Sub-Processors List
Effective Date: 14 April 2026
Last Updated: 17 May 2026
Owner: Privacy Officer
Review Frequency: On engagement of any new sub-processor, and at minimum quarterly during the management review
This page lists every sub-processor engaged by Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (ABN 61 633 823 792), trading as Provii, in the delivery of the Provii age verification platform and the docs interactive sandbox. It is the canonical sub-processor list referenced by Annex III of the SCC Addendum and by the Standard DPA, Enterprise DPA, and the DPA Docs Sandbox Addendum.
Customers acting as data controllers are deemed to have given general written authorisation under SCC Module 2 Clause 9(a) Option 2 to the sub-processors listed below. Maelstrom AI will give at least 30 days’ advance notice of changes to this list (additions, removals, and material scope changes), with the notification mechanism described under Notification of Changes.
Completeness attestation
As of 17 May 2026, this list enumerates every sub-processor currently engaged in production. The inventory was cross-checked against the following sources:
- Worker runtime bindings in admin-portal/wrangler.toml, provii-management/wrangler.toml, provii-credit-management/wrangler.toml, provii-verifier/wrangler.toml, provii-issuer/wrangler.toml, provii-demos/demo-web-provii-agegate/wrangler.toml, and provii-status/wrangler.toml.
- Secrets Store bindings and the canonical Secrets Store namespace 6e32e830825542ef86170c1b634df9e6.
- Email and authentication integrations in provii-management/src/services/email-service.ts, provii-management/src/routes/email.ts, admin-portal/src/utils/logto.ts.
- Observability bindings (grafana-logs and grafana-traces) present in provii-verifier/wrangler.toml, provii-issuer/wrangler.toml, provii-management/wrangler.toml, provii-credit-management/wrangler.toml, admin-portal/wrangler.toml, and provii-status/wrangler.toml.
- Existing privacy artefacts: Privacy Policy, DPIA, DPIA Docs Sandbox, ROPA (maintained internally; available to auditors and enterprise customers on request), Third-Party Vendor Evidence.
Stripe appears in earlier ISMS drafts as a planned payment processor for verifier billing; no Stripe integration is live in production code at the time of this attestation and no payment card data is currently processed. Stripe will be added to this list, and the Effective Date will advance, when the billing integration lands.
1. Infrastructure sub-processors
1.1 Cloudflare, Inc.
| Field | Detail |
|---|---|
| Sub-processor | Cloudflare, Inc. |
| Address | 101 Townsend Street, San Francisco, CA 94107, USA |
| Services delivered | Cloudflare Workers (Workers Paid plan), Cloudflare R2 object storage, Cloudflare KV, Cloudflare Durable Objects, Cloudflare Workers Logs, Cloudflare managed challenge (CAPTCHA replacement), Cloudflare Super Bot Fight Mode, Cloudflare WAF, Cloudflare Secrets Store, Cloudflare DNS |
| Purpose | Hosting and execution of all Provii Workers (provii-verifier including hosted mode, provii-issuer, provii-management, provii-credit-management, provii-status, provii-agegate, provii-demos gateway), KV-backed challenge and rate-limiter state, R2-backed backup exports from provii-backup, structured console.log JSON shipment via Workers Logs to the Grafana Loki sink for audit and operational telemetry, Cloudflare managed challenge-protected credential mint endpoints on the docs sandbox, Super Bot Fight Mode passive bot mitigation on docs.provii.app/api/* and preview.docs-sandbox.provii.app |
| Data shared | Hashed source IP addresses (HMAC-SHA-256 keyed by PII_HASH_KEY), pseudonymous session identifiers including __Host-docs_session, challenge nonces, sandbox credential identifiers carrying the docs-sbx-* and mwallet-sbx-* prefixes, request and response bodies traversing the Workers runtime, audit and security telemetry events. Raw IP addresses are not expected to be persisted server-side. No real dates of birth or names are processed by the docs sandbox surface; fixture-only schema rejection is designed to enforce this at the gateway. |
| Processing locations | Cloudflare global edge network. Traffic is served from the data centre nearest the requester. |
| Certifications | SOC 2 Type II, ISO 27001, ISO 27018 (cloud PII processor extension), PCI DSS Level 1 (for the relevant services), GDPR-compliant data processing |
| DPA in place | Yes. Cloudflare master Data Processing Addendum is the binding instrument. EU Standard Contractual Clauses (Decision 2021/914, Module 2: controller to processor) apply for transfers out of the EEA. The UK International Data Transfer Addendum (UK IDTA) applies for transfers out of the UK. |
| DPA reference | Cloudflare Data Processing Addendum, current version, accepted via the Cloudflare dashboard. Mirror of the operative version retained at compliance/evidence/vendors/third-party-evidence.md. |
| Sub-processor of Cloudflare | Cloudflare maintains its own published sub-processor list at https://www.cloudflare.com/cloudflare-customer-subprocessors/. Maelstrom AI monitors this list as part of supplier management. |
| Audit rights | Right to audit incorporated by reference into the DPA. Cloudflare publishes SOC 2 Type II reports under NDA. |
| Onward transfer | Cloudflare may sub-process within its own corporate group and to its named sub-processors; covered under its own DPA. |
2. Mobile attestation sub-processors
2.1 Apple App Attest service (Apple Inc.)
| Field | Detail |
|---|---|
| Sub-processor | Apple Inc. (App Attest service) |
| Address | One Apple Park Way, Cupertino, CA 95014, USA |
| Services delivered | App Attest hardware-backed attestation for the iOS Provii wallet. Apple’s attestation service issues a hardware-bound key pair and signs assertions that the wallet relays to the Provii provii-issuer during credential issuance. |
| Purpose | Verify that issuance and refresh requests originate from a genuine Provii iOS wallet binary running on a non-rooted Apple device, mitigating credential cloning and emulator abuse. |
| Data shared | Apple-issued attestation public key, attestation receipt, app bundle identifier, key identifier. No user identity, no Apple ID, no device serial number, no IDFA, no email address. Apple processes the attestation request server-side; Maelstrom AI never sees the underlying device key material. |
| Processing locations | Apple-operated infrastructure. Apple does not publish a single fixed processing region for App Attest; transfers are governed by Apple’s own controller-to-controller and processor agreements with iOS developers. |
| Certifications | Apple maintains SOC 2 Type II for the relevant operational services. App Attest specifically is described in Apple’s developer documentation; security guarantees rest on the Secure Enclave and Apple’s attestation infrastructure. |
| DPA in place | Apple Developer Program Licence Agreement with the Apple Developer Program Schedule 2 (Data Processing Addendum) applicable where Maelstrom AI is acting as a data controller and Apple is acting as a processor. For App Attest, Apple operates as an independent controller for the device-attestation telemetry it collects on its own behalf, and as a service provider for the attestation result returned to Maelstrom AI. |
| DPA reference | Apple Developer Program Licence Agreement and Schedule 2 (Data Processing Addendum), accepted in the Apple Developer portal. |
| Audit rights | Per the Apple Developer Program Licence Agreement; limited audit rights typical of platform-attestation services. |
| Onward transfer | Apple may sub-process within its corporate group; covered under Apple’s own published terms. |
2.2 Google Play Integrity service (Google LLC)
| Field | Detail |
|---|---|
| Sub-processor | Google LLC (Play Integrity API) |
| Address | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA |
| Services delivered | Play Integrity attestation tokens for the Android Provii wallet. The wallet requests a Play Integrity verdict covering app integrity, device integrity, licence verdict, and Play Protect verdict signals; the wallet relays the verdict to the Provii provii-issuer during credential issuance. |
| Purpose | Verify that issuance and refresh requests originate from a genuine, unmodified Provii Android wallet binary running on a non-rooted Play-certified device, mitigating credential cloning, repackaging attacks, and emulator abuse. |
| Data shared | Play Integrity verdict (app integrity, device integrity, licence verdict, Play Protect verdict), nonce supplied by the provii-issuer, package name, certificate hash. No Google account identifier, no advertising identifier, no email address, no precise location. The Play Integrity API processes the device-integrity check server-side; Maelstrom AI never sees the underlying device key material. |
| Processing locations | Google global infrastructure. Google operates Play services from regional data centres; transfers are governed by Google’s own data-processing instruments. |
| Certifications | Google maintains SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, and ISO 27701 for Google Cloud Platform. Play Integrity specifically rides on Google Play services infrastructure; security guarantees rest on the Trusted Execution Environment, Google’s hardware-backed key attestation, and Play Protect. |
| DPA in place | Google Play Developer Distribution Agreement and the Google Play Developer Distribution Agreement Data Processing and Security Terms, applicable where Maelstrom AI is acting as a data controller and Google is acting as a processor. The Play Integrity API specifically operates under the Google APIs Terms of Service and Google’s data processing terms for Google Cloud customers where applicable. |
| DPA reference | Google Play Developer Distribution Agreement, Data Processing and Security Terms (Google Play), accepted in the Google Play Console. |
| Audit rights | Per the Google data processing terms; limited audit rights typical of platform-attestation services. |
| Onward transfer | Google may sub-process within its corporate group; covered under Google’s own published terms. |
3. Transactional email sub-processors
3.1 Resend (Resend, Inc.)
| Field | Detail |
|---|---|
| Sub-processor | Resend, Inc. |
| Address | 2261 Market Street #5039, San Francisco, CA 94114, USA |
| Services delivered | Transactional email delivery (API-based) for verifier welcome emails, organisation invitation emails, and operational notifications issued by provii-management and admin-portal. |
| Purpose | Send low-volume transactional email tied to administrator onboarding and verifier account provisioning. Resend is not used for marketing or bulk mailing. |
| Data shared | Recipient email address, recipient display name where present, plain-text and HTML email body, sender address. No age verification data, no wallet identifiers, no attestations, no children’s data. The __Host-docs_session cookie is never forwarded to Resend. |
| Code references | provii-management/src/services/email-service.ts:524 (hardcoded https://api.resend.com/emails endpoint, no dynamic URL construction), provii-management/src/routes/email.ts:192-209 (API key retrieval via cached Secrets Store binding), admin-portal/wrangler.toml:132-134 (RESEND_API_KEY binding on Secrets Store namespace 6e32e830825542ef86170c1b634df9e6). |
| Processing locations | Resend operates primarily from US-based infrastructure. |
| Certifications | Resend publishes SOC 2 Type II; relevant compliance documentation available from Resend on request. |
| DPA in place | Yes. Resend publishes a standard Data Processing Addendum that applies by default to API-key customers and incorporates EU SCCs for transfers out of the EEA. |
| DPA reference | Resend Data Processing Addendum, accepted via the Resend dashboard. Mirror retained at compliance/evidence/vendors/third-party-evidence.md when next refreshed. |
| Audit rights | Per the Resend DPA; SOC 2 Type II report available under NDA. |
| Onward transfer | Resend relies on its own infrastructure providers; covered under Resend’s published terms. |
4. Authentication sub-processors
4.1 Logto (Silverhand Inc.)
| Field | Detail |
|---|---|
| Sub-processor | Silverhand Inc., operator of Logto |
| Address | Per Silverhand’s published corporate record |
| Services delivered | OAuth 2.0 and OpenID Connect identity provider for the Provii administrator surface (admin-portal) and for officer authentication in provii-issuer. Delivers authentication, MFA enrolment and enforcement (TOTP, email OTP, SMS OTP, WebAuthn), role and organisation membership, and session lifecycle. |
| Purpose | Authenticate Maelstrom AI staff and verifier organisation administrators. Not used for end-user wallet flows; wallet users never interact with Logto. |
| Data shared | Administrator email address, Logto user identifier, organisation membership, role assignments, MFA factor metadata (TOTP seed reference, WebAuthn credential identifier, phone number for SMS OTP where enabled), session and refresh tokens, sign-in events. No wallet data, no age verification data, no children’s data. |
| Code references | admin-portal/src/utils/logto.ts (OAuth 2.0 + OIDC integration), admin-portal/wrangler.toml:15-20 (LOGTO_ENDPOINT, LOGTO_APP_ID configuration), admin-portal/wrangler.toml:112-114 (LOGTO_APP_SECRET Secrets Store binding), provii-management/src/types/logto.ts (management API types), provii-management/src/types/index.ts:54-57 (LOGTO_M2M_APP_ID and LOGTO_M2M_APP_SECRET bindings). |
| Processing locations | Logto offers cloud and self-hosted deployments. Maelstrom AI currently runs against the Logto hosted tenant at auth.provii.app, which is deployed on infrastructure managed by Silverhand per Logto’s published hosting terms. |
| Certifications | Logto publishes its compliance posture on its website; Maelstrom AI tracks changes to that posture as part of supplier management. Additional certifications are requested on engagement renewal. |
| DPA in place | Yes. Logto publishes a Data Processing Addendum that applies to hosted-tenant customers and incorporates EU SCCs for transfers out of the EEA. |
| DPA reference | Logto Data Processing Addendum, accepted during tenant provisioning. Mirror retained at compliance/evidence/vendors/third-party-evidence.md when next refreshed. |
| Audit rights | Per the Logto DPA; available security artefacts requested at engagement renewal. |
| Onward transfer | Logto relies on its own hosting infrastructure provider(s); covered under Logto’s published terms. |
5. Observability sub-processors
5.1 Grafana Labs Inc.
| Field | Detail |
|---|---|
| Sub-processor | Grafana Labs Inc. |
| Address | 3 Park Avenue, 29th Floor, New York, NY 10016, USA |
| Services delivered | Grafana Cloud: Loki (log aggregation) and Tempo (distributed trace collection) |
| Purpose | Centralised observability for verification, issuance, and administrative services. Logs and traces are used for incident response, security investigation, and service reliability monitoring. |
| Data shared | HMAC-SHA-256 hashed (salted) IP addresses (keyed by PII_HASH_KEY), pseudonymous session identifiers, request metadata (method, path, status code, latency), audit event metadata, trace spans. Raw IP addresses are not expected to be transmitted. No dates of birth, names, wallet credentials, or attestation payloads are included in log or trace payloads. |
| Legal basis | Legitimate interest (service reliability and incident response). Balancing test documented in the Legitimate Interest Assessment. |
| Retention | 90 days (Grafana Cloud Loki and Tempo tenant retention policy). Automatic deletion; no manual intervention required. Critical security event logs are retained for up to 365 days. |
| Controls | SOC 2 Type II, ISO 27001 (supplier-held, via Grafana Labs). Data is encrypted in transit (TLS 1.3) and at rest. |
| Transfer mechanism | EU Standard Contractual Clauses (EU Commission Decision 2021/914, Module 2: controller-to-processor). See SCC Addendum Annex III for the full transfer record. |
| DPA in place | Yes. Grafana Labs publishes a standard Data Processing Addendum incorporated into the Grafana Cloud terms of service. Maelstrom AI relies on that published DPA, which incorporates EU Standard Contractual Clauses for transfers out of the EEA to the US. No separate bespoke agreement is required or in place. |
| DPA reference | Grafana Labs Data Processing Addendum, as published and incorporated into the Grafana Cloud terms of service. Mirror retained at compliance/evidence/vendors/third-party-evidence.md. |
| Audit rights | Per the Grafana Labs DPA; SOC 2 Type II report available under NDA. |
| Onward transfer | Grafana Labs may sub-process within its own infrastructure providers; covered under Grafana Labs published terms. |
| Code references | grafana-logs and grafana-traces observability bindings present in provii-verifier/wrangler.toml, provii-issuer/wrangler.toml, provii-management/wrangler.toml, provii-credit-management/wrangler.toml, admin-portal/wrangler.toml, and provii-status/wrangler.toml. |
6. Notification of changes
Maelstrom AI will notify customer-controllers of additions, removals, or material scope changes to this list via:
- Update to this page (/legal/sub-processors), with a dated entry in the Changelog below.
- Direct email notification to the controller’s nominated privacy contact for any change that triggers SCC Clause 9(a) Option 2 prior-notice obligations, no later than 30 days before the new sub-processor begins processing.
A controller may object to a new sub-processor under the procedure documented in the Standard DPA and the Enterprise DPA.
7. Cross-references
| Document | Relationship |
|---|---|
| Standard DPA | This list satisfies the sub-processor disclosure obligation in the Standard DPA. |
| Enterprise DPA | This list satisfies the sub-processor disclosure obligation in the Enterprise DPA. |
| SCC Addendum | Annex III of the SCC Addendum points at this list as the authoritative sub-processor inventory. |
| DPA Docs Sandbox Addendum | The Docs Sandbox Addendum incorporates this list for the additional processing surfaces introduced by the docs gateway. |
| ROPA (maintained internally; available to auditors and enterprise customers on request) | Activity records reference the relevant sub-processor entries here. |
| Third-Party Vendor Evidence | Operational vendor inventory and security assessment for ISMS audit purposes. |
| Supplier Management Procedure | Procedural framework for sub-processor onboarding, monitoring, and offboarding. |
Changelog
| Version | Date | Summary |
|---|---|---|
| 1.0 | 2026-04-13 | Initial publication. Lists Cloudflare (infrastructure), Apple App Attest service (iOS attestation), and Google Play Integrity service (Android attestation). |
| 1.1 | 2026-04-14 | Added Resend (transactional email) and Logto (OIDC administrator authentication) after a production source-code sweep surfaced two engaged sub-processors missing from v1.0. Added a completeness attestation at the top of the document naming the sources cross-checked. Noted that Stripe remains planned, not live, and will be added when the billing integration lands. |
| 1.2 | 2026-05-17 | Added Section 5 “Observability sub-processors” with entry 5.1 Grafana Labs Inc. (Grafana Cloud Loki and Tempo). A source-code sweep identified grafana-logs and grafana-traces bindings present in all six production Workers. Updated completeness attestation date and cross-check sources. Added Grafana Labs to SCC Addendum Annex III. Resolved the pending flag in the DPA Docs Sandbox Addendum Section 5. |
Document Information
| Field | Value |
|---|---|
| Owner | Privacy Officer |
| Version | 1.2 |
| Effective date | 14 April 2026 |
| Last updated | 17 May 2026 |
| Next review | On engagement of any new sub-processor, and at minimum at the next quarterly management review |
| Classification | Public |