Annexo
← Home
Legal

Sub-processors

Last updated: 2026-06-23

To run Annexo we rely on a small number of third-party providers that process personal data on our behalf and under our instructions. Under Article 28 of the EU General Data Protection Regulation (GDPR) these are our sub-processors. Each is bound by a data-processing agreement, may only process data for the purpose listed below, and may not use it for its own ends.

The list below is complete and current. We keep it deliberately small and honest: there are no advertising trackers, no third-party analytics cookies, and no data brokers in it. Our only analytics are Vercel Web Analytics, which is cookieless and aggregate and builds no cross-site profile.

Current sub-processors

NameService / purposeLocation / regionTransfer safeguard
Vercel Inc.Application hosting, content delivery, serverless function logs, and cookieless aggregate usage analytics (Vercel Web Analytics — no cookies, no cross-site profiling)USA (EU compute region pinned: fra1 / Frankfurt)EU Standard Contractual Clauses / EU–US Data Privacy Framework where certified
Upstash, Inc.Managed Redis store for the Fleet platform — registered-agent records and monitoring state (the customer's agent API key is never written to it)EU region (Frankfurt)EU region pinned; EU Standard Contractual Clauses for any provider-side support access
Resend (Plus Five Five, Inc.)Transactional & lead-notification email deliveryUSAEU Standard Contractual Clauses
OpenAI, L.L.C.LLM evaluation (judging) of agent probe responses in the verification & readiness engines (API; not used to train models)USAEU Standard Contractual Clauses
ImprovMX SASInbound email forwarding for annexo.eu (hello@ / legal@)EU / USAEU Standard Contractual Clauses

Where a provider is based in or routes data through the United States, the transfer outside the EU/EEA is protected by the safeguard named in the final column — the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and/or the EU–US Data Privacy Framework where the provider is certified. Application compute is pinned to the EU region (fra1, Frankfurt), and the Fleet platform's durable store (Upstash) is pinned to an EU region. A customer's agent API key in the verification console is held only in memory for a single request and is never written to any sub-processor.

Notice of new sub-processors

Before we add or replace a sub-processor that processes customer personal data, we will give reasonable advance noticeby updating this page and the “last updated” date above. If you have a data-processing agreement with us, you may object on reasonable data-protection grounds within the notice period; we will work with you in good faith to address the concern, and if it cannot be resolved you may terminate the affected service.

Related documents

This page forms part of, and should be read together with, our Data Processing Agreement (Art. 28 GDPR terms and security measures) and our Privacy Policy (what we process, why, and your rights). For our legal entity and contact details, see the Impressum.

← All legal documents·Home

About Annexo

Annexo is the independent trust layer for AI agents: it verifies how a third party’s AI agent actually behaves with live tests, watches it for drift, and produces audit-ready evidence for buyers, regulators and insurers. Every result is observed behaviour at the time of testing — never a certification, conformity assessment, guarantee, or legal advice. Annexo is not a notified body.

Frequently asked questions

What is Annexo?
Annexo is an independent trust layer for AI agents. It verifies how a third party’s AI agent actually behaves with live behavioural probes, watches it for drift over time, and produces audit-ready assurance evidence a buyer, regulator or insurer can rely on. The thesis is simple: a builder cannot credibly grade its own homework, so verification has to be independent.
Who is Annexo for?
EU and DACH enterprises deploying AI agents in regulated settings — insurance, banking, industrial — and the consultancies that build agents for them. Later, insurers underwriting agent risk.
How does Annexo verify an AI agent?
Point the verify console at your own AI agent endpoint or run a built-in sample agent. A live probe battery runs against it — prompt injection, tool poisoning, guardrails under pressure, AI disclosure, PII handling, request logging — and resolves into an evidence dashboard. Your agent’s API key is held in memory for that one request only and is never stored.
Does Annexo certify or guarantee that an AI agent is compliant?
No. Annexo is not a notified body and does not certify, guarantee, or give legal advice. Every result is observed behaviour at the time of testing, reported as a status — holding, watch, or surfaced — never a pass/fail verdict or a conformity assessment.
What about EU regulations like the EU AI Act, GDPR, DORA and NIS2?
Annexo also produces done-for-you EU conformity dossiers — the evidence and technical documentation mapped to the EU AI Act, GDPR, DORA and NIS2, produced from your system and audit-ready. It is the deliverable, not a substitute for your own counsel or a conformity assessment body.
Where is Annexo’s data processed?
In the EU. Compute runs in the Frankfurt (fra1) region and persisted data uses an EU-region store, in line with EU data-residency expectations.