[ LEGAL ]
Sub-processors
Last updated: 2026-04-28
This page lists the Sub-processors Spinal Technologies GmbH uses to deliver the Service. We update this page in advance of material changes per our DPA. Customers on enterprise plans receive at least 30 days' email notice before we add or replace a Sub-processor that handles Service Data.
To subscribe to change notifications: privacy@getspinal.com.
Infrastructure
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Application hosting, compute, networking, block storage, deployment volumes, and related infrastructure for the Dockerized API, Next.js frontend, Postgres database, Vespa search/index service, and nginx edge | EU (eu-central-1, Frankfurt) | n/a (within EEA). AWS is engaged under the AWS GDPR Data Processing Addendum and AWS Service Terms; SCCs in the AWS DPA cover any incidental transfers. |
AI / Machine learning
For the launch configuration, Spinal does notengage a managed AI sub-processor under Spinal's own provider account. Customers provide their own Anthropic / Claude API keyand choose the model in the Service. Anthropic is therefore a customer-configured model provider in that configuration, and the customer's own Anthropic contract governs model-training, retention, and transfer terms.
If Spinal later supplies managed model access through its own provider account, we will add the provider to this Sub-processor list before that change applies to Customer Data.
Identity and source-control authorization providers
The following providers are used only when the customer or its users authenticate or authorize source-control access via that provider. Personal data flow direction is generally into Spinal (the provider returns identity tokens, installation data, or repository authorization metadata to us).
| Provider | Purpose |
|---|---|
| Google LLC | Google OAuth sign-in |
| Microsoft Corporation | Microsoft / Entra ID OAuth sign-in |
| GitHub, Inc. | GitHub App installation, repository authorization, and repository access |
These providers act as independent controllers of their own user data; Spinal does not direct what they collect in their own products. Their handling of authentication and authorization metadata is governed by their respective privacy policies and customer contracts.
Customer-initiated integrations (not Spinal sub-processors)
Customers may connect additional engineering systems and model providers to Spinal at their own initiative. Spinal acts on the customer's instructions in pulling data from these systems or sending prompts to the selected model provider. They are not Sub-processors of Spinalin that configuration; the customer's relationship with each is governed by that customer's own contract with the relevant provider.
These currently include (non-exhaustive): Anthropic/Claude, GitHub, GitLab, Sentry, Datadog, Grafana, Loki, Prometheus, Kubernetes, AlertManager, Jira, Confluence, Microsoft Teams, Google Drive, Notion, PagerDuty, Opsgenie, Terraform Cloud, ArgoCD, AWS, and Kibana. The full enabled integration set is visible inside the Service at Integrations.
Notification mechanism
- This page is the canonical list. Material additions or replacements are reflected here.
- Enterprise customers receive an email to nominated contacts at least 30 days before a change takes effect.
- Customers may object on reasonable data-protection grounds per § 6 of the DPA.