Subprocessors and third parties
Last updated Mar 30, 2026
MultiClaw uses a small, fixed set of third-party services to run its infrastructure. Each one is vetted before onboarding and re-evaluated annually against controls aligned with ISO/IEC 27001:2022.
What is a subprocessor?
A subprocessor is any company that processes your data on MultiClaw's behalf. When you use MultiClaw, your workspace data, account details, and task content may pass through these services to deliver the product. MultiClaw remains responsible for how every subprocessor handles your data. Each one operates under a binding Data Processing Agreement (DPA) with strict limits on what data it can access and how it can use that data.
Current subprocessors
Only services essential to running the product are included. MultiClaw does not share your data with advertising networks, analytics platforms, or any service outside this list.
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, storage, and CDN (CloudFront) | All workspace data; IP addresses and HTTP metadata for static asset delivery | US (us-east-1) for account and workspace data; ap-southeast-2 (Sydney) for cloud desktops by default; EU region available on request |
| Postmark | Transactional email | Email address, notification content | US |
The authoritative, up-to-date list will be published at multiclaw.io/legal/subprocessors when the Service is generally available.
AI model providers
AI model providers (such as OpenAI, Anthropic, and Google) are separate from MultiClaw's infrastructure subprocessors. How your data reaches these providers depends on your workload type:
- Local workloads: Requests go from your machine directly to the provider. MultiClaw does not route or store that traffic.
- Cloud workloads (MultiClaw Cloud): Some task context may pass through MultiClaw infrastructure on its way to the provider. When these providers act as subprocessors for cloud-processed data, they will be listed at multiclaw.io/legal/subprocessors when the Service is generally available.
MultiClaw selects AI model providers whose API agreements prohibit using your data to train their models. You have a direct contract with your chosen provider — review the provider's API data-use policy for details on how your data is handled.
How subprocessors are managed
Vetting and onboarding
Before any subprocessor is onboarded, MultiClaw completes a security review covering data handling practices, access controls, incident response capability, and compliance certifications. MultiClaw then signs a DPA with the provider that restricts data use to the specific purpose listed in the table above.
International transfers
For subprocessors outside the UK or EEA, transfers are protected by Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (UK IDTA), as applicable.
Ongoing oversight
MultiClaw re-evaluates each subprocessor annually and grants access only to the minimum data necessary for the subprocessor's stated purpose. If a subprocessor's security posture falls below the required standard, MultiClaw migrates to an alternative provider.
Changes to the subprocessor list
MultiClaw notifies workspace owners by email at least 30 days before adding a new subprocessor and updates the subprocessors page at the same time.
How to object
If you object to a new subprocessor, email legal@multiclaw.io within 30 days of the notification. MultiClaw will work with you to find a resolution, which may include additional safeguards or an alternative data-processing arrangement. If no resolution can be reached, you may terminate your subscription without penalty before the new subprocessor takes effect. Details are in the Data Processing Agreement.