SUB-PROCESSOR LIST
Cognitiva Systems Inc.
Last Updated: 15 April 2026
Effective: 15 April 2026
INTRODUCTION
This document lists the sub-processors Cognitiva Systems Inc. ("Cognitiva") uses to process personal data on behalf of our customers.
What is a Sub-processor?
A sub-processor is a third-party service provider that processes personal data on behalf of Cognitiva to help us provide our Services.
Why We Disclose This:
- GDPR Article 28(3)(d) requires data processors to inform customers of sub-processors
- Transparency and trust
- Customer due diligence
CURRENT SUB-PROCESSORS
1. CLOUD INFRASTRUCTURE
Amazon Web Services (AWS)
Entity: Amazon Web Services, Inc.
Purpose: Cloud infrastructure hosting, compute, storage, database services
Data Processed: All customer data stored on platform (campaign data, user accounts, files)
Location: United States (us-east-1, us-west-2), European Union (eu-west-1, eu-central-1) - customer selectable
Data Transfer Mechanism: EU Standard Contractual Clauses (SCCs)
Certifications: ISO 27001, SOC 2 Type II, ISO 27017, ISO 27018
Privacy Policy: https://aws.amazon.com/privacy/
Website: https://aws.amazon.com
Google Cloud Platform (GCP)
Entity: Google LLC
Purpose: Cloud infrastructure, machine learning infrastructure, BigQuery analytics
Data Processed: Anonymized datasets (for AI training), analytics data, backup storage
Location: United States (us-central1), European Union (europe-west1) - customer selectable
Data Transfer Mechanism: EU Standard Contractual Clauses (SCCs)
Certifications: ISO 27001, SOC 2 Type II, ISO 27017, ISO 27018
Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice
Website: https://cloud.google.com
2. PAYMENT PROCESSING
Stripe, Inc.
Entity: Stripe, Inc.
Purpose: Payment processing, subscription billing, payment method storage
Data Processed: Payment card data, billing information, transaction records
Location: United States (primary), global payment network
Data Transfer Mechanism: Stripe acts as independent data controller for payment data (not sub-processor under GDPR)
Certifications: PCI DSS Level 1 Service Provider, SOC 2 Type II
Privacy Policy: https://stripe.com/privacy
Website: https://stripe.com
Important Note:
Stripe is an independent data controller for payment processing. You have a direct legal relationship with Stripe. Cognitiva is not responsible for Stripe's data processing. Refer to Stripe's privacy policy for details.
3. COMMUNICATION & SUPPORT
SendGrid (Twilio)
Entity: Twilio Inc.
Purpose: Transactional email delivery (password resets, notifications, receipts)
Data Processed: Email addresses, email content (transactional only), delivery logs
Location: United States
Data Transfer Mechanism: EU Standard Contractual Clauses (SCCs)
Data Retention: Email logs retained for 30 days
Certifications: SOC 2 Type II, ISO 27001
Privacy Policy: https://www.twilio.com/legal/privacy
Website: https://sendgrid.com
Intercom, Inc.
Entity: Intercom R&D Unlimited Company (Ireland)
Purpose: Customer support, in-app messaging, help center
Data Processed: Support tickets, user messages, account information, usage data
Location: European Union (Ireland - primary), United States (backup)
Data Transfer Mechanism: EU-U.S. Data Privacy Framework, EU SCCs
Certifications: SOC 2 Type II, ISO 27001
Privacy Policy: https://www.intercom.com/legal/privacy
Website: https://www.intercom.com
4. ANALYTICS & MONITORING
Google Analytics
Entity: Google LLC
Purpose: Website analytics, user behavior analysis
Data Processed: IP addresses (anonymized), browser information, page views, user interactions
Location: United States
Data Transfer Mechanism: EU-U.S. Data Privacy Framework, EU SCCs
IP Anonymization: Enabled (last octet removed before storage)
Data Retention: 14 months
Privacy Policy: https://policies.google.com/privacy
Opt-Out: https://tools.google.com/dlpage/gaoptout
Sentry
Entity: Functional Software, Inc. dba Sentry
Purpose: Error tracking, application monitoring, debugging
Data Processed: Error logs, stack traces, user IDs (hashed), IP addresses (scrubbed)
Location: United States
Data Transfer Mechanism: EU Standard Contractual Clauses (SCCs)
PII Scrubbing: Enabled (personally identifiable information automatically redacted)
Data Retention: 90 days
Certifications: SOC 2 Type II
Privacy Policy: https://sentry.io/privacy/
Website: https://sentry.io
5. SECURITY & INFRASTRUCTURE
Cloudflare, Inc.
Entity: Cloudflare, Inc.
Purpose: Content delivery network (CDN), DDoS protection, web application firewall
Data Processed: IP addresses, HTTP headers, cached content
Location: Global edge network (100+ countries)
Data Transfer Mechanism: EU Standard Contractual Clauses (SCCs), Cloudflare EU Data Localization Suite (for EU customers)
Data Retention: Logs retained for 24 hours (security logs up to 30 days)
Certifications: ISO 27001, SOC 2 Type II
Privacy Policy: https://www.cloudflare.com/privacypolicy/
Website: https://www.cloudflare.com
CHANGE MANAGEMENT
Notification of Changes
30-Day Advance Notice:
We will notify customers at least 30 days in advance before:
- Adding a new sub-processor
- Changing an existing sub-processor's purpose or data processing scope
- Replacing a sub-processor with a different entity
Notification Method:
- Email to account administrator
- In-app notification
- Update to this page (check "Last Updated" date)
Customer Objection Rights
You have the right to object to new sub-processors or changes.
How to Object:
- Email: dpa@cognitiva.systems
- Subject: "Sub-Processor Objection - [Company Name]"
- Within: 15 days of notification
- Include: Specific objection reasons (data protection grounds)
If We Cannot Accommodate Objection:
- Good faith discussion to resolve concerns
- If unresolved, you may terminate Services Agreement with 30 days notice
- Pro-rated refund of prepaid fees
If No Objection:
Failure to object within 15 days constitutes acceptance.
DATA PROTECTION SAFEGUARDS
Contractual Protections
All sub-processors are contractually obligated to:
✓ Process data only on Cognitiva's instructions
✓ Maintain confidentiality
✓ Implement appropriate technical and organizational security measures
✓ Assist with data subject rights requests
✓ Notify Cognitiva of personal data breaches
✓ Delete or return data upon termination
✓ Submit to audits and inspections
International Data Transfers
For sub-processors located outside the European Economic Area:
✓ EU Standard Contractual Clauses (SCCs): Executed with all non-EU sub-processors
✓ UK International Data Transfer Addendum (IDTA): For UK personal data
✓ Transfer Impact Assessments (TIAs): Conducted per Schrems II requirements
✓ Supplementary Measures: Encryption in transit (TLS 1.3) and at rest (AES-256)
Security Measures
All sub-processors must implement:
✓ Encryption in transit and at rest
✓ Access controls and authentication
✓ Regular security assessments
✓ Incident response procedures
✓ Employee training on data protection
✓ Industry-standard certifications (ISO 27001, SOC 2, etc.)
SUB-PROCESSOR CATEGORIES
Processing Activities
| Sub-Processor | Hosting | Analytics | Communication | Payment | Security |
|---|---|---|---|---|---|
| AWS | ✅ | ||||
| GCP | ✅ | ✅ | |||
| Stripe | ✅ | ||||
| SendGrid | ✅ | ||||
| Intercom | ✅ | ||||
| Google Analytics | ✅ | ||||
| Sentry | ✅ | ||||
| Cloudflare | ✅ | ✅ |
DATA LOCATIONS
Where Your Data May Be Processed
United States:
- AWS (us-east-1, us-west-2)
- GCP (us-central1)
- Stripe (global payment network)
- SendGrid
- Sentry
- Google Analytics
European Union:
- AWS (eu-west-1, eu-central-1)
- GCP (europe-west1)
- Intercom (Ireland - primary)
Global Edge Networks:
- Cloudflare (100+ locations, customer choice for data residency)
Customer Control:
Enterprise customers can specify data residency preferences (US-only, EU-only, or multi-region).
FREQUENTLY ASKED QUESTIONS
Q1: Can I request that my data only be processed in the EU?
A: Yes. Enterprise customers can request EU-only data residency. This limits sub-processors to AWS (EU regions), GCP (EU regions), and Intercom (Ireland). Some features may have limited availability.
Contact: sales@cognitiva.systems for EU data residency options
Q2: What happens if a sub-processor has a data breach?
A: Sub-processors are contractually required to notify us within 24-48 hours. We then:
- Assess impact on customer data
- Notify affected customers within 48 hours (per GDPR Article 33)
- Cooperate with investigation and remediation
- Evaluate continued relationship with sub-processor
Q3: Can I audit sub-processors?
A: Customers can audit Cognitiva's compliance (including sub-processor management). Direct sub-processor audits typically require:
- Reasonable advance notice
- Confidentiality agreements
- Coordination with Cognitiva
- Or: Review of sub-processor's SOC 2 / ISO 27001 reports (substitute for on-site audit)
Contact: dpa@cognitiva.systems to arrange audit
Q4: Does Cognitiva use any sub-processors in China, Russia, or other high-risk countries?
A: No. We do not use sub-processors located in or subject to laws of countries deemed high-risk for data protection. All sub-processors are in US, EU, or equivalent jurisdictions with strong data protection frameworks.
Q5: What if I object to a sub-processor on GDPR Article 28 grounds?
A: You have the right to object. We will:
- Discuss your concerns in good faith
- Seek alternative sub-processor if feasible
- If we cannot accommodate, you may terminate agreement with 30 days notice and receive pro-rated refund
This is a legal right under GDPR Article 28(9).
Q6: Are sub-processors in the US subject to CLOUD Act or FISA 702?
A: Yes, US-based sub-processors may be subject to US government access requests under:
- CLOUD Act (cross-border lawful access)
- FISA Section 702 (foreign intelligence surveillance)
Our Safeguards:
- Encryption prevents government access to plaintext data
- Transfer Impact Assessments conducted
- Contractual commitments to challenge overbroad requests
- Transparency reporting of government requests (annual)
Read More: Privacy Policy Section 12.3 (Schrems II Compliance)
CONTACT INFORMATION
For Sub-Processor Questions:
Email: dpa@cognitiva.systems
Subject: "Sub-Processor Inquiry - [Company Name]"
Response Time: 5 business days
To Object to Sub-Processor:
Email: dpa@cognitiva.systems
Subject: "Sub-Processor Objection - [Company Name]"
Deadline: Within 15 days of notification
For Data Processing Agreement:
Email: dpa@cognitiva.systems
Request: Full Data Processing Agreement (DPA) template
LEGAL REFERENCES
This sub-processor list is maintained pursuant to:
- GDPR Article 28(3)(d): Processor must inform controller of sub-processors
- GDPR Article 28(2): Prior written authorization required for sub-processors
- GDPR Article 28(4): Processor remains liable for sub-processor performance
DOCUMENT HISTORY
| Version | Date | Changes |
|---|---|---|
| 1.0 | 15 April 2026 | Initial publication |
Next Review: October 2026
TRANSPARENCY COMMITMENT
We are committed to transparency about our data processing practices. This sub-processor list is updated promptly when changes occur.
Subscribe to Updates:
Email dpa@cognitiva.systems with subject "Subscribe to Sub-Processor Updates" to receive automatic notifications.
END OF SUB-PROCESSOR LIST
Published: 15 April 2026
Maintained by: Legal & Compliance Team
Contact: dpa@cognitiva.systems