Skip to main content
CognitaGRC
PlatformAIUC-1 ReadinessMarketplacePricingDocsNewsroomTrust
Sign inOpen product →
Cognita

The intelligence layer for AI compliance. Built for the post-EU-AI-Act world.

ISO 42001EU AI ActNIST AI RMF
Product
PricingTrust CenterDocumentation
Frameworks
ISO/IEC 42001EU AI ActNIST AI RMF
Resources
NewsroomProduct demoDocsTrustSecurity
Company
SecurityPrivacySub-processorsContact
© 2026 Cognita, Inc. · cognitagrc.ioChecking status…
DATA PROCESSING

Sub-processors

To provide the Cognita platform we rely on a small set of third-party providers that may process personal data on our behalf. This page lists them and is kept current. Last updated 21 June 2026.

Our sub-processors

Each is engaged under a data-processing agreement and only for the purpose shown.

Sub-processorPurposePersonal dataEntity location
Amazon Web ServicesCloud infrastructure — encryption keys (KMS) & evidence storage (S3)Stored content, which may include personal dataUnited States (global regions)
AnthropicAI model (Claude) powering AI-assisted featuresContent submitted to AI featuresUnited States
ClerkAccount authentication & identityName, email, authentication metadataUnited States
DubsadoInvoicing for partner engagementsPartner contact & invoice detailsUnited States
Google (Workspace)Corporate email — incl. inbound privacy/data-rights requestsEmail content & addressesUnited States (global infrastructure)
InngestBackground job orchestration (incl. newsletter delivery scheduling)Job event payloadsUnited States
PostHogProduct & funnel analyticsPseudonymous usage eventsEuropean Union (EU Cloud)
RailwayApplication hosting & primary databaseAll stored personal dataUnited States
ResendTransactional & newsletter email deliveryRecipient email address & message contentUnited States (us-east-1, N. Virginia)
SentryApplication error monitoringDiagnostic data, which may incidentally include personal dataUnited States
StripePayments & billingBilling contact & payment metadataUnited States
WorkOSEnterprise SSO & directory sync (when enabled by a customer)Workforce identity (name, email)United States

International transfers

Where a sub-processor processes data outside the European Economic Area or the United Kingdom, that transfer is protected by appropriate safeguards — typically the EU Standard Contractual Clauses (and the UK Addendum) incorporated into our agreement with the provider.

Changes & notice

We update this page before a new sub-processor begins processing personal data. Customers with a data-processing agreement may subscribe to change notifications — email [email protected] to be added. For the newsletter specifically, see how we handle your data on the privacy notice.

Questions

Data-protection questions, or a GDPR access / erasure request? Email [email protected].

Back to home
Sub-processors — Cognita GRC · Cognita GRC