What this page covers
A sub-processor is a third party we engage to process personal data on behalf of customers under GDPR Article 28. Every vendor below is named explicitly, with the purpose they serve, where data lives, and the legal mechanism we rely on for any transfers outside the EEA.
We prefer EU-resident service tiers whenever they exist and are contractually viable. We run on a deliberately small stack — the table below is the complete list, not a highlight reel.
Current sub-processors
| Vendor | Purpose | Data processed | Region | Transfer mechanism |
|---|---|---|---|---|
| Microsoft | Azure hosting, Entra identity, Microsoft Graph, M365 collaboration | Account data, engagement content, operational logs, auth events | EU — West/North Europe | EU-resident; SCCs available as fallback |
| Anthropic | Claude models for agent reasoning | Message content in transit only; not retained for training | US | EU-US Data Privacy Framework (DPF) + SCCs |
| Gemini models (text, audio, video) where engagement requires | Message / audio content in transit only | US / EU | DPF + SCCs | |
| OpenAI (via Azure OpenAI) | GPT models as contracted backup | Message content in transit only | EU (Azure) | EU-resident; no transfer outside EEA |
| GitHub (Microsoft subsidiary) | Code + issue hosting for the agent platform | Source code, operational metadata; no customer content | US | DPF + SCCs |
| Microsoft Azure Application Insights | Cookieless website analytics for public pages only (page views, referrers, performance, JS errors) | IP address (masked at ingestion), User-Agent, URL path, referrer, timing metrics; no cookies, no persistent identifier, no cross-session linkage | EU — Sweden Central | EU-resident; no transfer outside EEA |
Notification of changes
When we intend to add or replace a sub-processor that handles customer personal data, we notify customers at least 30 days in advance. Notification goes to the operational contact named in the engagement contract.
You may object to a new sub-processor for documented reasons. If we cannot resolve the objection, you may terminate the affected service with written notice; the standard termination and data-return clauses in the engagement contract apply.
How to get notified
Customers on an active engagement receive notifications via their operational contact. Others: email privacy@runi.services to be added to a low-volume notification list — only sub-processor changes, nothing else.
Changelog
Added Microsoft Azure Application Insights (Sweden Central) as a sub-processor for cookieless website analytics on public pages only. No cookies are set, no persistent identifier is written, and Do Not Track / Global Privacy Control signals are respected. Resource: runi-services-analytics; retention 90 days.
Initial public list. Includes Microsoft, Anthropic, Google, OpenAI (via Azure), GitHub.