This page lists the third-party service providers ("Subprocessors") that ElasticD3M, LLC engages to deliver the Enclave AI™ Services. The Data Processing Addendum governs how Subprocessors handle Personal Data. We give Customer at least thirty (30) days' advance notice of any new Subprocessor that will process Customer Personal Data.
Active Subprocessors
| Subprocessor | Purpose | Data Scope | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure for storage, scan execution, and document rendering | Customer Data (configuration metadata, deliverables), identity / contact information | United States (us-east-1, us-west-2) |
| Railway (Railway Corp.) | Application hosting and deployment for the backend service | Customer Data in transit and at rest within the application boundary | United States (multi-region) |
| Cloudflare | CDN, DNS, edge security, web analytics | Technical metadata (IP, user-agent, request paths); no Customer Data payload | United States (global edge) |
| Stripe, Inc. | Payment processing for CMMC Readiness Snapshot™ and monthly subscriptions | Billing identity, payment method (Stripe stores card data; we receive only metadata) | United States |
| Resend | Transactional email delivery (welcome emails, deliverable notifications, support replies) | Identity / contact information, email message contents | United States |
| Google Workspace (Google LLC) | Domain email hosting for ai4cmmc.ai correspondence (agents@, partners@, intro@) | Email content from Customer correspondence with ElasticD3M, LLC | United States |
| Smartlead.ai | Business-development email outreach platform | Identity / contact information for prospects only; no current-Customer Personal Data processed | United States |
| Anthropic, PBC | Large language model inference for AI-driven document generation (Claude API) | Configuration metadata and intake responses passed as model input; outputs are deliverable contents (drafts of SSP sections, POA&M items, evidence-binder narratives) | United States. Per Anthropic's commercial terms, model inputs are not used to train models and outputs are not retained beyond inference except as required for security and abuse detection (30-day rolling retention). |
How We Manage Subprocessors
- Due diligence at onboarding: Each Subprocessor is evaluated for security posture, applicable compliance certifications, and contractual commitments substantially equivalent to those in our DPA.
- Annual review: Active Subprocessors are reviewed at least annually for continued compliance.
- Contractual flow-down: Each Subprocessor is bound by data-protection obligations no less protective than those in our DPA with Customer.
- Change notice: Customer receives at least thirty (30) days' advance notice of any new Subprocessor that will process Customer Personal Data, via an update to this page and an email to the primary account contact.
Objection Procedure
If Customer objects to a new Subprocessor, Customer may notify ElasticD3M, LLC in writing within thirty (30) days of the notice. The parties will work in good faith to resolve the objection (for example, by configuring the Services to avoid the new Subprocessor for Customer's account). If the parties cannot resolve the objection, Customer may terminate the affected portion of the Services and receive a pro-rata refund of any unused prepaid fees.
Contact
Subprocessor questions or objections: privacy@elasticd3m.com
Last Updated: May 12, 2026 · Version: 2.0