
A sub-processor is a third-party service Altx engages to process personal data on our behalf as we deliver Notifyce. Every sub-processor with access to your personal data operates under our master Data Processing Agreement (ACPL/DPDPA/R601) in addition to its own DPA where applicable. This page is the source of truth for the current list and is updated whenever we engage a new sub-processor.

The full Record of Processing Activities (RoPA) that maps each sub-processor to the specific activities it serves is maintained internally and made available to regulators and to enterprise customers under NDA.

1. Production Infrastructure

| Sub-Processor | Service Provided | Country of Processing | Safeguards / Attestations |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure — compute, databases (SQL Server), object storage (S3 / altxinvoices bucket), KMS for encryption keys, Secrets Manager, GuardDuty, CloudWatch, SES for transactional email. | India (region ap-south-1, Mumbai) | SOC 2 Type II; ISO 27001 / 27017 / 27018; PCI-DSS |

2. Government Portals & Tax APIs

| Sub-Processor | Service Provided | Country of Processing | Safeguards / Attestations |
|---|---|---|---|
| Government of India portals (Income Tax e-filing, GST portal, TDS portal) | Automated retrieval of notices and submission of responses on behalf of the CA Firm using credentials the CA Firm provides. | India | Statutory portals operated by the relevant Indian government authority. |
| TaxPro GST API (Chartered Information Systems) | Filing-status checks and GSTR-data retrieval via API. | India | Contractual safeguards; Indian-domiciled provider. |

3. AI Providers

AI providers are invoked only when a CA Firm user uses an AI feature. Prompts (which include notice content) are sent ephemerally to the relevant provider; outputs are returned and stored against the notice record in Altx’s systems. We have contractually instructed each provider that identifiable Customer Data may NOT be used to train shared models without our explicit consent.

| Sub-Processor | Service Provided | Country of Processing | Safeguards / Attestations |
|---|---|---|---|
| Anthropic PBC (Claude API) | Primary AI provider — notice analysis, AI-generated draft responses, case-law citations. | United States | Anthropic DPA; SOC 2 Type II; no training on identifiable customer data. |
| OpenAI | Alternate AI provider per workload configuration. | United States | OpenAI DPA; SOC 2; no training on identifiable customer data without consent. |
| Google LLC (Gemini API) | Fallback AI provider. | United States / Google global regions | Google Cloud DPA; ISO 27001 / 27018; SOC 2. |

4. Corporate & Operational Services

| Sub-Processor | Service Provided | Country of Processing | Safeguards / Attestations |
|---|---|---|---|
| Google LLC (Google Workspace) | Corporate email, calendar, Drive (for support communications, ISMS / DPDPA documentation, HR records). Not used to store Notifyce product data. | Google data regions (subject to Workspace data-region configuration) | Google Workspace DPA; ISO 27001 / 27018; SOC 2. |
| Payment gateway for Notifyce subscriptions (Razorpay, or other Indian gateway as confirmed at sign-up) | Card / UPI / netbanking payment processing for Indian customers. Card data is captured directly by the gateway; Altx sees only transaction metadata. | India | PCI-DSS Level 1; RBI-regulated payment system provider. |

5. Legal & Regulatory Authorities

Where required by law — court orders, lawful statutory requests, regulator inquiries — we may disclose personal data to Indian authorities (Income Tax Department, GSTN / tax authorities, CERT-In, Data Protection Board of India, police and courts). These disclosures are not made on our instructions; they are mandated by law. We log every such disclosure for audit purposes.

6. Cross-Border Processing

All primary processing of personal data and end-client tax records is hosted in AWS region ap-south-1 (Mumbai, India). The AI providers (Anthropic, OpenAI, Google Gemini) and Google Workspace process limited data outside India under their own Data Processing Agreements. We monitor restricted-country notifications issued by the Data Protection Board of India under Section 16 of the DPDPA and will update this page on any change.

7. Notification of Changes

When we engage a new sub-processor that handles personal data, we update this page before the new sub-processor begins processing. For material changes that introduce a new purpose, a new sensitive data category, or a new cross-border transfer, we will notify our customers by email at least 30 days in advance and, where required by law, obtain fresh consent before the change takes effect.

8. Questions

For questions about our sub-processors or to request a copy of an executed DPA under NDA:

Data Protection Officer: dpo@altx.one

Privacy queries: privacy@altx.one