
HackZero Subprocessor List

Effective date: 2026-06-02
Last updated: 2026-06-02

Plain-language summary. A “subprocessor” is a company we engage to help us run our service, where that company may process some of your data on our behalf (for example, the cloud provider that hosts our servers). This page lists every such company we currently use or plan to use, what it does, what categories of data it handles, and where it processes that data. We publish this list because you have a right to know who touches your data. When we add a new subprocessor or replace an existing one, we give advance notice and an opportunity to object, as described in our Data Processing Addendum at /legal/dpa. You can subscribe to change notifications using the address in Section 9. If you run HackZero inside your own infrastructure (our Compliance or Enterprise self-hosted deployment), several of the subprocessors below do not apply to you (see Section 8).


1. Purpose and scope of this document

This Subprocessor List is published by Agentic Security, Inc., a Delaware corporation, doing business as “HackZero” (“HackZero”, “we”, “us”, or “our”), with its principal place of business at 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States. It applies to the HackZero website at hackzero.ai, the customer dashboard at dashboard.hackzero.ai, and the autonomous penetration-testing and red-team services we provide (together, the “Services”).

This document identifies the third parties (“Subprocessors”) that HackZero engages to process Personal Data and Customer Data in connection with the Services. It is a companion to, and is incorporated by reference into, our Data Processing Addendum at /legal/dpa (the “DPA”), our Privacy Policy at /legal/privacy, and our AI Transparency Notice at /legal/ai. Where this list and the DPA differ, the DPA governs the contractual rights and obligations between HackZero and a Customer; this page is the current, dated, public statement of who those Subprocessors are.

Capitalized terms used but not defined here have the meaning given to them in the DPA. In this document:

  • “Customer” means an organization that has entered into an agreement with HackZero for the Services, including under our Terms of Service at /legal/terms, a Rules of Engagement (“RoE”), or, for Enterprise customers, a Master Services Agreement (“MSA”).
  • “Customer Data” means data a Customer submits to, or that the Services generate or capture during an authorized engagement on behalf of, the Customer, including source code accessed through our read-only GitHub App, target hosts and scan configuration, vulnerability findings and exploit reproductions, captured request and response artifacts, and contract and signing metadata.
  • “Personal Data” means information relating to an identified or identifiable natural person, as that term (and its local equivalents, such as “personal information,” “datos personales,” and “dados pessoais”) is defined under the applicable laws referenced in Section 7.
  • “you” means the individual or organization reading this page, including a website visitor, an Account holder, or a Customer.

2. What a subprocessor is, and our role

When HackZero processes Personal Data on behalf of a Customer, HackZero typically acts as a processor (under Brazil’s Lei Geral de Proteção de Dados, Lei nº 13.709/2018 (“LGPD”), an “operador”; under Mexico’s Ley Federal de Protección de Datos Personales en Posesión de los Particulares (DOF 20-Mar-2025) (“LFPDPPP”), an “encargado”; under the California Consumer Privacy Act as amended (Cal. Civ. Code §§ 1798.100 to 1798.199.100) (“CCPA/CPRA”), a “service provider”; and under Canada’s Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”), a third party to whom data is transferred “for processing”). The Customer is the controller (the “responsable” in Mexico, the “controlador” in Brazil, the “responsable de archivo” in Argentina).

A “Subprocessor” is a third party that HackZero in turn engages to process Personal Data or Customer Data so that HackZero can deliver the Services. The cloud provider that hosts our application and database, the object-storage provider that holds our backups and your reports, and the model provider that performs the artificial-intelligence (“AI”) inference behind our autonomous agents are all examples of Subprocessors.

Under PIPEDA, a transfer of Personal Data to a Subprocessor is treated as a “use” of that data rather than a “disclosure,” which does not require separate consent, but transparency about it is mandatory (Office of the Privacy Commissioner of Canada, Guidelines for processing personal data across borders, 2009, reaffirmed October 2019); this page provides that transparency. HackZero remains accountable for Personal Data transferred to a Subprocessor (PIPEDA, Schedule 1, clause 4.1.3), and our agreements impose data-protection obligations on each Subprocessor that are no less protective than those in the DPA.

No Subprocessor listed in Section 5 receives Personal Data for monetary or other valuable consideration, and HackZero does not “sell” or “share” Personal Data with any Subprocessor as those terms are defined under the CCPA/CPRA. Each Subprocessor is engaged as a service provider that processes Personal Data only to perform the Services on HackZero’s behalf and is contractually restricted from using it for any other purpose. The full description of your opt-out and other rights is in our Privacy Policy at /legal/privacy.

3. Our commitment: advance notice and a right to object

We commit to the following process for changes to this list, which is also stated in the DPA at /legal/dpa:

  1. General authorization. When you enter into the DPA, you provide a general authorization for HackZero to engage the Subprocessors listed in Section 5 and to add or replace Subprocessors in accordance with this Section 3.

  2. Advance notice. Before we authorize a new Subprocessor to process Customer Data, or replace an existing Subprocessor, we will give notice at least thirty (30) days in advance. We provide notice by updating this page (with a revised “Last updated” date) and by sending an email to subscribers (see Section 9). Where a change is material to a Customer’s own regulatory position, that Customer may rely on the same notice to exercise the termination right described in our AI Transparency Notice at /legal/ai for material AI-component changes.

  3. Objection window. A Customer may object to a new or replacement Subprocessor on reasonable, good-faith data-protection grounds by sending written notice to [email protected] within the thirty (30) day notice period. We will work with the objecting Customer in good faith to address the objection, for example by describing additional safeguards or offering an alternative configuration where one is available. If we cannot resolve the objection within a reasonable time, the Customer may, as its sole remedy for the objection, terminate the affected part of the Services in accordance with the DPA, without penalty for that termination. The detailed objection mechanism, including how it interacts with order terms and any minimum commitment, is set out in the DPA at /legal/dpa.

  4. Urgent replacements. If a Subprocessor must be replaced on an emergency basis (for example, because the Subprocessor ceases operations or presents an immediate security or legal risk), we may engage a replacement on shorter notice and will inform subscribers and update this page as soon as reasonably practicable, with the reason for the expedited change.

4. How to read the table

The table in Section 5 lists each Subprocessor with the following columns:

  • Subprocessor: the legal or commonly used name of the third party.
  • Purpose / service: what the Subprocessor does for HackZero.
  • Categories of data processed: the categories of Personal Data and Customer Data the Subprocessor may process. “Customer Data” here may include highly sensitive material, such as source code excerpts and captured request and response artifacts, which can contain confidential information and Personal Data of the Customer’s own users (see Section 6).
  • Processing location(s): the country or region where processing occurs.
  • Status: “In use” means the Subprocessor is engaged today; “Planned” means the Subprocessor is being onboarded and is not yet processing production data.

5. Current and planned subprocessors

| Subprocessor | Purpose / service | Categories of data processed | Processing location(s) | Status |
| --- | --- | --- | --- | --- |
| Fly.io, Inc. | Cloud compute and managed PostgreSQL database hosting; runs the HackZero application and primary datastore. | All application, Account, and product data, including names, emails, hashed passwords, organization and workspace information, session data, target and scan configuration, vulnerability findings, and captured artifacts. | United States (region “sjc,” San Jose, California). An EU region is available but is not used for production today. | In use |
| Tigris | S3-compatible object storage for database backups, shipped application and audit logs, signed contract PDFs, and generated reports. | Database backups, audit logs, executed Rules of Engagement and contract documents, and generated findings reports, which may contain Personal Data and Customer confidential information. Encrypted at rest with per-object server-side encryption. | United States. | In use |
| Cloudflare, Inc. | DNS, content delivery network (CDN), TLS 1.3 termination, web application firewall (WAF), and origin-lock (rejecting traffic that does not pass through Cloudflare). | Traffic metadata, IP address, user-agent, and request routing data for visitors and Account holders. May set strictly-necessary or security cookies at the edge. | Global edge network; traffic is routed through Cloudflare points of presence worldwide. | In use |
| Foundation model / LLM inference provider(s) | AI model inference powering the autonomous testing agents and report-narrative generation. | Target and scan context and source-code excerpts provided for inference, prompts, and generated outputs. Such source excerpts and scan context may incidentally contain Personal Data of the Customer’s own end users (for example, identifiers embedded in code, configuration, or captured request and response artifacts), as described generically in Section 4. Subject to the no-training and confidentiality posture in Section 6. | United States | In use |
| Resend | Transactional and confirmation email delivery (for example, account and engagement notifications). | Recipient email address and message metadata. | United States | In use |
| Google LLC | Optional OAuth sign-in using a Google or Google Workspace identity; HackZero staff email and productivity (Google Workspace). | For OAuth: email address and basic profile used for authentication. For staff email: inbound contact and inquiry email (name, email, company, message) sent to HackZero mailboxes. | Global; United States-based provider with global infrastructure. | In use (OAuth is optional for end users) |
| GitHub, Inc. | Read-only GitHub App that provides the autonomous agents with access to the Customer-authorized source code that is core to the Services. | The contents of the repositories the Customer explicitly authorizes, accessed on a read-only basis. | Global; United States-based provider with global infrastructure. | In use |
| Stripe | Payment processing and subscription billing for self-serve plans. | Billing contact details and payment and card data entered directly with Stripe. HackZero does not store full payment-card numbers. PCI-DSS Level 1 service provider. | United States; global processing. | Planned |

Note on transactional email. Our transactional email is delivered through Resend. If we engage an additional or replacement email provider for any transactional email, it will appear as a separate row above, with the same advance-notice and objection process described in Section 3 applying to its addition.

6. The upstream AI model provider: no-training and confidentiality posture

Because our Services use autonomous AI agents, the upstream foundation-model provider or providers are Subprocessors and are listed in Section 5. HackZero uses one or more enterprise-grade foundation models, provided by reputable third parties and/or operated by HackZero, to power its autonomous testing agents and to generate report narratives. HackZero selects, configures, and maintains these models, and the specific models and configurations may evolve over time as the technology matures. Whichever model is used, the data-protection and confidentiality commitments stated here apply.

We treat this relationship with particular care, and we make the following commitments, which are also stated in our AI Transparency Notice at /legal/ai:

  • No training on your data. We do not use your Customer Data, source code, or findings to train or fine-tune foundation models, and we require any third-party model provider we engage to apply the same restriction. You retain ownership of your Inputs and of the findings and reports the Services generate for you.

  • Service quality and evaluation. We may process de-identified and aggregated information derived from use of the Services to operate, secure, evaluate, benchmark, and improve the quality, accuracy, and reliability of the Services, including our detection capabilities and our internal model and system evaluations. De-identified and aggregated information does not identify you, your organization, or any individual, and is not used to train third-party foundation models on your identifiable data.

  • Written evidence on request. HackZero will provide written evidence of this no-training and confidentiality posture upon a Customer’s reasonable request, subject to confidentiality obligations. A Customer may also, no more than once per year, request a third-party attestation (such as a SOC 2 Type II or ISO/IEC 27001 report, or equivalent) evidencing this posture, as described in the AI Transparency Notice at /legal/ai.

7. International processing and transfer disclosures

The Services are operated principally from the United States. When you use the Services, your Personal Data and Customer Data may be processed in the United States and in the other locations identified in Section 5.

This processing involves a transfer of Personal Data outside your country. Personal Data processed in the United States may be subject to access by United States government authorities under United States law, including the CLOUD Act (18 U.S.C. §§ 2701 et seq.) and the Foreign Intelligence Surveillance Act, section 702 (50 U.S.C. § 1881a). We disclose this so that you can make an informed assessment of the transfer. The specific safeguards and transfer mechanisms for each market are addressed in the DPA at /legal/dpa and summarized below.

  • Canada (PIPEDA; Alberta PIPA; BC PIPA). Personal Data is processed by Subprocessors located outside Canada, principally in the United States. Consistent with Alberta’s Personal Information Protection Act, S.A. 2003, c. P-6.5, section 13.1, you may obtain written information about how we use foreign Subprocessors and the countries in which processing occurs, and the contact details of the individual able to answer questions about that processing, by writing to our Privacy Officer, who can be reached at [email protected].

  • Quebec (Law 25). Quebec’s Act respecting the protection of personal information in the private sector, CQLR c. P-39.1, as amended by S.Q. 2021, c. 25 (“Law 25”), requires an assessment before Personal Data is communicated outside Quebec (which includes the rest of Canada and the United States), under Article 17. HackZero conducts that assessment as part of the DPA process. This page discloses the destinations of processing for that purpose.

  • Mexico (LFPDPPP). Transfers of Personal Data to the Subprocessors above are disclosed in our Privacy Notice (“Aviso de Privacidad”) at /legal/privacy and are governed by written instruments consistent with the LFPDPPP, Articles 35 and 36.

  • Brazil (LGPD). International transfers of dados pessoais to the United States rely on the Brazilian Standard Contractual Clauses adopted by ANPD Resolution CD/ANPD No. 19/2024 (controlling in Portuguese as Resolução CD/ANPD nº 19/2024), which are mandatory for such transfers since 23 August 2025 absent an adequacy decision by the Autoridade Nacional de Proteção de Dados (“ANPD”). The DPA at /legal/dpa sets out the transfer mechanism in full.

  • Argentina (Ley 25.326), Colombia (Ley 1581/2012), Chile (Ley 19.628, transitioning to Ley 21.719 on 1 December 2026), Peru (Ley 29733 and DS 016-2024-JUS). Transfers to the United States rely on Standard Contractual Clauses or the equivalent approved clauses for the relevant country, or other lawful bases recognized in each jurisdiction, as detailed in the DPA. We note that Peru’s data-protection regime applies extraterritorially to providers offering services to data subjects in Peru (DS 016-2024-JUS, Article 5). Where a local data-protection officer or database registration is required (for example, in Peru), HackZero complies with that requirement.

  • European Economic Area and United Kingdom. Our architecture supports an EU region, but the EEA is not a launch market today, and HackZero does not assert an EEA establishment. The EEA is not a market HackZero serves today, and HackZero has not appointed an EU/UK Article 27 representative. Where European personal data is nonetheless processed, transfers rely on the European Commission’s Standard Contractual Clauses or another lawful mechanism, as set out in the DPA. Under the Standard Contractual Clauses, the governing law is the law of Ireland and the competent supervisory authority is the Irish Data Protection Commission (Clauses 17 and 18 and the corresponding Annex selections).

8. Self-hosted deployments reduce or eliminate certain subprocessors

Our Compliance and Enterprise tiers can be deployed inside the Customer’s own virtual private cloud (“VPC”). In that self-hosted mode, Customer Data does not leave the Customer’s perimeter, which reduces or eliminates HackZero’s reliance on several of the Subprocessors listed in Section 5 for that Customer’s data.

  • The cloud-hosting and object-storage Subprocessors (Fly.io and Tigris) are typically replaced by the Customer’s own infrastructure, because the application, database, backups, logs, and reports remain inside the Customer’s VPC.
  • The CDN, DNS, and edge Subprocessor (Cloudflare) may not apply where the deployment is not exposed through HackZero’s public edge.
  • Email and billing Subprocessors (Resend, Stripe) may still be used for notifications and billing where the Customer chooses, or may be replaced by the Customer’s own channels and invoicing.
  • The foundation-model / LLM inference provider(s) and the source-code access mechanism (GitHub) may still be involved depending on how the self-hosted deployment is configured (for example, whether model inference is routed to the provider(s) or to a model endpoint the Customer controls).

The precise Subprocessor footprint for a self-hosted deployment is established in the applicable MSA and the deployment configuration. A self-hosted Customer should refer to its MSA and to the DPA at /legal/dpa for the list that applies to it.

9. How to subscribe to change notifications

To receive advance notice of changes to this Subprocessor List, including the addition or replacement of a Subprocessor, subscribe by sending an email to [email protected] with the subject line “Subscribe.” We will add the address you write from to our subprocessor-change notification list. You can unsubscribe at any time by replying with the subject line “Unsubscribe,” or by using the unsubscribe link in any notification email.

Subscribing to these notifications does not, by itself, create or change any contractual relationship with HackZero. The contractual right to receive notice and to object is governed by the DPA at /legal/dpa.

10. How to object to a subprocessor

A Customer that wishes to object to a new or replacement Subprocessor should follow the process in Section 3: send written notice to [email protected] within the thirty (30) day notice period, stating the reasonable, good-faith data-protection grounds for the objection. We will acknowledge the objection and work with the Customer to address it as described in Section 3 and in the DPA at /legal/dpa.

Questions about this list that are not objections may be sent to [email protected] (privacy matters) or [email protected] (legal and contractual matters).

11. Relationship to our other policies

This Subprocessor List should be read together with:

  • our Privacy Policy at /legal/privacy;
  • our Data Processing Addendum at /legal/dpa;
  • our AI Transparency Notice at /legal/ai;
  • our Cookie Policy at /legal/cookies;
  • our Terms of Service at /legal/terms;
  • our Acceptable Use Policy at /legal/acceptable-use;
  • our Vulnerability Disclosure Policy at /legal/security; and
  • our Refund and Cancellation Policy at /legal/refunds.

If any term of this list conflicts with the DPA, the DPA controls as between HackZero and a Customer.

12. Changes to this list

We review and update this list whenever we add, replace, or remove a Subprocessor, and otherwise as needed. Each update is reflected in the “Last updated” date at the top of this page, and material changes are notified to subscribers as described in Sections 3 and 9. We keep this list current and dated so that it remains an accurate statement of the Subprocessors we use.


Agentic Security, Inc. (d/b/a HackZero) · 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States · [email protected] · [email protected] · [email protected]
