Sub-Processor List

Armour Consortium AI - Cart Recovery API
Legal Basis: Article 28(2) UK GDPR / EU GDPR | Last Updated: December 2025

1. Overview

Armour Consortium AI engages the following sub-processors for the Cart Recovery API service. By using our API, you consent to the use of these sub-processors.

2. AI/Ensemble Sub-Processors

These sub-processors are used for content generation:

Sub-Processor	Service	Purpose	Location	Transfer Mechanism	DPA Status
Anthropic	Claude	AI Content Generation	USA	Standard Contractual Clauses	Active
Google	Gemini	AI Content Generation	USA/EU	Standard Contractual Clauses	Active
OpenAI	GPT-4o	AI Content Generation	USA	Standard Contractual Clauses	Active
xAI	Grok 4	AI Content Generation	USA	Standard Contractual Clauses	Active

2.1 Data Minimisation

When data is sent to AI model providers:

Sent to AI Models	NOT Sent to AI Models
First name	Email address
Cart items (titles, prices)	Phone number
Cart value	Customer ID
Brand voice setting	Full address
Currency	Order history

Key protections:

No direct identifiers beyond first name are transmitted
Phone numbers and emails remain on our servers only
Cart data is contextual, not tied to identity

3. Payment Sub-Processors

Sub-Processor	Service	Purpose	Location	Transfer Mechanism	DPA Status
Coinbase	x402 Protocol	Payment verification for API calls	USA	Standard Contractual Clauses	Active
Stripe	Payment Gateway	Subscription billing	USA	Standard Contractual Clauses	Active

4. Infrastructure Sub-Processors

Sub-Processor	Service	Purpose	Location	Transfer Mechanism	DPA Status
Replit	Hosting	API hosting and execution	USA	Standard Contractual Clauses	Active
Neon	PostgreSQL	Analytics database	USA/EU	Standard Contractual Clauses	Active

5. Communication Sub-Processors

These are used by subscription customers (not API-only users):

Sub-Processor	Service	Purpose	Location	Transfer Mechanism	DPA Status
Elastic Email	Email Delivery	Email sending for subscribers	USA/EU	Standard Contractual Clauses	Active
Plivo	SMS Delivery	SMS sending for subscribers	USA	Standard Contractual Clauses	Active

Note: API-only users handle their own message delivery. These sub-processors only apply to specific Armour Consortium AI subscribers where we handle full orchestration.

Note: Merchants using their own ESP/SMS provider (e.g., Klaviyo) bypass these entirely.

6. Security and Transfer Safeguards

6.1 Standard Contractual Clauses

All US-based sub-processors have signed EU Standard Contractual Clauses (SCCs) as approved by the European Commission. The UK IDTA addendum is applied where required.

6.2 Supplementary Measures

Measure	Implementation
Encryption	TLS 1.3 for all transfers
Data Minimisation	Only necessary data transmitted
Transient Processing	No persistent storage at sub-processors
Access Controls	API-based access only

6.3 Transfer Impact Assessment

A Transfer Impact Assessment has been conducted for each sub-processor, considering:

Nature of data transferred
Recipient country legal framework
Supplementary measures in place
Practical enforcement risks

7. Sub-Processor Changes

7.1 Notification

We will update this page when sub-processors change. Material changes will be announced via:

Update to this page
Email to subscription customers (where applicable)

7.2 Objection Right

If you object to a new sub-processor:

Contact us at hello@armourconsortium.ai
We will discuss alternatives where feasible
If no resolution, you may terminate the service

8. Due Diligence

We conduct the following due diligence on sub-processors:

Check	Frequency
Security certifications (SOC 2, ISO 27001)	Annual
DPA/contract review	At engagement, then annual
Privacy policy review	Annual
Incident response capability	At engagement

9. Version History

Version	Date	Changes
1.0	December 2025	Initial sub-processor list

10. Contact

For questions about our sub-processors:

Email: hello@armourconsortium.ai

This list is maintained as required by Article 28(2) UK GDPR and EU GDPR.