Sub-processor List

Effective date: July 9, 2026

Company/product
Cracken / https://cracken.ai
Legal entity
CrackenAGI Ltd.
Registered office
3rd Floor, 1 Ashley Road, Altrincham, Cheshire, United Kingdom, WA14 2DT
Governing law for self-serve terms
England and Wales

1. What is a sub-processor?

A sub-processor is a third party that Cracken engages to process Customer Personal Data on Cracken's behalf to provide, secure, support or improve the services. Cracken remains responsible for sub-processors as required by the Data Processing Agreement.

2. Cracken commitments

Cracken will:

  • perform risk-based security and privacy diligence before engaging sub-processors;
  • enter into written agreements requiring confidentiality, security and data-protection obligations appropriate to the processing;
  • limit sub-processor access to documented purposes;
  • maintain this list with provider, purpose, data categories and processing location;
  • provide mandatory email notice of material sub-processor changes to the relevant customer contact;
  • allow objections based on legitimate data-protection grounds through the DPA process;
  • prohibit AI sub-processors from using Customer Personal Data for their own model training unless disclosed and authorized by the customer agreement or settings.

3. Customer-data sub-processors

ProviderProduct/servicePurposeData categoriesProcessing locationNotes
Microsoft AzureAzure cloud infrastructureMain hosting, compute, storage, networking, security and operational infrastructureAccount data, customer content, logs, technical metadata, security eventsUK SouthMain infrastructure and primary data-residency location
Amazon Web ServicesAWS Bedrock with Anthropic modelsLLM inference and AI-assisted security-analysis workflowsPrompts, retrieved context, selected customer content, scan artifacts and report context as required by enabled featuresUS East and EU West regionsAI sub-processor; contracts/settings should prohibit AWS/Anthropic provider-side model training on Customer Personal Data
Google Cloud PlatformSelf-hosted LLM infrastructureSelf-hosted model inference, customer-specific adaptation and AI workflow processingPrompts, retrieved context, selected customer content, scan artifacts, telemetry and report context as required by enabled featuresEU West regionAI infrastructure for self-hosted LLM processing

4. Controller-side and website service providers

The following providers may process personal data for website analytics, controller-side business operations or non-customer-content purposes. They are disclosed for transparency but may not be sub-processors for Customer Personal Data in all contexts.

ProviderProduct/servicePurposeData categoriesProcessing locationNotes
GoogleGoogle AnalyticsWebsite analytics and reportingWebsite usage events, page views, referrer, approximate location and device/browser informationGoogle processing locationsAnalytics cookies are optional where consent is required
FeaturebaseSupport ticketing and feedback portal at https://crackenai.featurebase.app/Support requests, feedback, high-risk target approval workflows and customer communicationsContact details, ticket content, comments, attachments, metadata and status information submitted by usersFeaturebase processing locationsUsers should avoid submitting secrets or unnecessary sensitive data in support tickets

Cracken does not currently use third-party marketing or retargeting providers.

5. Export/sanctions processing note

Cracken's self-serve export/sanctions baseline restricts access from, for the benefit of, or in connection with: Russia; Belarus; Cuba; Iran; North Korea / DPRK; Syria; Crimea / Sevastopol / occupied or non-government-controlled Ukrainian territories, including Donetsk, Luhansk, Kherson and Zaporizhzhia areas; and any other restricted party, end use, sector, transaction or territory under applicable EAR, ITAR, OFAC, EU, UK, UN or similar rules. Sub-processors may process compliance, logging, security and location signals where needed to operate these controls.

6. AI sub-processor special notice

AI sub-processors may receive prompts, retrieved context, vulnerability evidence, report drafts or other customer content only as needed to provide enabled features. Cracken must contractually restrict AI sub-processors from using Customer Personal Data for their own model training unless the customer has authorized that use or the applicable agreement clearly permits it.

Cracken's self-serve posture is aggregated/de-identified telemetry for self-serve product and system improvement, and separate negotiated permission or applicable customer setting for customer-content training for cross-customer model improvement. Customer content may be used during the subscription for customer-specific model adaptation and customer-specific service improvement. For plans below Pro, optional improvement storage is enabled by default; for Pro plan and higher subscriptions, customers may opt out of optional improvement storage where Cracken makes that control available, subject to operational, security, legal, export/sanctions, abuse-prevention, incident-response and service-delivery retention.

7. Change notice and objections

Cracken will provide mandatory email notice of material sub-processor changes to the relevant customer contact. Customers may object on legitimate data-protection grounds by contacting privacy@cracken.ai. Cracken will work in good faith to address the objection, provide a reasonable alternative where feasible, or handle the affected service according to the Agreement and DPA.

Contact: privacy@cracken.ai