AskVault sub-processors

Written by Aashiq, Founder, AskVault · Reviewed by Aashiq

Last updated: May 15, 2026 · 4 min read

TL;DR

AskVault uses a small set of SOC 2 Type II certified sub-processors across database, compute, edge, and LLM categories. Specific providers disclosed under NDA via your AskVault Account Manager. Changes notified 30 days in advance per our DPA. Available across all 13 channels.

Sub-processor categories

A sub-processor is a third party that processes customer data on AskVault's behalf. We use a small set, organized into six categories:

• Database and vector storage. Holds workspace content, embeddings, conversations, audit logs.
• Application compute. Runs the AskVault application servers and background workers.
• Edge, DDoS, and DNS. Terminates TLS, mitigates DDoS, routes traffic to our region.
• LLM providers. Used per-query for the generation step in retrieval-augmented answers. Contractually opted out of training on your data.
• Email and notification delivery. Transactional emails (password reset, account confirmation, alerts).
• Payment processing. Subscription billing. We never see card details; the payment processor handles PCI scope.

Each category has a single primary provider plus optional fallbacks for resilience.

Why we don't publish specific provider names publicly

Two reasons:

1. Competitive surface area. Publicly advertising our exact stack helps competitors copy our architecture without investment. We prefer to discuss specifics under NDA.
2. Security through opacity is not security. All providers we use are SOC 2 Type II certified, AES-256 encrypting at rest, TLS 1.3 in transit. The compliance posture is the same regardless of who's underneath. Knowing the specific provider doesn't change the security profile materially.

Procurement teams that need the full list for vendor management can get it under NDA. Email security@askvault.co with your point of contact and timeline.

Where data flows

For a typical AskVault customer query:

1. Visitor message arrives at our edge provider, terminates TLS, forwards to application compute.
2. Application compute authenticates, validates, and forwards to our database for retrieval.
3. Database returns matching content chunks based on vector similarity.
4. Application compute assembles a prompt with the retrieved chunks plus the question, sends to an LLM provider.
5. LLM provider generates the response, returns to application compute.
6. Application compute assembles the final response with citations, returns through the edge to the visitor.

Total data flow: edge -> compute -> database -> compute -> LLM -> compute -> edge -> visitor. All in TLS 1.3 transit.

LLM provider handling

LLM providers are the most-asked-about sub-processor category. Three things to know:

• Contractually opted out of training. Every LLM provider AskVault uses is contracted with their training-opt-out terms in effect. Your data is not used to improve their models.
• Per-query routing. Each query may route to a different LLM provider depending on plan tier, query type, and provider availability. The relationship is per-query, not per-customer.
• Zero retention beyond inference. LLM providers don't retain prompts or responses beyond the duration of the inference call. Confirmed in our DPA with each provider.

For customers requiring private-deployment LLM (data never leaves your infrastructure), Enterprise contracts support self-hosted open-source models.

Geographic data flow

Customer data flows through:

• Primary processing region. Asia-Pacific by default. Compute and database deployed in the same regulatory zone for performance and compliance.
• LLM provider region. Typically US-East or EU, depending on the provider and query. Data crosses regions for the inference step but is not stored at the LLM provider.
• Edge region. Distributed globally via our edge provider's POPs.

For EU data-residency commitments, Enterprise customers can deploy in our EU region (Frankfurt). Available under annual contract.

Change notification process

Per our DPA, AskVault notifies customers 30 days in advance when:

• A sub-processor is added.
• A sub-processor is removed.
• A sub-processor's scope changes materially (e.g., we expand the LLM provider relationship to include training).

Notification methods:

• Email to the workspace owner's account email.
• In-product notification in the dashboard under Settings > Notifications.
• Public changelog entry at askvault.co/legal/sub-processors-changelog (the public version, sanitized for competitive sensitivity).

Customers can object to a sub-processor change. If we cannot resolve the objection within 30 days, you can terminate the affected workspace with data export per our DPA.

Audit reports per sub-processor

Each sub-processor's audit report (SOC 2, ISO 27001, etc.) is available under NDA via your Account Manager. Most enterprise procurement teams want:

• Database provider SOC 2 Type II. Confirms storage-layer encryption, access controls, availability.
• Compute provider SOC 2 Type II. Confirms infrastructure isolation.
• Edge provider SOC 2 Type II + ISO 27001. Confirms network-layer controls.
• LLM provider DPA + opt-out evidence. Confirms your data isn't used for training.

Some sub-processors restrict their audit reports to direct customers only. In those cases AskVault provides a Letter of Confirmation summarizing the relevant controls.

Per-region sub-processor variants

Enterprise customers deploying in non-default regions may have different sub-processor lists. For EU-region deployments:

• Database stays with same provider, EU region.
• Compute stays with same provider, Frankfurt region.
• Edge stays with same provider, EU POPs.
• LLM provider may shift to EU-region inference where available.

The variant list is documented in your Enterprise contract.

How customer data is segregated

Within each sub-processor, AskVault's data is segregated from any other tenant data the sub-processor handles. Database tenancy: separate database instance for Enterprise customers; multi-tenant on a shared instance with hard workspace-level partitioning for standard plans. Compute: per-process isolation; no shared memory across customer requests.

Common questions

Do customer logos show up on the sub-processor's marketing pages?

No. AskVault doesn't share customer information with sub-processors beyond what's required for the service. Customer logos and case studies require explicit customer permission and don't flow through sub-processors.

Are PHI sub-processors covered under our HIPAA BAA?

Yes for Enterprise HIPAA customers. The BAA chain extends from AskVault to each PHI-touching sub-processor with appropriate provider-level BAAs in place.

Can I exclude a specific sub-processor?

For most customers, no. The sub-processor stack is integrated and per-customer exclusion isn't feasible. Enterprise contracts can request specific sub-processor exclusions; we evaluate case by case.

What happens if a sub-processor has a security incident?

AskVault's incident response runbook activates. Customers affected are notified within 24 hours of confirmed breach. Post-incident review is shared on Enterprise plans.

How often does the sub-processor list change?

Rarely. Typically 1 to 2 changes per year. Each change goes through the 30-day notification process.

Related guides

• Security overview
• SOC 2 Type II posture
• GDPR at AskVault
• HIPAA at AskVault
• SLA breakdown per plan

Talk to our compliance team

We can sign DPA, support BAA, and configure SSO for Enterprise contracts.

Talk to sales → View pricing

Was this page helpful? Yes No