Overview
This page lists all third parties that process personal data on behalf of CIOS Technology AG as sub-processors in the provision of the CIOS AI Personality platform. It is published in line with Article 28(2) and 28(4) GDPR and equivalent provisions of the Swiss revFADP, and is incorporated by reference into the CIOS Data Processing Addendum (DPA) with each customer.
Scope. This list covers sub-processors of the CIOS product. Visitors to the cios.app website are addressed separately in the website Privacy Policy.
Sub-processors
| Sub-processor | Purpose of processing | Hosting region | DPA reference |
|---|---|---|---|
| Google LLC / Google Ireland Ltd | Cloud infrastructure (compute, storage, logging, secrets) and Vertex AI Gemini API for conversation generation. | EU (europe-west); Vertex AI EU endpoints | cloud.google.com/terms/data-processing-addendum |
| Weaviate B.V. | Managed vector database for memory embeddings and retrieval. | EU | weaviate.io/dpa |
| MongoDB Ltd / MongoDB, Inc. | Managed document database for identity, profile, consent and audit records. | EU (Frankfurt or Ireland) | mongodb.com/legal/data-processing-agreement |
| Okta, Inc. (Auth0) | Authentication, session management, multi-factor authentication. | EU tenant region | okta.com / Auth0 DPA |
| Cloudflare, Inc. | CDN, DDoS protection, WAF, DNS. No application payloads at rest. | Global edge; EU routing preferred | cloudflare.com/cloudflare-customer-dpa |
| Anthropic, PBC | Backup large-language-model provider (Claude) for conversation generation. | EU where available; otherwise US under Zero Data Retention | anthropic.com/legal/data-processing-addendum |
| OpenAI Ireland Ltd / OpenAI, L.L.C. | Embedding generation for short topic strings (no generative calls). | OpenAI Ireland (EEA contracting entity); EU residency | openai.com/policies/data-processing-addendum |
Transfer mechanisms
All sub-processors above are established in the EEA, covered by an EU adequacy decision, or contracted under the EU Standard Contractual Clauses. Where a sub-processor is US-based, supplementary safeguards apply, including (where certified) the EU–US Data Privacy Framework and the CIOS PII-redaction layer that minimises personal data sent to LLM providers. UK and Swiss addenda are incorporated where applicable.
How we keep this list current
- New sub-processors require a completed Transfer Impact Assessment, a signed DPA, an updated entry on this page, and at least 30 days’ notice to affected customers before processing begins.
- Vendor references are re-verified at least annually and after any vendor-announced change.
- Customers may subscribe to change notifications via the channel set out in the master DPA.
Contact
Questions, change requests, or DPA queries: [email protected] · CIOS Technology AG, Canton Schwyz, Switzerland.