Vendor risk

Third-party vendors used by Hydrate, their DPA status, data handling, certifications,
and risk assessment. Reviewed annually or when a vendor updates their DPA or reports
an incident.

Version 1.0 · Effective: 2026-04-24 · Owner: Seamus Waldron · Covers: SOC2 CC8 · Cadence: annual
OpenAI
LLM provider for fact extraction (gpt-4o-mini) and embedding (text-embedding-3-small). Pro tier only. User-configured BYOK.
DPA: Available at platform.openai.com/privacy. No training on API data when a DPA is in place (Enterprise or explicit opt-out).
Sub-processors: Published at openai.com/policies/sub-processors. Major: Microsoft Azure (compute/storage), AWS.
Breach notification: 72 hours to notify affected customers, per the GDPR Art. 33 commitments in the DPA.
Data residency: US-based by default. EU data residency available on request for Enterprise plans.
Certifications: SOC2 Type II, ISO 27001
Risk rating: Medium. Session narrative text is transmitted for extraction. Mitigated by: the scrubber runs before transmission; BYOK means users operate under their own DPA; a local LLM alternative is available so that no data leaves the machine.
Anthropic
Alternative LLM provider for fact extraction (user-configured). Also the vendor of Claude Code, the platform Hydrate runs alongside.
DPA: Available via Anthropic's privacy page. No training on API data under Business/Enterprise terms.
Sub-processors: Published at anthropic.com/legal/subprocessors.
Breach notification: Per DPA commitments.
Certifications: SOC2 Type II
Risk rating: Medium. Same as OpenAI: session narrative text is sent for extraction. The same mitigations apply: scrubber, BYOK, local LLM alternative.
Cloudflare
CDN for gethydrate.dev (static assets), Pro/Enterprise licence key validation, Pages deployment.
DPA: Available in Cloudflare's data processing agreements.
Sub-processors: Published at cloudflare.com/gdpr/subprocessors/.
Data handled: Static asset delivery (no personal data). Licence key token (an anonymised token, not linkable to session content).
Certifications: ISO 27001, SOC2 Type II, PCI DSS
Risk rating: Low. No session content transits Cloudflare. The licence key token is not linkable to session data.
GitHub / GitHub Actions
Source code hosting, CI/CD, release artefact publishing, encrypted secrets for release signing.
DPA: GitHub's DPA is embedded in their Terms of Service for enterprise accounts.
Sub-processors: Published at docs.github.com/en/site-policy/privacy-policies/github-subprocessors.
Certifications: SOC2 Type II, ISO 27001
Data handled: Source code, CI build logs, encrypted secrets (signing certificates). No user session data.
Risk rating: Low. Signing credentials are stored as encrypted secrets. No user PII in CI.
Payment processor
Status: pending. Assessment pending vendor selection. A payment processor has not yet been selected
for Pro tier billing. Candidates: Paddle (merchant of record, simplifies EU VAT handling) and
Stripe (direct processor, requires more EU VAT compliance overhead). When selected, the assessment
will cover: DPA, PCI DSS certification, sub-processor list, breach notification SLA, and
data minimisation scope. No billing or payment data is processed by Hydrate today.
Review process
Each vendor entry is reviewed annually. An out-of-cycle review is triggered when a vendor announces
a security incident, publishes significant changes to their DPA or sub-processor list, or when
regulatory guidance changes (e.g. new SCCs, adequacy decisions). The review outcome is documented
by updating the "Last reviewed" date and noting any changes to the risk assessment.