Last Updated: March 21, 2026
VikingCloud uses a small number of carefully selected third-party services to operate the platform. Each of these "sub-processors" processes specific categories of customer data on our behalf, under written data-processing agreements that flow our security and confidentiality obligations through to them.
The list below is current as of the date above. We will update this page before adding a new sub-processor that has access to customer data.
For the purposes of this page, customer data is anything you provide to VikingCloud that we then process — your account information, the cloud credentials you connect, the metadata returned by scans of your cloud environments, and any data you generate by using the platform (saved queries, marked issues, comments).
What is not on this list: services we use only for internal operations that never touch customer data (for example, our internal source-control hosting, our CI/CD provider, or our internal-only documentation tools). If a service ever touches customer data, it goes on this list.
| Sub-processor | Purpose | Data type processed | Region | Vendor security |
|---|---|---|---|---|
| Google Cloud Platform | Application hosting (Cloud Run), worker compute (Compute Engine), database (Cloud SQL PostgreSQL), object storage (Cloud Storage for SBOM/KBOM artifacts), secret management (Secret Manager), scheduled jobs (Cloud Scheduler), and resource discovery (Cloud Asset Inventory). | Customer cloud-resource metadata returned by your provider APIs, scan results, encrypted credentials, application logs. | asia-northeast1 (Tokyo) | Security · Privacy |
| Google Vertex AI (Gemini) | Powers our Viking AI agents (Compliance Assessor, Issue Curator, Exposure Analyst, Scan Briefer, Viking Analyst, Executive Summarizer). Receives summaries of your scan data to produce analysis, prioritization, and remediation guidance. | Aggregated scan findings, resource counts, IAM binding summaries, vulnerability records sent at inference time. Inputs are not used by Google to train foundation models per Vertex AI terms. | asia-northeast1 (Tokyo) primary; us-central1 fallback for endpoints not yet available in Tokyo. | Security · Privacy |
| Supabase | User authentication and authentication-related metadata (accounts, team memberships, subscription state, entitlement overrides, account-level preferences such as language). | Email address, hashed password (when password auth is used), team account names and slugs, subscription tier, audit timestamps. No customer cloud credentials or scan data are stored in Supabase. | ap-northeast-1 (Tokyo). | Security · Privacy |
| Stripe | Subscription billing, payment processing, customer portal, invoice generation, webhook-driven entitlement updates. | Billing email, company name, subscription history, last-four payment-card digits (full card data is tokenized by Stripe and never reaches our infrastructure). No scan data sent to Stripe. | United States (Stripe primary). Stripe is PCI DSS Level 1 certified. | Security · Privacy |
| Resend | Transactional email delivery: account verification, password reset, magic links, contact-form receipts, scan-completion notices, soft-cap overage notifications to support@vikingstrike.com. | Recipient email address, sender, subject, message body. No scan data, credentials, or detailed cloud-resource information sent in emails. | United States (Resend primary). Reach out for a regional alternative if data-residency requires it. | Security · Privacy |
| Sentry | Error monitoring and performance tracing across application code (frontend + worker). Captures stack traces and request context when application errors occur. Captures session replays only when an error is thrown (not on healthy traffic) at the rate documented in our Sentry sample-rate configuration. | Error stack traces, request URL paths, sanitized request headers, sanitized request bodies (PII scrubbing applied via Sentry SDK config), authenticated user ID for error correlation. Customer cloud credentials are never logged. | United States (Sentry primary). | Security · Privacy |
Application infrastructure that processes scan data — Cloud Run, worker compute, the primary PostgreSQL database, secret manager, and scheduled jobs — is deployed exclusively in Google Cloud Platform's asia-northeast1 (Tokyo) region. Authentication metadata at Supabase is hosted in their ap-northeast-1 (Tokyo) region.
Stripe (billing), Resend (email), and Sentry (error monitoring) are operated primarily from the United States. None of these three services receives scan data or cloud credentials. If your organisation requires that all categories of personal data stay in the EU/EEA or in a specific national jurisdiction, contact us so we can confirm whether the platform meets that requirement before you sign.
Before we send any customer data to a third-party service, we evaluate:
When a sub-processor is added, removed, or replaced, we update this page and bump the "Last Updated" date above. Customers under signed Enterprise contracts that require advance written notification will receive an email to the contractual notice address before the change takes effect.
If your security team has questions about a specific sub-processor, or if you object to a planned change to this list, email contact@vikingstrike.com and we will respond promptly.