1. Overview
This register lists all third-party sub-processors engaged by Zeus AI Business Solutions Ltd (“the Supplier”) that process personal data on behalf of customers using the Athena platform.
This register is maintained pursuant to Article 28 of the UK GDPR and forms Annex 3 of the Data Processing Agreement between the Supplier and each Customer.
Customers are notified at least 30 days in advance of any additions or changes to this register, and may exercise their right to object in accordance with the terms of the DPA.
2. Authorised Sub-Processors
| Name | Legal Entity | Processing Purpose | Location | Safeguard | AI Provider |
|---|---|---|---|---|---|
| Supabase | Supabase Inc. | Database hosting, user authentication, file storage, vector search, automated backups | Ireland (eu-west-1) | IDTA / SCCs | No |
| Vercel | Vercel Inc. | Application hosting, serverless API route execution, edge CDN, deployment pipeline | USA (us-east-1) | IDTA / SCCs | No |
| Anthropic | Anthropic PBC | AI-powered document analysis and chat responses (Claude API); technical drawing intelligence (Claude Vision) | USA | IDTA / SCCs | Yes |
| Google (Gemini) | Google LLC | AI document text extraction and processing (Gemini Pro/Flash API) | USA / EU | IDTA / SCCs | Yes |
| OpenAI | OpenAI OpCo LLC | Text embedding generation for semantic search (Embeddings API) | USA | IDTA / SCCs | Yes |
| ElevenLabs | ElevenLabs Inc. | Text-to-speech audio generation for document content playback | USA | IDTA / SCCs | Yes |
| Stripe | Stripe Inc. | Payment processing, subscription management, invoicing | USA / Ireland | IDTA / SCCs | No |
| Resend | Resend Inc. | Transactional email delivery: user invitations, security alerts, system notifications | USA | IDTA / SCCs | No |
| Nango | Nango SAS | OAuth integration broker enabling secure connections to third-party services | EU (France) | UK Adequacy | No |
| Elestio / Hetzner | Elestio SAS / Hetzner Online GmbH | Hosting for workflow automation engine (n8n) | EU (Germany) | UK Adequacy | No |
3. Transfer Safeguards
- IDTA / SCCs: The UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses is in place, ensuring equivalent data protection standards.
- UK Adequacy: The sub-processor is located in a country subject to a UK adequacy decision (EU/EEA member states). No additional transfer mechanism is required.
4. AI Sub-Processor Data Handling
The following commitments apply to all AI sub-processors (Anthropic, Google, OpenAI, ElevenLabs):
- Customer data is processed via API calls only and is NOT used to train, fine-tune, or improve any AI models.
- Data is not retained by the AI sub-processor beyond the duration required to process the individual API request.
- The Supplier uses enterprise/API-tier service agreements with each AI provider, which include explicit prohibitions on the use of input data for model training.
- All data transmitted to AI sub-processors is encrypted in transit using TLS 1.3.
5. Payment Processing
Stripe processes payment card data as an independent data controller under its own privacy policy. The Supplier does not store, process, or have access to full payment card numbers. Stripe is PCI DSS Level 1 certified.
6. Change Log
| Date | Version | Change Description | Notified |
|---|---|---|---|
| May 2026 | 1.0 | Initial register published | N/A (initial) |
7. Contact
Questions about this register? Contact us at lee@askathena-ai.co.uk