Sub-Processors
Last updated: May 30, 2026
The following third parties process limited CloudPath Academy user data on our behalf. We require each sub-processor to maintain at least the same data-protection standards we apply ourselves, and we maintain an executed Data Processing Agreement with every entity that processes personal data of EU/UK residents. Executed DPAs / SCCs are available on request to privacy@cloudpathportal.com.
We provide 30 days' notice of new or changed sub-processors via this page. To subscribe to changes, email privacy@cloudpathportal.com with the subject “Sub-processor notifications”.
Amazon Web Services (AWS)
- Purpose
- Infrastructure hosting: ECS Fargate, RDS Postgres, S3, ALB, CloudWatch.
- Data processed
- All user data stored at rest (Postgres), images / certificates (S3), application logs (CloudWatch).
- Location
- us-east-1 (United States)
- Transfer mechanism
- EU-US Data Privacy Framework certification + Standard Contractual Clauses (Module 2 controller-to-processor).
Neon
- Purpose
- Managed serverless PostgreSQL.
- Data processed
- User account records, enrollments, lesson progress, subscriptions, grading verdicts.
- Location
- US region
- Transfer mechanism
- Standard Contractual Clauses per Neon DPA.
Stripe
- Purpose
- Payment processing, subscription billing, invoicing.
- Data processed
- Customer email, payment method tokens, billing address, last-4 + brand of card. CloudPath never sees raw card numbers.
- Location
- Global, primary US.
- Transfer mechanism
- EU-US Data Privacy Framework certification + Standard Contractual Clauses. PCI DSS Level 1 service provider.
Anthropic
- Purpose
- AI chat / Ask Onyx, AI grading on the four grader paths, content generation.
- Data processed
- Lesson context, student submissions (assignment text, internship artifacts), career-tool prompts. We do NOT pass user names or email to Anthropic.
- Location
- US
- Transfer mechanism
- Standard Contractual Clauses via Anthropic Data Processing Agreement. API request logs may be retained by Anthropic per their published retention schedule (typically up to 30 days for trust-and-safety review); CloudPath does not control upstream retention.
OpenAI
- Purpose
- Whisper transcription + TTS for internship dialogue + /tutor voice mode.
- Data processed
- Audio uploads from the voice-tutor + internship simulation surfaces; generated audio responses.
- Location
- US
- Transfer mechanism
- Standard Contractual Clauses via OpenAI Data Processing Agreement.
Resend
- Purpose
- Transactional email delivery (welcome, verification, payment-failed, cancellation, weekly digest, founder KPI report, contact form notifications).
- Data processed
- Recipient email address, name, email body content.
- Location
- US (primary)
- Transfer mechanism
- Standard Contractual Clauses via Resend DPA.
PostHog
- Purpose
- Product analytics, conversion funnels, session replay (when explicitly enabled).
- Data processed
- Pseudonymous user id (PostHog distinct_id), pageviews, event properties (URL with PII params scrubbed before send), device + browser metadata. Only loaded after analytics cookie consent.
- Location
- EU instance (eu.posthog.com) when configured for EU users; US instance otherwise.
- Transfer mechanism
- Standard Contractual Clauses per PostHog DPA. EU residents are routed to eu.posthog.com to avoid international transfer.
Meta (Facebook)
- Purpose
- Advertising pixel for audience targeting on the landing page.
- Data processed
- Pageview events with the URL and standard browser metadata. Only loaded after analytics cookie consent and only if NEXT_PUBLIC_META_PIXEL_ID is configured.
- Location
- Global, primary US.
- Transfer mechanism
- EU-US Data Privacy Framework certification + Standard Contractual Clauses.
LinkedIn
- Purpose
- Insight Tag for B2B retargeting on the landing page.
- Data processed
- Pageview events with the URL. Only loaded after analytics cookie consent and only if NEXT_PUBLIC_LINKEDIN_PARTNER_ID is configured.
- Location
- Global, primary US.
- Transfer mechanism
- EU-US Data Privacy Framework certification + Standard Contractual Clauses.
IONOS
- Purpose
- DNS hosting for cloudpathportal.com.
- Data processed
- DNS resolution metadata only. No user content.
- Location
- EU (Germany)
- Transfer mechanism
- Not applicable — DNS lookup traffic only.