Sub-processor List
Compliance Assessment Tool, LLC engages the following sub-processors to deliver the service. We commit to providing at least 30 days' notice of any addition or change to this list. Customers may object to a new sub-processor per the procedure in our Data Processing Addendum.
| Sub-processor | Purpose | Data processed | Location | Compliance |
|---|---|---|---|---|
| Amazon Web Services, Inc. | Infrastructure: compute (Lambda), storage (DynamoDB, S3), networking, KMS, IAM, CloudWatch | All customer data at rest and in flight | US — us-east-1 (N. Virginia) | SOC 1/2/3, ISO 27001/17/18, PCI DSS Level 1, FedRAMP, HIPAA-eligible |
| OpenAI, L.L.C. | Large language model inference for SAQ determination, combined-question generation, and per-control compliance analysis | Payment-method descriptions, merchant answers to combined questions, PCI control text. No cardholder data. | US | SOC 2 Type II. DPA in force between CAT and OpenAI (org-JZrfeV5ZWRQ4S6T7MfWaO4pC), effective February 3, 2026. API inputs/outputs are not used to train OpenAI models and are retained by OpenAI for a maximum of 30 days (abuse monitoring) before deletion. |
| Amazon SES (sub-component of AWS) | Transactional email — finalized SAQ + AoC PDF delivery to merchants | Merchant email address, attachment links | US — us-east-1 | Covered by AWS SOC 2 |
| Amazon Route 53 (sub-component of AWS) | DNS resolution for complianceassessmenttool.com | DNS-only — no application data | Global (AWS edge) | Covered by AWS SOC 2 |
Not currently used
The following common SaaS sub-processors are not in our data path today. If we add any of them, you will receive 30 days' notice:
- Google (no GCP, no Workspace for customer data)
- Microsoft Azure / Office 365 for customer data
- Snowflake, BigQuery, or other data warehouses
- Customer support tools (Zendesk, Intercom) — support is handled via direct email to chris.larson@complianceassessmenttool.com
- Analytics or ad tracking (no Mixpanel, Segment, Google Analytics, Meta Pixel, etc.)
Sub-processor selection criteria
Before engaging a sub-processor we verify (a) they hold a current SOC 2 Type II or equivalent attestation, (b) they offer a GDPR-compliant DPA with SCCs and a UK Addendum, (c) their data-residency commitments align with our customer commitments, and (d) their breach-notification SLA is ≤ 72 hours.
Notification preferences
Email chris.larson@complianceassessmenttool.com with the subject line "Subprocessor notifications" to be added to our advance-notice mailing list.