Data Processor Commitment
Ferentin operates as a data processor on behalf of its customers (data controllers). We engage a limited number of sub-processors to deliver our services. This page lists all sub-processors and is updated whenever changes occur. Customers are notified at least 30 days before any new sub-processor is engaged.
This page lists the third-party sub-processors that Ferentin, Inc. (“Ferentin,” “we,” “us”) engages to process personal data on behalf of our customers (“Controllers”) in connection with the Ferentin platform. This list is maintained in accordance with GDPR Article 28(2) and our Data Processing Addendum (DPA).
1. Overview
A sub-processor is a third party engaged by Ferentin that processes personal data on behalf of our customers. We perform due diligence on all sub-processors to ensure they provide adequate security and privacy protections.
Each sub-processor is bound by a data processing agreement that imposes obligations no less protective than those in our DPA with customers.
2. Infrastructure Sub-Processors
These sub-processors provide the core infrastructure on which the Ferentin platform operates.
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure: compute, database, cache, storage, key management | All categories of customer data as described in our DPA | US-East-1 (default) or customer-selected region |
Security Certifications
- SOC 2 Type II
- ISO 27001
- FedRAMP
Encryption
- All data encrypted at rest using AES-256 with AWS Key Management Service (KMS)
- All data encrypted in transit using TLS 1.2 or higher
- Per-tenant encryption key isolation (dedicated data encryption keys per customer)
3. Operational Sub-Processors
These sub-processors provide specific operational capabilities required to deliver the platform.
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Postmark (ActiveCampaign) | Transactional email delivery (welcome emails, password resets, invitations) | Email address, recipient name | United States |
What about Ferentin’s internal tools?
Ferentin uses additional services for internal corporate operations (e.g., Google Workspace for email, GitHub for source code, CrowdStrike for endpoint protection). These services do not process customer data and are therefore not listed as sub-processors. They are documented in our SOC 2 Type II report, available under NDA via our Trust Center.
4. Services That Are NOT Sub-Processors
The following services are commonly associated with the Ferentin platform but are not Ferentin sub-processors. Customers maintain direct contractual relationships with these providers.
A. LLM Providers
Ferentin acts as a technical gateway that routes AI requests from the customer’s edge infrastructure directly to the customer’s chosen LLM provider. Ferentin does not have an independent data processing relationship with these providers because:
- Customers use their own API keys and credentials
- Requests flow directly from the customer’s edge to the provider — prompts and responses never transit Ferentin’s cloud
- Ferentin records only metadata (token counts, model identifier, cost) for billing and analytics, not prompt or response content
Supported LLM providers include: OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, Google Vertex AI, Google AI Studio, xAI, and Mistral AI. Customers are responsible for maintaining their own data processing agreements with these providers.
B. Upstream MCP Servers
Customers may connect their own MCP (Model Context Protocol) server instances through the Ferentin gateway. Ferentin proxies MCP protocol traffic but does not have an independent contractual or data processing relationship with these upstream services.
C. Telemetry Destinations (OpenTelemetry Sinks)
Customers may configure their own OpenTelemetry (OTEL) export destinations to receive telemetry data from the Ferentin platform (e.g., Datadog, Grafana Cloud, Splunk, New Relic, or self-hosted collectors). These are not Ferentin sub-processors because:
- Customers choose and configure the destination using their own accounts and credentials
- Ferentin sends telemetry data to the destination on the customer’s instruction
- The customer has a direct contractual relationship with the telemetry provider
Customers are responsible for maintaining appropriate data processing agreements with their chosen telemetry destinations.
D. AI Clients and Development Tools
End users connect to the Ferentin platform using AI-enabled clients and development tools (e.g., Claude Desktop, Cursor, Windsurf, Continue, VS Code with Copilot, or custom applications). These are not Ferentin sub-processors because:
- They are client applications operated by the customer’s end users, not services engaged by Ferentin
- Ferentin does not have a contractual or data processing relationship with these tool vendors
- The customer’s organization controls which clients are permitted to connect via access policies
5. Changes to This List
We will update this page whenever a sub-processor is added, removed, or materially changed. Customers with an active DPA will be notified by email at least 30 days before any new sub-processor begins processing personal data.
If a customer objects to a new sub-processor, the process described in the DPA will apply.
Change Log
| Date | Change | Details |
|---|---|---|
| March 25, 2026 | Initial publication | Sub-processor list published with AWS and Postmark |
6. Contact
If you have questions about our sub-processors or data processing practices, please contact us:
- Email: privacy@ferentin.net
- Security inquiries: security@ferentin.net
- Trust Center: trust.ferentin.com