Sub-processors
AuditForge is operated by Base2ML LLC and uses the following sub-processors to deliver the service. Each sub-processor is bound by a Data Processing Agreement (DPA) or equivalent contractual safeguard.
Last reviewed: 2026-05-10
| Sub-processor | Purpose | Data accessed | Region | DPA |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Compute (ECS Fargate), storage (S3 per-engagement isolated buckets), networking (ALB), logging (CloudWatch), key management (SSM Parameter Store) | All customer-provided source documents and derived artifacts (findings, audit logs, deliverables) | us-east-1 | AWS Customer Agreement DPA |
| Anthropic | Large-language-model inference (Claude Opus 4.7 for reasoning + adversarial verification; Claude Sonnet 4.6 for catalog/investigate) | Excerpts of customer source documents passed as prompt context to the API; outputs returned | US (Anthropic data centers) | Anthropic Commercial Terms (data not used for training in default mode) |
| OpenAI | Large-language-model inference for high-volume mechanical work (cluster labeling, embeddings via gpt-4o-mini) | Document excerpts and chunk-level metadata; outputs returned | US (OpenAI data centers) | OpenAI Enterprise / API Terms (data not used for training in API mode) |
| Vercel | Documentation site hosting (docs.base2ml.com) | No customer data — only public documentation pages | Global edge network | Vercel DPA |
| GitHub | Source code repository hosting | No customer data — only AuditForge source code | Global | GitHub DPA |
What we do not use
For clarity:
- No analytics SDKs (no Google Analytics, Segment, Mixpanel, Heap, etc.) in the AuditForge web application
- No third-party error trackers (no Sentry, Rollbar) — errors are logged to AWS CloudWatch only
- No third-party authentication providers today — TOTP MFA is implemented in-house against the pyotp library; password hashing uses argon2id
- No payment processors as of 2026-05-10 — invoicing is handled out-of-band
- No email service in production — AWS SES is sandboxed in the account; transactional email (password reset notifications, etc.) is not currently dispatched. Recovery flows use admin-issued out-of-band channels per Phase 16.
Data residency
All customer data — source documents, derived chunks, FAISS indexes, findings, audit logs, deliverables, engagement metadata — is stored in AWS S3 in the us-east-1 region. Compute runs in the same region via ECS Fargate. There is no cross-region replication and no edge caching of customer data.
How we notify of changes
Material changes to the sub-processor list (adding a new sub-processor, changing the region of an existing one) are announced via this page with the Last reviewed date updated. Annual platform-license customers receive an email notification at least 30 days before a material change takes effect.
Contact
For questions or to request a copy of any sub-processor DPA, email chris@base2ml.com.