Sub-Processors
Last updated: March 26, 2026
Kosmatic Inc. ("Kosmatic") uses the following third-party sub-processors to deliver the Auraflow platform. Each sub-processor has been vetted for appropriate data protection practices and is bound by data processing agreements consistent with GDPR, CCPA, and other applicable privacy laws.
We will provide 30 days' written notice before adding a new sub-processor. Customers may object within 14 days of notice per the terms of our Data Processing Agreement.
Infrastructure
| Sub-Processor | Service | Location | Data Processed | DPA/Certifications |
|---|
| Render | Cloud hosting (compute, storage, managed PostgreSQL, managed Redis) | United States (Oregon) | All platform data (encrypted at rest AES-256, in transit TLS 1.3) | SOC 2 Type II |
E-Commerce Platform
| Sub-Processor | Service | Location | Data Processed | DPA/Certifications |
|---|
| Shopify Inc. | E-commerce platform integration, OAuth, Billing API, webhooks | United States / Canada | Store metadata, customer data (as authorized), order history, Script Tag hosting | Shopify DPA |
Marketing Integrations
| Sub-Processor | Service | Location | Data Processed | DPA/Certifications |
|---|
| Klaviyo | Email marketing automation | United States | Email address, behavioral archetype, segment membership, CLV estimate, suggested playbook | Klaviyo DPA, SOC 2 |
| HubSpot | CRM integration | United States | Email address, name, archetype, segment, CLV, engagement data | HubSpot DPA, SOC 2 |
| Meta Platforms (Facebook) | Advertising optimization via Conversions API (server-side) | United States | Hashed email (SHA-256), hashed phone (if available), conversion events. No raw behavioral data. | Meta Data Processing Terms |
| Google LLC | Google Analytics 4 (Measurement Protocol), Google OAuth, Google Ads (audience sync) | United States | Anonymized usage events, OAuth profile (name, email), hashed identifiers for audience matching | Google DPA |
| Slack (Salesforce) | Merchant notifications | United States | High-intent visitor alerts (archetype, score) sent to Merchant's own Slack workspace via incoming webhook | Slack DPA |
AI Processing
| Sub-Processor | Service | Location | Data Processed | DPA/Certifications |
|---|
| Anthropic | AI processing via MCP for AI Workflows and chat-based analytics | United States | Merchant-scoped analytics queries. No End User PII used for model training. | Anthropic Terms |
Transactional Email
| Sub-Processor | Service | Location | Data Processed | DPA/Certifications |
|---|
| SMTP Provider | Transactional email delivery (login codes, password resets, breach notifications) | Varies by configuration | Merchant email address, email content (codes/links) | Configured per merchant |
Changes to This List
| Date | Change |
|---|
| March 26, 2026 | Updated Privacy Policy, Terms of Service, and Cookie Policy with automated decision-making disclosures per GDPR Article 22. |
| March 23, 2026 | Added Anthropic (MCP AI processing), SMTP Provider (transactional email). Added DPA links for all processors. |
| March 4, 2026 | Initial list published. |
Questions?
If you have questions about our sub-processors or wish to object to a new sub-processor, contact support@kosmatic.com.