Subprocessor Protocol // Active Nodes

We utilize a minimal set of trusted subprocessors to execute the Service. Each node is vetted for security and privacy, bound by a data processing agreement (DPA), and restricted to the minimum data privileges necessary for its task.

ENTITY	SCOPE (PURPOSE & DATA)	COMPLIANCE (LOC & SAFEGUARDS)
Google Cloud Platform (Google LLC)	Task: Hosting, storage, networking, backups, logging. Data: Uploads, Outputs, account & usage metadata.	Loc: United States (Regionalized) Def: SCCs, Enterprise Security Program.
Google Vertex AI / Gemini (Google LLC)	Task: Model inference for analysis/generation. Data: Text supplied for inference; derived tokens/embeddings.	Loc: United States (via GCP) Def: SCCs, In-flight & At-rest encryption.
Stripe, Inc. (Fiscal Gateway)	Task: Payment processing & billing. Data: Payment tokens, billing name/email, invoice metadata.	Loc: United States (Global Infra) Def: PCI-DSS; SCCs.

>> SYSTEM NOTE: We do not permit subprocessors to use your data for their own purposes. Access is role-limited and logged.

Selection, Vetting & Oversight

Security Due Diligence: We analyze certifications/reports (SOC 2/ISO 27001), pen-test posture, and breach history.
Contractual Safeguards: Mandatory DPAs with confidentiality, technical/organizational measures, incident notice obligations, and prohibition of secondary use.
Ongoing Review: Annual reassessments, change monitoring, and minimum-privilege access scoping.

Updates & Protocol Options

Advance Notice: We will post changes to this register and notify admins (in-product or via email) before a new subprocessor gains access to personal data, barring emergency security patches.

Objection Protocol: If you have a reasonable data-protection objection to a new subprocessor, transmit a signal to info@soundlegal.ai within 15 days. We will attempt to resolve the conflict or route to alternatives.

Stay Synchronized: To subscribe to real-time updates, email info@soundlegal.ai with the subject header "Subprocessor Updates".