Sub-Processors
Last updated: 2026-05-15
This page lists the third-party data processors ("Sub-Processors") that LunaRabbit Inc. engages to process customer personal data on our behalf, together with the category of data they receive and the relevant Data Processing Agreement (DPA) or privacy policy. It supplements Section 3 of our Privacy Policy and supports our obligations under GDPR Art. 28, UK GDPR, CCPA, and Korea's PIPA Article 26.
1. AI Model Processors
These processors receive your conversation text and document content to generate model responses. All operate under their commercial API terms; default behavior is no training on customer data.
| Sub-Processor | Purpose | Data Categories | Region | DPA / Policy |
|---|---|---|---|---|
| OpenAI, L.L.C. | GPT model inference | Conversation text, document content, system prompts | United States | Privacy · DPA |
| Anthropic, PBC | Claude model inference | Conversation text, document content, system prompts | United States | Privacy · Commercial Terms |
| Google LLC | Gemini model inference (via Vertex AI) | Conversation text, document content | United States (multi-region) | DPA |
| Perplexity AI, Inc. | Real-time web-aware search (sonar / sonar-pro models) when LR.WEB or the web-search tool is invoked | Search query strings (not full conversation) | United States | Privacy |
2. Web Search and Fetch Processors
These processors are invoked when a real-time information lookup or URL extraction is necessary.
| Sub-Processor | Purpose | Data Categories | Region | DPA / Policy |
|---|---|---|---|---|
| Serper LLC (serper.dev) | Google Search proxy on lower-cost search tiers | Search query strings | United States | Privacy |
| Jina AI GmbH (r.jina.ai) | URL content fetch and text extraction (webFetch tool) for URLs you have explicitly referenced | Target URL string, page content fetched on our behalf | Singapore / Germany | Privacy |
3. Infrastructure Processors
These processors host our infrastructure and receive request metadata. They do not see decrypted conversation content beyond what TLS termination requires.
| Sub-Processor | Purpose | Data Categories | Region | DPA / Policy |
|---|---|---|---|---|
| Amazon Web Services, Inc. | EC2 compute, RDS PostgreSQL, ElastiCache Redis, WAF, S3 object storage | Application data at rest, request metadata, logs | ap-northeast-2 (Seoul) | Service Terms · DPA |
| Cloudflare, Inc. | CDN, DNS, TLS termination, DDoS protection, Pages hosting | IP addresses, request paths, timestamps, cached static assets | Global edge network | DPA |
| Qdrant Solutions GmbH (Qdrant Cloud) | Vector database for fewshot retrieval — stores de-identified embeddings only, never raw text | Embedding vectors (de-identified) | Frankfurt (EU) | Privacy |
| Microsoft Corporation | Azure AD identity provider for Single Sign-On; Office.js host for Office Add-in surface | Email, display name, tenant ID at sign-in | United States (multi-region) | DPA |
4. Payment Processors (when active)
Payment processors are engaged only when paid subscriptions are active. As of the "Last updated" date above, paid plans are not generally available; payment processors listed below will be engaged once paid plans launch.
| Sub-Processor | Purpose | Data Categories | Region | DPA / Policy |
|---|---|---|---|---|
| Paddle.com Market Limited | Merchant of Record for global subscription billing; tax handling, payment method support (cards, KakaoPay, Naver Pay) | Name, email, billing address, payment method, transaction history | United Kingdom (with sub-processors in US/EU) | DPA |
5. Notification of New Sub-Processors
We will provide at least 30 days' advance notice on this page before adding a new sub-processor that materially changes the categories of data we share. Users who are subscribed to update notifications (via [email protected]) will also receive email notice. If you object to a new sub-processor, you may terminate your subscription before that sub-processor begins processing your data.
6. Internal Access
In addition to the sub-processors above, authorized LunaRabbit personnel access stored customer data only for limited operational purposes — debugging regressions, investigating user-submitted error reports, security incident response, and statutorily required disclosures. Access is gated by single sign-on and an IP allowlist, and is logged for audit. This human access is described further in Section 3.5 of the Privacy Policy.
7. Contact
For questions about our sub-processors or to request a copy of any DPA we cannot share publicly, contact [email protected].