Appearance
Sub-processors
A sub-processor is any third party that Term Tracker engages to process customer data on its behalf. This page lists every sub-processor, what data they receive, and the data-protection agreements that govern their use. Enterprise security reviewers and customers with DPA obligations should review this list before signing up.
See also: Security & Compliance.
Effective date: 2026-05-19
Sub-processor List
| Sub-processor | Purpose | Data accessed | Region(s) | DPA status |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Primary infrastructure: compute (Lambda), database (Aurora Serverless v2 PostgreSQL), file storage (S3), authentication (Cognito), queuing (SQS), email delivery (SES), key management (KMS), and security monitoring (CloudTrail, Config, Security Hub, GuardDuty, Inspector) | All customer data: contract files, extracted terms, account information, audit logs | us-east-1 (United States) | AWS Customer Agreement + AWS GDPR DPA (self-service download from AWS console) |
| Anthropic | AI extraction: contract text is sent to the Claude API to identify and extract terms specified in the project template | Contract text submitted for AI extraction (no account information or metadata) | United States | Standard DPA in procurement (see Anthropic Retention below) |
| AI extraction (when a Gemini model is selected for a project): contract text is sent to the Gemini API to identify and extract terms specified in the project template | Contract text submitted for AI extraction (no account information or metadata) | United States (multi-region) | Covered by Google Cloud DPA | |
| GoatCounter | Privacy-respecting, cookie-free page-view analytics for docs.trmtrk.com only. The app at trmtrk.com does not use GoatCounter. | Anonymized page-view events from docs.trmtrk.com only (no personal data, no cross-site tracking) | Belgium / EU | Privacy-respecting by design; no personal data transferred; no DPA required |
The chat feature ("Ask") reaches Anthropic Claude through Amazon Bedrock under AWS's standard service contract. The Anthropic sub-processor entry above covers the direct API usage by the contract-extraction pipeline.
Anthropic Retention
Anthropic retains API request and response data for up to 30 days per their standard data-handling policy. This data is not used to train Anthropic's models. A Zero-Data-Retention (ZDR) addendum is on the roadmap for when an enterprise customer requires it.
Notification of Changes
Material additions to this list will be reflected on this page. Customers with a signed Data Processing Agreement that includes a notification clause will receive notice per the terms of that agreement.