Compliance Assessment Tool · Trust & Legal

Sub-processor List

Last updated: 2026-05-15 · Classification: Public

Compliance Assessment Tool, LLC engages the following sub-processors to deliver the service. We commit to providing at least 30 days' notice of any addition or change to this list. Customers may object to a new sub-processor per the procedure in our Data Processing Addendum.

Sub-processorPurposeData processedLocationCompliance
Amazon Web Services, Inc. Infrastructure: compute (Lambda), storage (DynamoDB, S3), networking, KMS, IAM, CloudWatch All customer data at rest and in flight US — us-east-1 (N. Virginia) SOC 1/2/3, ISO 27001/17/18, PCI DSS Level 1, FedRAMP, HIPAA-eligible
OpenAI, L.L.C. Large language model inference for SAQ determination, combined-question generation, and per-control compliance analysis Payment-method descriptions, merchant answers to combined questions, PCI control text. No cardholder data. US SOC 2 Type II. DPA in force between CAT and OpenAI (org-JZrfeV5ZWRQ4S6T7MfWaO4pC), effective February 3, 2026. API inputs/outputs are not used to train OpenAI models and are retained by OpenAI for a maximum of 30 days (abuse monitoring) before deletion.
Amazon SES (sub-component of AWS) Transactional email — finalized SAQ + AoC PDF delivery to merchants Merchant email address, attachment links US — us-east-1 Covered by AWS SOC 2
Amazon Route 53 (sub-component of AWS) DNS resolution for complianceassessmenttool.com DNS-only — no application data Global (AWS edge) Covered by AWS SOC 2

Not currently used

The following common SaaS sub-processors are not in our data path today. If we add any of them, you will receive 30 days' notice:

Sub-processor selection criteria

Before engaging a sub-processor we verify (a) they hold a current SOC 2 Type II or equivalent attestation, (b) they offer a GDPR-compliant DPA with SCCs and a UK Addendum, (c) their data-residency commitments align with our customer commitments, and (d) their breach-notification SLA is ≤ 72 hours.

Notification preferences

Email chris.larson@complianceassessmenttool.com with the subject line "Subprocessor notifications" to be added to our advance-notice mailing list.