Skip to content

Legal

Subprocessor List

Last updated: April 17, 2026

Third parties that process Intended Customer Data on behalf of Intended, Inc., in accordance with the Data Processing Agreement.

1. Purpose and scope

This page enumerates third parties that process Customer Data on Intended's behalf, in accordance with the Data Processing Agreement (available at /legal/dpa) and in furtherance of GDPR Article 28, UK GDPR Article 28, CCPA/CPRA service-provider requirements, LGPD Article 32, and comparable state and international data protection laws. This Subprocessor List identifies all active subprocessors engaged by Intended, together with their purpose and location. The list is updated from time to time, and changes are notified to Customers in accordance with the procedures set forth in Section 2 below.

2. Notification mechanism and objection rights

Intended notifies Customers of subprocessor changes as follows:

  • Subscription: Customers may subscribe to notifications of subprocessor changes by sending an email to dpa@intended.so with the subject line "SUBPROCESSOR NOTIFICATIONS" from an authorized account administrator.
  • Notice: Intended will post changes to this page with a dated entry in the Change Log (Section 9) and send email notification to all subscribed Customers.
  • Material changes: For material changes to existing subprocessors (e.g., change of subprocessor, significant change in processing scope or location), Intended provides thirty (30) days' advance written notice.
  • Objection rights: Upon notice of a material change, Customer may object in writing to dpa@intended.so within twenty (20) days, with a reasonable basis for the objection. If the parties cannot agree on an alternate subprocessor or arrangement, Customer may terminate the affected Services without penalty, with a pro-rata refund of prepaid fees for the affected Services, in accordance with DPA Section 6.
  • Non-material changes: Changes that do not materially expand processing scope or change location (e.g., sub-subprocessor updates, security certifications) may be posted to this page without advance notice.

3. Active subprocessors

The following subprocessors are actively engaged and may receive Customer Data in accordance with the purposes and safeguards described below.

  • Amazon Web Services, Inc.

    Purpose: Cloud infrastructure hosting, compute, storage, databases (RDS PostgreSQL), key management (AWS KMS), and managed services (S3, CloudWatch, CloudTrail)

    Location: United States (primary: us-east-1 region; enterprise customers may select additional AWS regions)

    Safeguards: AWS maintains SOC 2 Type II attestation, ISO 27001 certification, PCI DSS Level 1 compliance, and HIPAA eligibility. Intended has executed the AWS Customer Agreement, Data Processing Addendum, and incorporated Standard Contractual Clauses (Module Two, Processor-to-Processor) for sub-subprocessor arrangements. Encryption at rest (AES-256-GCM) and in transit (TLS 1.3) enforced.

  • Stripe, Inc.

    Purpose: Payment processing, subscription billing, tax calculation (Stripe Tax), and payment method tokenization

    Location: United States

    Safeguards: Stripe maintains PCI DSS Level 1 certification, SOC 1 Type 2 and SOC 2 Type 2 attestations. Intended has executed Stripe's Data Processing Agreement. Stripe does not retain full payment card data; Intended stores only tokens.

  • Resend, Inc.

    Purpose: Transactional email delivery (account notifications, password resets, MFA codes, audit alerts, and policy escalation notifications)

    Location: United States

    Safeguards: Intended has executed a Data Processing Addendum with Resend. Email transmission secured with TLS. SPF, DKIM, and DMARC configured. Resend does not train models on email content.

  • Twilio Inc.

    Purpose: SMS notifications and delivery (optional; used only when Customer enables SMS-based multi-factor authentication (MFA) or SMS escalation notifications)

    Location: United States

    Safeguards: Twilio maintains SOC 2 Type 2 certification. Intended has executed Twilio's Data Processing Agreement. Processing limited to phone number and message content. SMS data encrypted in transit.

4. Conditional subprocessors

The following subprocessors are invoked only when Customer explicitly enables or uses optional features. These subprocessors receive Customer Data only when the feature is active. Intended notifies Customers of conditional subprocessor engagement via the notification mechanism in Section 2.

  • OpenAI, L.L.C.

    Purpose: Natural-language intent compilation: LLM processing of intent descriptions to produce structured IntentRequest objects for policy evaluation. Invoked only when Customer uses natural-language intent compilation feature.

    Location: United States

    Safeguards: Intended has executed OpenAI's API Data Processing Addendum. OpenAI does not train models on Customer Data and does not retain API request data by default (30-day retention policy applies per OpenAI DPA). Standard Contractual Clauses (Module Two) incorporated for transfers from EEA/UK/Switzerland. Customer Data is never logged or stored by OpenAI beyond the API request window.

    Opt-out: Customer may opt out of LLM-based intent compilation and instead use rules-only mode, in which Customer Data is not forwarded to OpenAI.

  • Anthropic, PBC

    Purpose: Alternative/pluggable large language model (LLM) backend for natural-language intent compilation. Invoked only when Customer selects Anthropic as the LLM provider (instead of or in addition to OpenAI).

    Location: United States

    Safeguards: Intended has executed Anthropic's Commercial Terms and Data Processing Addendum. Anthropic does not train models on Customer Data and does not retain API request data where zero-retention is configured. Standard Contractual Clauses incorporated for transfers from EEA/UK/Switzerland. Customer Data is never logged or stored by Anthropic beyond the API request window.

    Opt-out: Customer may opt out of LLM-based intent compilation and instead use rules-only mode.

5. Reserved subprocessors (not currently active)

The following subprocessors are integrated into Intended's codebase and available for future use, but are NOT active in production as of the Last Updated date. No Customer Data is currently forwarded to these subprocessors. Any future activation will be preceded by Customer notification in accordance with Section 2 before any Customer Data is processed.

  • PostHog, Inc. — Product analytics and event collection. Status: Environment configuration disables all data forwarding; integration present in code but inactive.
  • Twilio Segment / Segment.io, Inc. — Event pipeline and data warehouse routing. Status: Environment configuration disables all data forwarding; integration present in code but inactive.

As of the Last Updated date, no analytics, event pipeline, or similar subprocessors receive Customer Data. Any future activation will be preceded by the notification procedure in Section 2 and updates to this List.

6. Intended group entities

Intended, Inc. (a Delaware corporation, registered office 2261 Market Street, San Francisco, CA 94114, USA) is the primary contracting entity and acts as the data processor on behalf of Customer (the data controller).

  • Future affiliates: Any future affiliates or subsidiaries of Intended that access Customer Data will be bound by intra-group data transfer agreements providing equivalent data protection obligations to those in this List and the DPA. Such additions will be notified via the mechanism in Section 2.

7. International data transfer safeguards

Intended processes Customer Data in the United States. For Customers whose operations are based in jurisdictions with legal transfer restrictions (European Economic Area, United Kingdom, Switzerland), Intended implements the following safeguards:

  • European Economic Area: Intended relies on Standard Contractual Clauses (SCCs) as approved by the European Commission (Implementing Decision (EU) 2021/914), Module Two (Controller-to-Processor), incorporated by reference in the DPA Section 8.
  • United Kingdom: Intended relies on the UK International Data Transfer Addendum (UK IDTA), Version B1.0, Module Two, as issued by the UK Information Commissioner's Office under Section 119A of the UK Data Protection Act 2018, supplementing the SCCs.
  • Switzerland: Intended relies on SCCs as recognized under the Swiss Federal Act on Data Protection (FADP / nDSG), with modifications required by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
  • Supplementary measures: Encryption at rest (AES-256-GCM) and in transit (TLS 1.3), per-tenant database isolation, role-based access control, and fail-closed architecture (as described in DPA Section 5 and Appendix TOMs) provide additional safeguards against government access.
  • Sub-subprocessor transfers: Subprocessors (e.g., AWS) that themselves use sub-subprocessors (e.g., AWS sub-services in other geographies) are contractually required to flow down equivalent SCCs and safeguards per DPA Section 6.1.

8. Post-Schrems II supplementary measures

In addition to Standard Contractual Clauses and UK IDTA, Intended implements the following supplementary technical and organizational measures to address Schrems II requirements and government access risks:

  • Encryption and key management: Customer Data encrypted at rest (AES-256-GCM) and in transit (TLS 1.3). Encryption keys are managed per-tenant with separate RSA key pairs. US government authorities cannot decrypt Customer Data without Intended's active cooperation.
  • Data isolation: Per-tenant database isolation and separate key material prevent aggregation of EU Customer Data with other customers' data, limiting scope of potential government access.
  • Fail-closed architecture: Unresolvable authority evaluations result in denial by default, not approval or bypass, preventing over-inclusive government access through authority decisions.
  • Government access notification: Intended will notify affected Customers of any legal demand (subpoena, FISA order, National Security Letter, or equivalent) requiring disclosure of Customer Data, unless Intended is legally prohibited from doing so. Notification will be sent to dpa@intended.so and to the Customer's designated security contact as soon as legally permissible.
  • Transparency reporting: Intended commits to publishing an annual transparency report for calendar year 2026 and each subsequent year, detailing (in aggregate, non-identifying form): number of government access requests, jurisdiction, type of process, and whether the request was complied with or challenged.
  • Objection and termination rights: Upon notification of government access demands, Customer may object to the compelled disclosure. If Intended cannot accommodate the objection (due to legal prohibition), either party may terminate the affected Services without penalty, with a pro-rata refund.
  • These measures substantially reduce risk of compelled government access but do not eliminate it entirely. Customers with heightened concerns should contact dpa@intended.so to discuss further options (e.g., on-premise deployment, data residency restrictions).

9. Enterprise customizations and opt-outs

Intended supports flexible data governance for enterprise customers.

  • Subprocessor restrictions: Enterprise Customers may, in their Order Form or Master Service Agreement, restrict permitted subprocessors (e.g., 'no LLM subprocessor may process this Customer's data'; 'AWS-only infrastructure'; 'no cross-border transfers'). Intended will honor such restrictions and configure systems accordingly.
  • Rules-only mode: Intended supports a rules-only policy evaluation mode in which Customer Data is not forwarded to any LLM subprocessor (OpenAI or Anthropic). Customers may opt into rules-only mode, limiting processing to Intended-operated systems only.
  • Single-tenant and on-premise deployments: Enterprise customers may negotiate single-tenant deployments or on-premise installation (on Customer-provided infrastructure) to eliminate cloud subprocessor engagement or enforce data residency in specific regions.
  • Bring-your-own-key (BYOK) arrangements: Customers may provide their own encryption keys for at-rest encryption, limiting Intended's access to plaintext data and providing Customer with key material control.
  • Contact Intended's sales or legal team at dpa@intended.so or legal@intended.so to discuss enterprise customizations.

10. Change log

This Change Log tracks updates to the Subprocessor List, including new subprocessors, material changes, and status updates.

  • 2026-04-17: Initial publication of standalone Subprocessor List page. Content migrated from DPA Section 6 inline list. No change in active subprocessor set. Replaces previous inline subprocessor disclosure in DPA.

11. Contact and support

For questions about this Subprocessor List, the DPA, data protection, and privacy:

  • DPA and subprocessor questions: dpa@intended.so
  • General privacy inquiries: privacy@intended.so
  • EU/UK/Swiss data protection authority responses and GDPR/UK GDPR/FDPIC inquiries: eu-privacy@intended.so
  • Legal and contractual matters: legal@intended.so
  • EU Representative (GDPR Art. 27): To be published at /legal/representatives
  • UK Representative (UK GDPR Art. 27): To be published at /legal/representatives
  • Swiss Representative (FADP / nDSG): To be published at /legal/representatives
Subprocessor List | Intended