Subprocessors and data suppliers
We work with carefully vetted suppliers to deliver Cleared services. Below is a list of subprocessors that handle or store personal data on our behalf.
Current subprocessors
Amazon Web Services (AWS)
Cloud infrastructure, storage, databases, encryption key management
All verification data (documents, biometrics, results, logs)
MongoDB Atlas
Unstructured data storage (verification logs, audit trails)
Verification metadata, audit logs, case notes
Twilio
SMS delivery for OTPs, consent notifications, and alerts
Phone numbers, message content (no ID images or biometrics)
GitHub (Microsoft)
Code repository, CI/CD pipelines (no production data access)
Source code, configuration files (no personal data)
How we vet subprocessors
Security questionnaire and assessment
Every supplier completes a security questionnaire covering encryption, access controls, incident response, and compliance certifications (SOC 2, ISO 27001).
Data processing agreement (DPA)
Suppliers sign DPAs that define data types, retention periods, security obligations, breach notification timelines, and audit rights.
Subprocessor changes and notifications
If we add, remove, or change a subprocessor, we will update this page and notify clients via email at least 30 days before the change takes effect. Clients can object to new subprocessors within the notice period.
Subscribe to subprocessor updates by emailing dpo@cleared.id with subject "Subscribe to subprocessor notifications".