Sub-processors
This page explains the third-party providers that Senex Intelligence Ltd (Senex) uses to process Customer Data for Mosaic Theory AI.
1. Current default posture
Cloudflare is Senex's core infrastructure provider and the sole Approved Sub-processor for the default locked pilot and Entry-tier configuration.
Senex configures Customer Content storage and other persistent data stores for European Union jurisdiction where supported by the relevant Cloudflare service and confirmed in Senex's technical configuration.
This is not a blanket European-Union-only processing claim. Cloudflare edge compute, artificial-intelligence inference, vector search, queues, logs, analytics, operational metadata, support, and administrative processing may be subject to Cloudflare's global network, service-specific regional controls, and documented exceptions. Unless an Order Form expressly states otherwise, Senex does not represent that every Cloudflare processing operation, metadata item, log, inference operation, or vector-search operation occurs only in the European Union.
2. Approved Sub-processor
| Sub-processor | Purpose | Location and regional posture | Customer Data processed | Status |
|---|---|---|---|---|
| Cloudflare | Core application infrastructure, edge compute, Workers AI inference, databases, object storage, vector search-index infrastructure, key-value storage, queues, Durable Objects, security controls, analytics/logging, and audit-log storage | Cloudflare global network with service-specific regional controls. Senex configures Customer Content storage, audit archives, D1 control-plane data, the document-parsing compute containers, and the consolidation-scheduler and parser-pool-scheduler Durable Objects for European Union jurisdiction where supported and confirmed. Worker-log storage is also European Union-resident, but by a different mechanism - the log-export job's delivery endpoint, not a jurisdiction binding. Other processing, including edge compute, artificial-intelligence inference, vector search, key-value storage, queues, Durable Object compute other than those two schedulers, analytics, support, administrative processing, and operational metadata, may be global or subject to documented service-specific exceptions. | Customer Content, extracted text, derived search data, prompts, questions, retrieved passages, Outputs, user/account data, audit and security logs, operational metadata, and support data where applicable | Approved for the Cloudflare-only default configuration |
3. Cloudflare service-by-service map
| Cloudflare service | Mosaic Theory AI usage | Current publication position |
|---|---|---|
| R2 object storage | Customer documents and immutable audit archives | European Union-jurisdiction buckets where supported and confirmed. Audit bucket uses write-once retention controls. |
| D1 | Per-tenant control plane, settings, audit index, billing and metadata | European Union-jurisdiction databases where supported and confirmed. Workers may still access a jurisdiction-constrained database from Cloudflare's global network. |
| Workers | Gateway and per-tenant application compute | Global edge network unless a separate Order Form expressly states and configures a narrower commitment. |
| Workers AI | Query embeddings and answer generation in the default Cloudflare-only configuration | Cloudflare service-specific/global processing. Not represented as European-Union-only. |
| Vectorize | Per-tenant vector search | Cloudflare service-specific/global processing. Not represented as European-Union-only. |
| KV | Transient cache and state | Cloudflare service-specific/global processing. Not represented as European-Union-only. |
| Queues | Asynchronous ingest dispatch | Cloudflare service-specific/global processing. Queue messages are intended to contain operational metadata, such as tenant identifiers, document identifiers, and job state, not raw Customer Content. |
| Durable Objects and container hosts | Scheduling, debounce state, and transient document-processing hosts | The consolidation-scheduler and parser-pool-scheduler Durable Objects are configured for the European Union jurisdiction (a Cloudflare jurisdiction-restricted Durable Object namespace), and the document-parsing compute containers are pinned to the European Union jurisdiction by a Cloudflare container constraint. Scheduler state is intended to contain operational metadata. Certain transient document-processing components may process Customer Content temporarily but are not intended to persist it. |
| Logpush to R2 | Worker logs | R2-backed worker-log storage is European Union-resident. Its residency rests on the log-export job's delivery endpoint, which is set to a European Union storage endpoint, rather than on a Cloudflare jurisdiction binding - no such binding exists for this bucket. Log generation, analytics, support, and administrative handling may be service-specific or global. |
4. Conditional Sub-processors — optional, DPA-gated features
The providers below are not part of the Cloudflare-only default configuration. Senex uses them for Customer Data only where the Customer has expressly enabled the relevant feature and Senex has recorded a valid DPA Reference, current DPA version, and matching disclosure hash.
| Provider | Feature key | Purpose | Location / regional posture | Customer Data processed | Required DPA terms | Status |
|---|---|---|---|---|---|---|
| Anthropic | anthropic_platform | Senex-managed artificial-intelligence model processing using a Senex-held Anthropic API/platform account, including answer generation, summarisation, classification, extraction, reasoning, and citation-aware response generation. | Anthropic service locations, including the United States and other locations used by Anthropic. Not Cloudflare-only and not represented as European-Union-only or Swiss-only. | Prompts, questions, retrieved passages, document excerpts, source metadata, outputs, request metadata, and operational metadata needed for the authorised feature. | anthropic-platform-dpa-v2026-07-07 at
/legal/dpa/amendments/anthropic-platform-v2026-07-07 | Conditional only. Disabled unless Customer has accepted the current feature DPA terms and Senex has a non-empty signed DPA Reference. |
| Modal Labs, Inc. | modal_ingest | Optional ingest processing, document conversion, parsing, text extraction, table/layout extraction, file normalisation, and transient job execution. | United States or other Modal service locations, subject to configured region settings where available and expressly committed. Not Cloudflare-only and not represented as European-Union-only or Swiss-only unless an Order Form expressly says so. | Uploaded documents, filenames, file metadata, document identifiers, job identifiers, extracted text, conversion outputs, parse errors, and operational metadata needed for the authorised ingest job. | modal-ingest-dpa-v2026-07-07 at
/legal/dpa/amendments/modal-ingest-v2026-07-07 | Conditional only. Disabled unless Customer has accepted the current feature DPA terms and Senex has a non-empty signed DPA Reference. |
Not valid consent. A placeholder page, stale version, missing DPA Reference, mismatched disclosure hash, or "terms coming soon" disclosure is not valid Customer authorisation for these providers.
5. Not approved or enabled by default
The following providers are not approved for the Cloudflare-only default configuration unless separately authorised under the customer agreement, Data Processing Agreement, product setting, or Order Form.
| Provider | Potential purpose | Status |
|---|---|---|
| Anthropic BYOK | Customer-enabled answer generation using Customer's own Anthropic account and application programming interface key | Not enabled by default. Customer must expressly authorise transmission to Anthropic, accept Anthropic's commercial and data-processing terms, and assess transfer consequences before use. |
| Anthropic platform key | Senex-appointed artificial-intelligence model provider using a Senex-held Anthropic account or key | Not approved by default. Would be treated as a conditional Senex Sub-processor requiring separate customer authorisation and transfer safeguards. |
| Modal Labs | Optional document conversion or transient processing | Not approved by default. Requires separate customer authorisation and transfer safeguards before use. |
| cloudscale.ch or another Swiss-sovereign hosting provider | Future Enterprise-tier hosting and compute substrate | Not active for the default Entry tier. Enterprise-specific terms require separate review before first Enterprise customer signature. |
| OpenAI or Google artificial-intelligence services | Artificial-intelligence model processing | Not used for Customer Data unless Customer expressly authorises the provider in writing or through an agreed product setting. |
6. New or replacement Sub-processors
Senex will notify Customers at least 30 days before appointing a new or replacement Approved Sub-processor, unless shorter notice is reasonably necessary to maintain the security, availability, or continuity of the Service.
Customers may object to a new or replacement Approved Sub-processor on reasonable data-protection grounds by notifying Senex within 15 days after receiving notice. The parties will work in good faith to resolve the objection.
7. Contact
Questions about sub-processors or data-processing terms can be sent to hello@senex.ch.