Legal

LLM Sub-Processor Data Flow

Last updated: April 19, 2026

1. Purpose

This page provides data-flow transparency for the LLM sub-processors referenced in our Privacy Policy and Data Processing Agreement. It describes what data Intended may transmit to those sub-processors during intent compilation, how that data is constrained, the contractual safeguards Intended has executed, and how customers can opt out of LLM-assisted processing entirely. Publishing this page satisfies a commitment made in both the Privacy Policy and the Security Addendum; Intended will update it whenever the set of LLM sub-processors, the data categories transmitted, or the contractual posture changes.

2. Current LLM sub-processors

As of the Last Updated date of this page, Intended uses the following LLM sub-processors for the bounded purpose described in Section 3 below:

OpenAI, L.L.C. — https://openai.com — United States — purpose: intent compilation and classification where the natural-language intent cannot be deterministically parsed by Intended's rule-based backend.
Anthropic, PBC — https://anthropic.com — United States — purpose: intent compilation fallback and confidence repair when OpenAI is unavailable or its output fails Intended's confidence threshold.

3. What data is transmitted

Only the natural-language intent string submitted by the customer's agent is transmitted to the LLM sub-processor, together with a fixed system prompt that constrains output to Intended's structured intent schema. The following data categories are NEVER transmitted to LLM sub-processors:

Authority tokens, credentials, API keys, or any other shared secret.
Audit ledger entries, decision records, risk scores, or policy evaluation traces.
Personally Identifiable Information (PII) beyond what is present in the natural-language intent string itself (names, email addresses, or ticket identifiers inside a customer-authored prompt).
Connector credentials, third-party API tokens, or any material stored in Intended's Secrets Manager or KMS-encrypted stores.
Historical intents, prior decisions, or any cross-customer data.
Customer billing, contract, or account metadata.
Any data labelled 'Sensitive' by a deployed domain policy pack unless the policy pack explicitly opts into LLM processing for that data category.

4. Processing boundary

LLM sub-processor calls occur only inside the Intent Compilation stage of the authority runtime and only when the deterministic (rules-based) backend fails to produce a confident classification. The LLM response is parsed into Intended's structured intent schema, validated against a confidence threshold, and discarded from memory at the end of the request. No LLM response material is persisted to the audit ledger; only the structured, post-compilation intent record is persisted. If the LLM response fails the confidence threshold, the request is fail-closed (see docs/security/threat-model.md) and escalated to human review rather than executed.

5. Contractual safeguards

Intended has executed a Data Processing Addendum with each LLM sub-processor. Both DPAs incorporate the following commitments:

No training, fine-tuning, evaluation, or model improvement on Customer Data. Both providers are contractually prohibited from using data submitted via Intended's API to train or improve any model, whether by default or as an opt-in.
Retention limited to the processing window. Data is retained only for the duration necessary to return a response and is then discarded. Provider-side abuse-monitoring windows do not exceed 30 days.
Sub-sub-processor flow-down. Both providers require any downstream sub-processors to meet equivalent data-handling obligations.
Breach notification. Sub-processor must notify Intended within 72 hours of confirmed breach affecting Customer Data.
Deletion on termination. Sub-processor must delete all Customer Data within 90 days of contract termination, subject to any legal-hold obligations.

6. Opt-out mechanism

Customers may opt out of LLM-assisted intent compilation in two ways. Both are supported without contract amendment; the opt-out applies to the entire tenant and may be enabled or disabled by any tenant Owner or Admin role.

Per-tenant feature flag: in the Operator Console, navigate to Settings → Privacy → 'LLM-assisted intent compilation' and toggle off. When off, intent compilation falls back to rules-only mode. Intents that the deterministic backend cannot classify are fail-closed and escalated for human review rather than routed to OpenAI or Anthropic.
Per-request header: inbound API requests may include the header `X-Intended-Disable-LLM: 1` to disable LLM fallback for that specific request. Useful for testing or for a tenant that wants to batch-process without any LLM traffic while keeping the feature enabled for interactive use.

7. Changes and customer notice

Intended treats changes to the LLM sub-processor list, the data categories transmitted, or the opt-out mechanism as material changes to the Subprocessor List, subject to the 30-day advance-notice and objection-rights procedure defined in the Subprocessor List (/legal/subprocessors, Section 2). Customers subscribed to subprocessor notifications will be notified by email; material changes are also logged in the Change Log section of the Subprocessor List.

8. Contact

Questions about this page, about LLM sub-processor data handling, or about exercising the opt-out may be directed to dpa@intended.so. Data-subject rights requests (access, deletion, rectification) follow the process documented at /legal/privacy and are fulfilled within the statutory windows described there.