
SUBCONTRACTORS LIST

Last updated: February 6, 2026

1. Sub-processing Policy

In accordance with the GDPR and the DPA, CaliaLabs undertakes to:

  • Maintain an up-to-date list of subcontractors
  • Notify clients of any addition or modification
  • Impose the same security obligations on subcontractors
  • Favour partners certified to ISO 27001, SOC 2

2. Active Subcontractors

OVHcloud

Infrastructure Hosting

Service: Server hosting, database, storage

Location: France (Gravelines, Roubaix)

Certifications: ISO 27001, SOC 2 Type II, HDS

Sovereignty: 100% France, GDPR compliant

Microsoft Azure

Cloud Services

Service: Cloud gateway for AI API access (OpenAI, Anthropic)

Location: France (Azure France Central region)

Certifications: ISO 27001, SOC 2 Type II, SecNumCloud certified

Sovereignty: 100% sovereign via Azure France

HashiCorp Vault

Security & Secrets Management

Service: Centralised management of secrets, API keys, certificates

Location: On our own servers (OVHcloud France)

Certifications: Audited open-source software

Sovereignty: 100% sovereign (self-hosted)

OpenAI (via Azure)

GPT AI Models

Service: GPT-4 API for compliance analysis

Location: Via Azure France (data processed in France)

Certifications: SOC 2 Type II

Sovereignty: Zero Data Retention (Azure France), no storage outside EU

Anthropic (via Azure)

Claude AI Models

Service: Claude API for compliance analysis

Location: Via Azure France (data processed in France)

Certifications: SOC 2 Type II

Sovereignty: Zero Data Retention (Azure France), no storage outside EU

Mistral AI

Sovereign LLM

Service: French AI models for analysis

Location: France (French company)

Certifications: GDPR compliant, European sovereignty

Sovereignty: 100% European, data not transferred outside EU

GoCardless

Payment and Billing

Service: SEPA direct debit processing

Location: Ireland (EU)

Certifications: FCA regulated, ISO 27001, PSD2 compliant

Sovereignty: IBAN only (outside scope of CEREBRO data)

3. Control Measures

  • Annual audit of critical subcontractors
  • Verification of security certifications
  • DPA (Data Processing Agreement) signed with each subcontractor
  • Minimisation of data transmitted (principle of least privilege)
  • Encryption of data in transit (TLS 1.3 minimum)

4. Change Notification

Any addition or replacement of a critical subcontractor is notified to clients by email 30 days before go-live. Clients may object in writing within 15 days.