Overview
mixus uses a carefully vetted set of subprocessors to deliver the platform. All subprocessors are contractually bound to protect your data under our Data Processing Agreement (DPA), which incorporates Standard Contractual Clauses (SCCs) for EU and UK personal data transfers. We notify customers of any intended addition or replacement of subprocessors at least 10 business days in advance. Customers with an active DPA may object to a new subprocessor within 10 business days of notice.
Approved Subprocessors
Infrastructure & Hosting
| Name | Country | Processing Task |
|---|---|---|
| Vercel | United States | Hosting infrastructure and logging. Processes metadata and deployment data that may include customer-related diagnostic information. |
| AWS | United States | Cloud infrastructure and storage provider. Hosts application services and stores data that may include customer personal data. |
| Render Inc. | United States | Cloud compute platform hosting background worker services. Executes job processing tasks — including document redlining, email processing, and agent orchestration — that handle Customer Personal Data as part of service delivery. |
Database & Storage
| Name | Country | Processing Task |
|---|---|---|
| MongoDB Atlas | United States | Cloud-hosted database services for storing and retrieving structured customer data. |
| Pinecone | United States | Managed vector database service for semantic search and recommendation features. Stores customer-specific embeddings in logically isolated indexes and does not use such data for model training. |
AI & Machine Learning
| Name | Country | Processing Task |
|---|---|---|
| Anthropic PBC | United States | AI inference provider. Processes natural language inputs including customer email content, chat messages, and document text to generate AI-powered responses as part of the service. Does not use customer data for model training or fine-tuning per Anthropic’s API terms of service. |
| Composio Inc. | United States | Third-party application integration platform. Processes OAuth-authenticated customer data — including email content, calendar events, and productivity tool data — to execute AI-directed actions on behalf of users. Composio acts as a subprocessor when accessing, reading, or modifying data in connected third-party accounts. |
Authentication & Identity
| Name | Country | Processing Task |
|---|---|---|
| Clerk.dev | United States | User authentication and session management services. Handles and stores user identity data including names, emails, and profile photos. |
Observability & Communications
| Name | Country | Processing Task |
|---|---|---|
| Axiom | United States | Observability and log aggregation platform. Receives structured application logs that may include user identifiers (userId, chatId), IP addresses, and request metadata for the purpose of monitoring, debugging, and performance analysis. |
| Sentry | United States | Error tracking and performance monitoring, including logging application errors that may contain user metadata or identifiers. |
| Postmark (ActiveCampaign) | United States | Transactional email delivery service. Processes email addresses and email message content when delivering notifications, alerts, and service-related communications to end users. |
| Inngest Inc. | United States | Event-driven job queue and orchestration platform. Routes and manages job payloads — which may contain user identifiers and data references — to coordinate background processing tasks across the service infrastructure. |
Compliance & Security
| Name | Country | Processing Task |
|---|---|---|
| Vanta | United States | Compliance automation services, including continuous security monitoring and evidence collection related to customer data. |
Data Transfer Safeguards
All subprocessors are located in the United States. For customers subject to GDPR (EU) or UK GDPR, mixus has Data Processing Agreements in place with its subprocessors including Standard Contractual Clauses (SCCs) from the European Commission and the UK International Data Transfer Addendum where personal data is transferred to third countries.
Subprocessor Change Notification
When we add or replace a subprocessor, we will:
- Update this page at least 10 business days before the change takes effect
- Send written notice to the legal notice address on file for customers with an active DPA
DPA & Compliance
For enterprise customers requiring a Data Processing Agreement:
- Contact us at security@mixus.ai to request our standard DPA
- Our DPA is based on the Common Paper DPA Standard Terms Version 1.1
- Reviewed and approved by our compliance partner, Insight Assurance, LLC

