SchemaLabs uses a small set of third-party service providers ("Sub-Processors") to operate the SchemaLabs Service. This page lists every Sub-Processor that processes Customer Data or operational data on our behalf, and what they do.
We update this page when Sub-Processors are added or replaced. Enterprise customers receive at least fifteen (15) days' advance notice of changes by email, in accordance with our Data Processing Agreement.
This page is the authoritative list of SchemaLabs Sub-Processors and supersedes any Sub-Processor list embedded in our legal documents in the event of any conflict.
To subscribe to update notifications, email [email protected] with the subject line "Subscribe: Sub-Processor Updates" and the email address you want notified.
Capitalised terms used on this page (including "Sub-Processor," "Customer Data," "Fine-Tuned Checkpoint," and "BYOL Endpoint") have the meanings set forth in the Data Processing Agreement and the Schema Model License.
1. Current Sub-Processors
| Sub-Processor | Location | Purpose | Data Categories |
|---|---|---|---|
| Google Cloud Platform (Google LLC) | United States | Cloud infrastructure: compute, storage, key management, networking | All Customer Data; all Fine-Tuned Checkpoints; all system data |
| Amazon Web Services (Amazon.com, Inc.) | United States | Cloud infrastructure: compute, storage, key management, networking | All Customer Data; all Fine-Tuned Checkpoints; all system data |
| Stripe, Inc. | United States | Payment processing for paid subscriptions | Billing contact name, billing address, email, payment card data (handled directly by Stripe; not stored on SchemaLabs systems) |
For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, SchemaLabs and each Sub-Processor rely on the European Commission's Standard Contractual Clauses (SCCs), Module Two (Controller-to-Processor). UK transfers also incorporate the UK ICO's International Data Transfer Addendum.
GCP and AWS each independently maintain SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, and other certifications. Stripe maintains PCI-DSS Level 1 certification.
Anticipated future Sub-Processors
We expect to add infrastructure or operational providers as the Service scales. Before any addition that processes Customer Data, we will update this page and provide at least fifteen (15) days' advance notice to enterprise customers in accordance with our Data Processing Agreement.
2. What is NOT a Sub-Processor
BYOL Endpoints (customer-directed third-party LLMs)
When you connect a third-party large language model endpoint to the Service using your own API credentials (for example, OpenAI, Anthropic, Google Gemini, or Mistral), those providers are not Sub-Processors of SchemaLabs. The transmission of data to those providers is directed by you, governed by your agreement with the relevant provider, and conducted outside our processor relationship with you.
If you use a BYOL Endpoint, we recommend you:
- Confirm the provider's data handling terms meet your obligations
- Verify the provider does not use your data to train their models
- Maintain your own data processing agreement (DPA) with the provider if you process EU personal data through them
Internal vendors that do not access Customer Data
We use additional vendors for our own operations (for example, customer relationship management, internal analytics, email marketing, accounting). These vendors are not granted access to Customer Data and are not Sub-Processors under the GDPR or our DPA. If this changes for any vendor, we will add them to this page before granting access.
3. How we vet Sub-Processors
Before engaging any new Sub-Processor that will process Customer Data, we:
- Verify the Sub-Processor's security and data protection certifications (SOC 2, ISO 27001, or equivalent)
- Add the Sub-Processor to this page with at least fifteen (15) days' notice to enterprise customers
4. Customer rights regarding Sub-Processors
Enterprise customers may object to a new Sub-Processor on reasonable data protection grounds. Objection procedures are set out in Section 6 of our Data Processing Agreement.
5. Contact
Questions about Sub-Processors: [email protected]