Keygraph engages the third-party service providers listed below ("Subprocessors") in connection with the Keygraph Cloud Service. Each Subprocessor is contractually bound to data-protection obligations substantially equivalent to those applicable to Keygraph under the Keygraph Data Processing Agreement.
The Subprocessors listed below include both (a) Subprocessors that Process Customer Personal Data today in delivering the Cloud Service, and (b) Subprocessors authorized upon execution of the Agreement for potential future use. Customer's general authorization at the time of executing the Agreement extends to all Subprocessors listed below. Additions to or replacements of entries on this list are subject to the notice and objection procedure in the Data Processing Agreement.
Each Subprocessor is grouped by category:
(Note: Third-party service providers used for Keygraph's internal business operations—such as payment processing, CRM, and billing—act as our own processors while we act as the Data Controller. Because they do not process Customer Content, they are not Subprocessors under the DPA and are not listed here. For information on how we handle account and billing data, please see our Privacy Policy.)
This page is the authoritative source for Keygraph's current Subprocessor list. How customers receive notice of changes depends on the agreement under which they use the Cloud Service:
In either case, Customer may email legal@keygraph.io to confirm the current list or ask questions about Keygraph's Subprocessor program.
These Subprocessors Process Customer Content and operational data in delivering the Cloud Service. Where Customer has elected the EU Data Residency option, only EU-region facilities of the infrastructure Subprocessors (AWS, GCP, Azure, ClickHouse, Temporal) are used for Customer's tenant. Certain Subprocessors in this category process Customer Content only when Customer initiates support or troubleshooting communications (e.g., by emailing support, opening a ticket, or sharing content in a support channel); for those Subprocessors, processing follows the global service of the Subprocessor and is not constrained by the EU Data Residency election.
Single-Cloud Provisioning: By default, Keygraph provisions Customer tenants on Amazon Web Services (AWS). Customers may explicitly opt to provision their tenant on Google Cloud Platform (GCP) or Microsoft Azure instead. A single tenant is provisioned on only one of these three primary cloud hosts; Customer Content is not replicated across AWS, GCP, and Azure simultaneously.
| Subprocessor | Purpose | Entity Location | EU Data Residency Option |
|---|---|---|---|
| Amazon Web Services, Inc. | Primary cloud hosting and infrastructure (Default) | USA (with EU regions available) | Yes — tenant data stored in AWS EU regions |
| Google Cloud Platform (Google LLC) | Primary cloud hosting and infrastructure (Explicit opt-in alternative to AWS) | USA (with EU regions available) | Yes — EU regions used for EU-resident tenants where applicable |
| Microsoft Azure (Microsoft Corporation) | Primary cloud hosting and infrastructure (Explicit opt-in alternative to AWS) | USA (with EU regions available) | Yes — EU regions used for EU-resident tenants where applicable |
| Cloudflare, Inc. | Global CDN, DNS, DDoS protection, edge security, and edge compute (Cloudflare Workers) | Global edge network | Edge traffic served globally from nearest POP; geographic data localization features available where configured by Keygraph |
| ClickHouse, Inc. | Real-time analytics and data warehousing | USA (with EU regions available) | Yes — EU regions used for EU-resident tenants |
| Temporal Technologies, Inc. | Workflow orchestration | USA (with EU regions available) | Yes — EU regions used for EU-resident tenants |
| Resend (Resend, Inc.) | Transactional email delivery (product notifications, alerts, account emails) | USA (with EU region available) | Yes — emails to recipients in the EEA are processed within Resend's EEA infrastructure |
| Plain (Plain Inc.) | Customer support and ticketing system (may process Customer Content if submitted by Customer for support or troubleshooting purposes) | UK / USA | Not applicable — handles ad-hoc support communications initiated by Customer outside the Cloud Service, not Customer Content stored in the Cloud Service tenant |
| Google LLC (Google Workspace) | Corporate email and document hosting (may process Customer Content if submitted by Customer via email for support or troubleshooting purposes) | USA | Not applicable — handles ad-hoc support communications initiated by Customer outside the Cloud Service, not Customer Content stored in the Cloud Service tenant |
| Slack Technologies, LLC (a Salesforce company) | Customer support communications and alerting via shared channels (may process Customer Content if submitted by Customer for support or troubleshooting purposes) | USA | Not applicable — handles ad-hoc support communications initiated by Customer outside the Cloud Service, not Customer Content stored in the Cloud Service tenant |
Strict BYOK Default: The default configuration for the Keygraph Cloud Service is strict BYOK (Bring-Your-Own-Key). Today, AI features operate against large language model endpoints designated and controlled by Customer. Under the BYOK architecture, the LLM provider Customer designates is Customer's direct vendor, not Keygraph's Subprocessor, and no Customer Content is routed to the providers listed below.
Explicit Opt-In for Keygraph-Managed AI: Keygraph may offer AI features that operate against Keygraph-managed LLM endpoints rather than Customer-designated endpoints. Use of these Keygraph-managed AI Subprocessors is strictly opt-in. Keygraph will not route Customer Content to the Subprocessors in this category unless Customer explicitly enables these features within the Cloud Service dashboard or via an Order Form.
Why these entries are listed: These providers are listed to authorize their use only if and when Customer chooses to opt-in to Keygraph-managed AI features. Because activation requires Customer's explicit opt-in, standard Subprocessor objection periods do not apply to the initial activation of these features; Customer controls whether data is shared by choosing whether to enable the feature.
Current handling: Keygraph's handling of AI request and response data — including under the current BYOK architecture — is further described in Keygraph's Code Security Posture.
| Subprocessor | Purpose (if explicitly enabled by Customer) | Entity Location |
|---|---|---|
| Anthropic PBC | Large language model service | USA |
| OpenAI, L.L.C. | Large language model service | USA |
| OpenRouter, Inc. | LLM gateway and routing | USA |
| Fireworks AI, Inc. | LLM inference platform | USA |
For customers with an executed Keygraph Data Processing Agreement, the right to object to new Subprocessors is governed by Section 3.1 of that agreement. For customers using the Keygraph Standard Data Processing Terms (available at keygraph.io/dpa), the right to object is governed by Section 3.3 of those terms. (Note: As detailed in Categories A and B, objection procedures do not apply to opt-in primary cloud hosts or opt-in AI features, as Customers may simply decline to opt-in.)
Email legal@keygraph.io with questions about Keygraph's Subprocessor program or to confirm the current list of Subprocessors.
Keygraph, Inc. | © 2026 All rights reserved. This page is updated regularly. For the most current information, refer to this URL directly.