Trust center / Sub-processors
Sub-processors
The complete list of third parties with access to customer data. The list is deliberately short because our architecture is built on your existing M365 tenant rather than on a stack of additional cloud services.
Active sub-processors
Who has access, what they do, where they operate
| sub-processor | Purpose | Region | Applies when |
|---|---|---|---|
| Microsoft Corporation | Hosting platform (Microsoft 365 — SharePoint, Entra, Purview, Graph API) | Your tenant's provisioned region | Always (the underlying platform) |
| DocuSign, Inc. | PAdES e-signature ceremony (document transits for signing, returns to SharePoint) | Configurable — DocuSign EU region recommended for EU tenants | Only when the DocuSign integration is enabled |
| intranet.ai S.r.l. | Vendor-layer operations (service accounts in your tenant, telemetry, support) | Italy (EU) | Always (the vendor itself) |
Note: "Microsoft" is typically not a new sub-processor for our customers because they're already in a direct contractual relationship with Microsoft as their M365 provider. We don't introduce Microsoft; we inherit it from your existing M365 agreement.
What's not on the list
sub-processor categories we deliberately don't use
Analytics vendors
No Mixpanel, Amplitude, or similar. Our product-analytics is metadata only (approval counts, cycle times) and stays within our ISMS boundary.
AI/ML training providers
Customer document content is never sent to AI/ML training providers. Not OpenAI, not Anthropic, not any other. This is a contractual commitment.
CDN or caching providers
Documents aren't cached at a third-party CDN. They're served from your SharePoint tenant via Microsoft's own infrastructure.
Third-party storage
No AWS S3, no Google Cloud Storage, no Backblaze, no custom storage. Your documents live in SharePoint, period.
Marketing automation
No HubSpot, no Marketo with access to customer tenant data. Marketing tools are scoped to our own marketing contacts, not to customer content.
Customer-support platforms
Support tickets are handled through systems scoped to our operations. Customer document content is never uploaded to or processed by a support platform.
Notification policy
How we handle changes to this list
Per GDPR Article 28(2), we notify customers in advance of any intended changes concerning the addition or replacement of sub-processors. The notification window is 30 days minimum, which gives your compliance team time to review, object (if applicable under the contract), or approve the change before it takes effect.
Notifications go to the primary compliance contact on record for each customer tenant. If that contact has moved or is out of date, please email trust@docs365.ai with updated contact information.
DPA
Data processing addendum
Our DPA covers the Article 28 processor responsibilities, incorporates the current sub-processor list, includes the Standard Contractual Clauses for any third-country transfers, and aligns with Microsoft's Online Services DPA for the platform layer. Available to customers during contracting or by request to trust@docs365.ai.
Vendor-risk questionnaire asking about sub-processors?
The list above is usually the complete answer. Send us your specific questionnaire and we'll respond with precise citations — usually under one business day.