Azure — selected based on partner requirements.

2. Productivity & Communication

SubprocessorPurposeData Location
Google Workspace Email, calendar, documents, identity provider (SSO), video conferencing US
GitHub Source code hosting, code review, CI/CD pipelines US

3. AI & Development Tools

Our engineering team uses AI-assisted development tools to improve productivity and code quality. These tools are governed by our AI Acceptable Use guidelines.

SubprocessorPurposeData Handling
Google Gemini AI assistant integrated with Google Workspace; code assistance for engineering Processed by Google; governed by Workspace DPA
Anthropic (Claude Code) AI-assisted software development, code review, and documentation Not used for training; governed by Anthropic API terms
OpenAI (Codex) AI-assisted code generation and engineering productivity API-based; data not used for training
AI usage guardrails: Partner source code, credentials, PII, and PHI are never submitted to AI tools unless the partner has explicitly approved the specific tool and its data handling terms. Engineers are trained on what can and cannot be shared with AI assistants.

4. Business Operations

SubprocessorPurposeData Location
Xero Accounting and financial management US / AU
Gusto Payroll, benefits, and HR management US

5. Hosting Infrastructure (Project-Level)

The following cloud platforms are used across partner engagements. The specific platform for each project is selected based on partner requirements, compliance needs, and technical fit. These are not company-level subprocessors — they are documented here for transparency.

PlatformUsageTypical Data Regions
Google Cloud Platform Compute, storage, databases, AI/ML services for partner projects Per project requirements
Amazon Web Services Compute, storage, databases for partner projects Per project requirements
Microsoft Azure Compute, storage, databases for partner projects Per project requirements
Firebase (Google) Hosting, authentication, databases for select projects and internal tools US

6. Change Notification

SpiceFactory reviews our subprocessor list quarterly. When we add or change a company-level subprocessor:

  1. We update this page at least 30 days before the change takes effect
  2. We notify affected partners via their designated security contact
  3. Partners may raise objections within 30 days of notification

For project-specific infrastructure changes, notification is handled through the project's change management process.

To receive proactive notifications, contact security@spicefactory.co.