Subprocessor List

This page is the canonical, authoritative list of sub-processors that

Layer Zero Studios engages to process Customer Data on your behalf when

you use the AXIS Business Operating System ("AXIS").

A sub-processor is a third party we use to perform a specific function

in delivering AXIS — for example, to host the database, to deliver email,

to process card payments, or to run AI inference. Where a sub-processor

processes Personal Data, the processing is governed by our

Data Processing Agreement (DPA).

We publish this list as a single source of truth so that customers and

their advisors can monitor it for changes. **Lawyer review required before

publication.**

Primary-source references:

• POPIA — Act No. 4 of 2013, s21 (operator obligations)
• GDPR — Regulation (EU) 2016/679, Art. 28(2), Art. 28(4)
• EU Standard Contractual Clauses (2021) — Commission Implementing Decision (EU) 2021/914

1. Notification commitment

Per DPA §4.4, you provide a general written authorisation for

Layer Zero to engage the sub-processors listed below. We commit to:

• Provide at least 30 days' written notice before adding or replacing

any sub-processor that will process Personal Data on your behalf.

• Notify you by email to the billing contact on file and by updating

this page; the date at the top of the page is always the most recent

revision.

• Maintain a public changelog of additions and removals (see §3

below).

• Allow you to object on reasonable data-protection grounds during

the notice period. If we cannot mitigate your objection together, you

may terminate the affected Service with a pro-rata refund of pre-paid

fees.

To subscribe to change notifications outside the customer email channel,

email privacy@layerzerostudios.com.

2. Current sub-processors

The list below is identical to the one in DPA §6 and supersedes any

older list shipped with a prior version of the DPA where there is a

conflict.

| Sub-processor | Purpose | Location | Personal Data categories |

|---|---|---|---|

| Supabase Inc. | Database, Auth, Vault, Storage | EU-West (Ireland), US control plane | All Customer Data |

| Hostinger International Ltd. | Compute hosting (production VPS) | France | All Customer Data at rest on the application server |

| Anthropic, PBC | AI inference (Claude API) — primary | United States | Customer Data sent in handler prompts (industry, business context, drafts) |

| DeepSeek | AI inference (cost-optimised, sanitised prompts only) | China — see Privacy Policy §6 | NO Personal Data; sanitised prompts only |

| Google LLC | AI (Gemini); customer-connected Calendar / Workspace integrations | United States / Global | AI-prompt content; calendar metadata when customer connects |

| Sendinblue SAS (dba "Brevo") | Transactional and marketing email delivery | European Union (France) | Recipient email, name, message body, delivery and open events |

| Polar Software Inc. | Billing, subscription management, payments | United States | Billing name, email, payment-method last-4, billing address |

| BetterStack (Veriteer Ltd.) | Uptime monitoring and incident alerting | European Union | Operational telemetry; no Customer Data in monitoring payloads |

| Cloudflare, Inc. | DNS, DDoS protection, Turnstile captcha (signup) | Global | Visitor IP address; user-agent at signup time |

| Cal.com, Inc. | Booking and scheduling (when customer integrates) | United States | Attendee name, email, booking time, calendar metadata |

| Slack Technologies, LLC | Operator-internal notifications; customer-connected workspace integrations | United States | Account event metadata for operator alerts; customer-controlled when integrated |

For each sub-processor located outside the EEA, UK, or South Africa, the

legal basis for transfer relies on (a) the **EU 2021 Standard Contractual

Clauses** entered into directly between Layer Zero and the sub-processor,

(b) an adequacy decision under GDPR Art. 45 where one exists, or

(c) explicit consent recorded at the time of integration connection.

Full mechanics are set out in DPA §7 — International data transfers.

3. Changelog

| Date | Change | Reason |

|---|---|---|

| 2026-05-06 | List published as a standalone page (canonical source). Reconciled against DPA §6 — no additions, no removals. | DPA §4.4 references this URL; the page now exists. |

This changelog is append-only. We do not edit historical entries; if a

correction is needed, a new row is added explaining the correction.

4. How to object

If a current or proposed sub-processor is not acceptable to you on

data-protection grounds, write to

privacy@layerzerostudios.com within

the 30-day notice window (or at any time, for a current sub-processor).

Tell us:

• Which sub-processor you object to
• The specific data-protection ground (e.g. cross-border-transfer concern,

jurisdiction, sector-specific rule)

• The Service surfaces or handlers that should be migrated off the

sub-processor

We will respond within 30 calendar days with a mitigation plan

(routing your traffic to an alternative provider where possible) or, if

no mitigation is feasible, with confirmation of your right to terminate

the affected Service with a pro-rata refund.

5. Contact

• privacy@layerzerostudios.com — sub-processor queries, objections, change-notification subscriptions
• hello@layerzerostudios.com — general
• Layer Zero Studios — operator of AXIS