vmp.one
Sub-processors
Last updated: May 2, 2026
A "sub-processor" is a third party that processes customer personal data on our
behalf. This page lists every such service vmp.one uses, what data it sees, where
it processes that data, and the legal basis for the transfer.
Our commitment. We give 30 days' advance notice
before adding a new sub-processor. To receive that notice automatically, contact
your account manager. Customers retain the right to object as set out in the DPA.
Infrastructure & hosting
| Vendor | Purpose | Data processed | Region |
| Amazon Web Services | Production hosting (compute, storage, network), database backups | All customer data at rest and in transit while in our infrastructure | US (us-east-1) |
| Cloudflare | DNS, CDN, DDoS protection, edge TLS termination | HTTP request metadata (headers, IP, URL); does not see decrypted application data beyond TLS | Global edge / US origin |
Identity & authentication
| Vendor | Purpose | Data processed | Region |
| Keycloak (self-hosted) | Authentication, session management, federation | Email, display name, role assignments | Same region as our hosting |
Keycloak is software we run, not a vendor we hand data to. Listed for transparency.
AI / large language models
| Vendor | Purpose | Data processed | Region |
| Anthropic | AI copilot, remediation suggestions (Claude API) | Vulnerability descriptions, asset metadata, finding context — only when the user invokes the copilot. Not used for training. | US |
Customers can disable AI copilot per-tenant in settings. When disabled, no data
flows to Anthropic.
Billing & payments
| Vendor | Purpose | Data processed | Region |
| Stripe | Payment processing, subscription billing, invoicing | Tenant admin email, billing address, last 4 of card (Stripe holds the full PAN) | US |
Communications
| Vendor | Purpose | Data processed | Region |
| SendGrid (Twilio) | Transactional email (notifications, invitations, password resets) | Recipient email, subject, body | US (regional EU endpoint available) |
Conditional sub-processors
These sub-processors only handle data when a tenant uses the specific feature. No
data flows to them otherwise.
| Vendor | Trigger | Data processed | Region |
| GitHub | Tenant connects a GitHub repository for PR check-runs | Repository metadata, commit SHAs, vuln context posted as a check-run comment | US |
What we do NOT do
For clarity — these are common questions in customer security questionnaires:
- We do not sell, lease, or share customer data with third-party advertising or marketing networks.
- We do not use customer data to train AI models. The Anthropic API call referenced above runs under Anthropic's commercial API terms, which do not train on inputs.
- We do not ship customer data to analytics SaaS (no Segment, Heap, FullStory, etc. on the application surface).
Cross-border transfers
VMP is hosted in the United States today. For European customers, we operate
under Standard Contractual Clauses (SCCs) as published by the
European Commission. The DPA includes the SCC module appropriate for processor
transfers (Module Two). EU data residency is on the roadmap.
Contact
Questions about this list, or to subscribe to advance-notice emails:
privacy@vmpone.com.
For the full Data Processing Addendum (DPA), contact your account manager.