Sub-processors

Last updated: June 13, 2026

This page lists the sub-processors that help us deliver Custosa, what each one is used for, and the data it touches. Our overriding commitment: the raw records Custosa inspects are never sent to third parties.

01 Our commitments

  • The raw records Custosa inspects are never sent to third parties. The managed control plane processes only content-free metadata and verdict evidence.
  • There are no analytics SDKs or marketing pixels in the Custosa product, ever.
  • We provide at least 30 days' notice before adding or changing a sub-processor, and you may object as provided under GDPR Article 28.

02 Where your data lives

The Custosa data plane runs inside your own environment. In on-premises and air-gapped deployments, no Custosa sub-processor touches your data at all. In Custosa Cloud, the data plane still runs in your boundary; the managed control plane handles only content-free metadata and the verdict evidence ledger, never record content.

03 Current sub-processors (Custosa Cloud)

| Sub-processor | Purpose | Data |
|---|---|---|
| Amazon Web Services | Cloud hosting and managed database for the control plane (region-matched) | Content-free metadata and verdict evidence only |

Operational vendors for transactional email, error monitoring, and observability are being finalized ahead of general availability. We will list each one here, with its purpose and the data it touches, before it processes any customer data, and we will give 30 days' notice of changes. The current list is available to customers on request.

04 Systems you configure (not Custosa sub-processors)

Some systems Custosa connects to are operated by you, under your control, and are not Custosa sub-processors: your identity provider (for example Okta, Azure AD, or LDAP), your relationship store (for example SpiceDB or OpenFGA), and any key-management service or vault you bring. Custosa reads from these to make decisions; it does not control them.