This page lists the third parties ("Sub-processors") that may process Customer Personal Data on behalf of Kosuke, Inc. during a Kosuke Pentest engagement, under the Kosuke Pentest Data Processing Agreement. We provide at least 30 days advance notice before engaging a new Sub-processor, giving Customers the opportunity to object as set forth in the DPA.
The list is intentionally short: pentest engagement artifacts (findings, evidence, draft reports) are stored on Kosuke-controlled infrastructure and are not delegated to third-party storage providers. The only third parties that incidentally process Customer Personal Data during a pentest are the LLM inference providers that power the testing agent.
Current Sub-processors
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Anthropic, PBC | LLM inference for the pentest agent (Claude). Target-system responses fed to the agent may incidentally include Personal Data. | United States | SCC + supplementary measures (zero data retention where contractually available) |
| Fireworks AI, Inc. | LLM inference for the pentest agent. Target-system responses fed to the agent may incidentally include Personal Data. | United States | SCC + supplementary measures |
Notifications and objections
We will notify Customers of intended changes to this list (additions or replacements) at least 30 days in advance, in accordance with Section 4 of the DPA and Clause 9, Option 2 of the SCC.
To subscribe to Sub-processor change notifications, or to raise a reasonable objection to a planned change, contact security@kosuke.ai.
What's not on this list, and why
The following third parties are not Sub-processors for Kosuke Pentest engagements:
- Engagement-artifact storage providers (databases, object storage, etc.): pentest artifacts are stored on Kosuke-controlled infrastructure during the engagement and destroyed in accordance with Section 7 of the DPA.
- Authentication and workspace providers (e.g., Clerk): pentest customers are onboarded via a sales-led flow and do not authenticate into a customer portal that would process their Personal Data through a third-party identity service.
- Analytics, marketing, and telemetry providers (e.g., Plausible, PostHog, Sentry, Cookiebot, Reddit, X, Meta): these process visitor data on the public marketing site or Kosuke-internal operational telemetry. They do not process Customer Personal Data from pentest engagements.
The broader list of service providers used in connection with the Kosuke platform (code platform, marketing site, support) is documented separately in our Privacy Policy.
Contact
For questions about Sub-processors or transfer mechanisms, contact security@kosuke.ai.