Subprocessors
This page lists the third-party subprocessors Fimil, Inc. engages to Process Customer Personal Data in connection with the Service, as referenced in our Data Processing Agreement and Privacy Policy. We impose data-protection obligations on each subprocessor that are no less protective than those in our DPA.
Subprocessors that process customer data
| Subprocessor | Role | Location | Reference |
|---|---|---|---|
| DigitalOcean | Cloud infrastructure: compute, Kubernetes, managed PostgreSQL, container registry, and backup storage | United States | DPA |
| Cloudflare | CDN, DNS, edge security, and cookieless traffic analytics | Global (anycast) | DPA |
| Anthropic | LLM inference for AI-assisted features (penetration-test agent reasoning, finding triage, remediation suggestions, security chat) | United States | Terms |
| Stripe | Payment processing and billing | United States | DPA |
| GitHub | Source-code integration (OAuth/App), CI/CD, and pull-request automation | United States | DPA |
| GitLab | Source-code integration (OAuth) | United States | Privacy |
| Atlassian (Bitbucket) | Source-code integration (OAuth) | Global | DPA |
| Resend | Transactional email delivery | United States | DPA |
| PostHog | Product analytics (consent-gated) | United States | DPA |
| Telegram | Operational alert delivery for security/scope events | Global | Privacy |
An alternative LLM provider, DigitalOcean Gradient AI (United States), may be configured in place of Anthropic for self-hosted deployments. It is covered by the DigitalOcean DPA above.
Services that do not process customer personal data
For transparency, the Service also relies on the following third parties, which do not receive Customer Personal Data:
- FIRST.org (EPSS) — vulnerability exploit-probability lookups by CVE identifier only.
- PyPI and Docker Hub — public distribution of software packages and scanner container images.
Changes and notice
We will update this page when we add or replace a subprocessor. Customers under our DPA may subscribe to notice of changes and may object on reasonable data-protection grounds as described in the Data Processing Agreement. Questions: privacy@fimil.dev.