Every third party that touches customer data. Listed by name.
Under the DPA, STRATUS engages a small number of sub-processors to deliver the platform. Customers are notified at least 30 days before any new sub-processor is added, and may object on reasonable grounds.
This list represents subprocessors currently authorized to process customer data under the STRATUS service.
| Sub-processor | Role | Data Categories | Region |
|---|---|---|---|
| Amazon Web Services, Inc. | Infrastructure | All customer data — encrypted at rest, customer-managed KMS available | us-west-2 (primary) · us-east-1 (DR) |
| Cloudflare, Inc. | Edge / DDoS / WAF | TLS terminated at Cloudflare edge for public web traffic (stratusaccessgov.com). The Hybrid Connector Gateway tunnel runs end-to-end mTLS direct to origin and does not pass through Cloudflare. Cloudflare WAF/Workers inspect only public-web traffic, never customer-data plane traffic. | Global edge · WAF rules deployed to us-west-2 |
| Datadog, Inc. | Observability | Operational metrics and scrubbed application logs; no intentional customer PII | US-1 |
| HashiCorp, Inc. | Secrets | STRATUS-internal credentials only — customer credentials pass-through, never stored | Self-hosted in our AWS |
| Sentry.io (Functional Software, Inc.) | Error tracking | Stack traces and error context (PII scrubbed at SDK layer) | US |
| PagerDuty, Inc. (in setup) | Incident response | Incident metadata, on-call routing (no customer data) | US |
| Stripe, Inc. | Billing | Customer billing contacts and payment information (Founding Partners use direct invoicing; self-serve billing infrastructure in place for future customers) | US |
| Google Workspace | Internal email | STRATUS team correspondence with customers | US |
To be notified of changes to this list, email [email protected] with the subject line "Subprocessor notifications." We send change notices at least 30 days before activation.