Sub-processor List
Effective date: July 9, 2026
- Company/product
- Cracken / https://cracken.ai
- Legal entity
- CrackenAGI Ltd.
- Registered office
- 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, United Kingdom, WA14 2DT
- Governing law for self-serve terms
- England and Wales
1. What is a sub-processor?
A sub-processor is a third party that Cracken engages to process Customer Personal Data on Cracken's behalf to provide, secure, support or improve the services. Cracken remains responsible for sub-processors as required by the Data Processing Agreement.
2. Cracken commitments
Cracken will:
- perform risk-based security and privacy diligence before engaging sub-processors;
- enter into written agreements requiring confidentiality, security and data-protection obligations appropriate to the processing;
- limit sub-processor access to documented purposes;
- maintain this list with provider, purpose, data categories and processing location;
- provide mandatory email notice of material sub-processor changes to the relevant customer contact;
- allow objections based on legitimate data-protection grounds through the DPA process;
- prohibit AI sub-processors from using Customer Personal Data for their own model training unless disclosed and authorized by the customer agreement or settings.
3. Customer-data sub-processors
| Provider | Product/service | Purpose | Data categories | Processing location | Notes |
|---|---|---|---|---|---|
| Microsoft Azure | Azure cloud infrastructure | Main hosting, compute, storage, networking, security and operational infrastructure | Account data, customer content, logs, technical metadata, security events | UK South | Main infrastructure and primary data-residency location |
| Amazon Web Services | AWS Bedrock with Anthropic models | LLM inference and AI-assisted security-analysis workflows | Prompts, retrieved context, selected customer content, scan artifacts and report context as required by enabled features | US East and EU West regions | AI sub-processor; contracts/settings should prohibit AWS/Anthropic provider-side model training on Customer Personal Data |
| Google Cloud Platform | Self-hosted LLM infrastructure | Self-hosted model inference, customer-specific adaptation and AI workflow processing | Prompts, retrieved context, selected customer content, scan artifacts, telemetry and report context as required by enabled features | EU West region | AI infrastructure for self-hosted LLM processing |
4. Controller-side and website service providers
The following providers may process personal data for website analytics, controller-side business operations or non-customer-content purposes. They are disclosed for transparency but may not be sub-processors for Customer Personal Data in all contexts.
| Provider | Product/service | Purpose | Data categories | Processing location | Notes |
|---|---|---|---|---|---|
| Google Analytics | Website analytics and reporting | Website usage events, page views, referrer, approximate location and device/browser information | Google processing locations | Analytics cookies are optional where consent is required | |
| Featurebase | Support ticketing and feedback portal at https://crackenai.featurebase.app/ | Support requests, feedback, high-risk target approval workflows and customer communications | Contact details, ticket content, comments, attachments, metadata and status information submitted by users | Featurebase processing locations | Users should avoid submitting secrets or unnecessary sensitive data in support tickets |
Cracken does not currently use third-party marketing or retargeting providers.
5. Export/sanctions processing note
Cracken's self-serve export/sanctions baseline restricts access from, for the benefit of, or in connection with: Russia; Belarus; Cuba; Iran; North Korea / DPRK; Syria; Crimea / Sevastopol / occupied or non-government-controlled Ukrainian territories, including Donetsk, Luhansk, Kherson and Zaporizhzhia areas; and any other restricted party, end use, sector, transaction or territory under applicable EAR, ITAR, OFAC, EU, UK, UN or similar rules. Sub-processors may process compliance, logging, security and location signals where needed to operate these controls.
6. AI sub-processor special notice
AI sub-processors may receive prompts, retrieved context, vulnerability evidence, report drafts or other customer content only as needed to provide enabled features. Cracken must contractually restrict AI sub-processors from using Customer Personal Data for their own model training unless the customer has authorized that use or the applicable agreement clearly permits it.
Cracken's self-serve posture is aggregated/de-identified telemetry for self-serve product and system improvement, and separate negotiated permission or applicable customer setting for customer-content training for cross-customer model improvement. Customer content may be used during the subscription for customer-specific model adaptation and customer-specific service improvement. For plans below Pro, optional improvement storage is enabled by default; for Pro plan and higher subscriptions, customers may opt out of optional improvement storage where Cracken makes that control available, subject to operational, security, legal, export/sanctions, abuse-prevention, incident-response and service-delivery retention.
7. Change notice and objections
Cracken will provide mandatory email notice of material sub-processor changes to the relevant customer contact. Customers may object on legitimate data-protection grounds by contacting privacy@cracken.ai. Cracken will work in good faith to address the objection, provide a reasonable alternative where feasible, or handle the affected service according to the Agreement and DPA.
Contact: privacy@cracken.ai
