Last updated: 23 May 2026
Sub-processors
Template under legal review. This document is a working draft and has not yet been reviewed by qualified counsel. It must not be published externally without review and should not be relied upon as legal advice.
CLMSpace engages the sub-processors listed below to provide the Service. We give at least 30 days’ notice before onboarding a new sub-processor or materially expanding the scope of an existing one. Subscribe to change notices by emailing privacy@clmspace.com.
The architectural principle is that your contract content stays in your Microsoft 365 tenant (SharePoint) and the derived obligation graph lives in your own Dataverse environment. CLMSpace itself operates the inference layer (Anthropic, via a zero-retention enterprise contract) and the API + UI hosting (Azure + Vercel).
| Sub-processor | Purpose | Data | Location |
|---|---|---|---|
| Microsoft Azure | Primary cloud infrastructure: Azure Container Apps (API runtime), Azure Container Registry, Azure Key Vault, Azure Storage, Microsoft Entra ID for service-to-service identity | Container runtime + secrets; transient request/response payloads; no contract content at rest beyond Dataverse / SharePoint | UK South (primary); EU regions on request at onboarding |
| Microsoft Dataverse | Structured data store for the obligation graph (agreements, obligations, citations, lifecycle events, playbook, tenant config) | Extracted contract metadata, verbatim citations, scoped playbook entries, audit-trail records. One environment per customer tenant | Microsoft data centre matching the customer's M365 tenant region |
| Microsoft 365 (SharePoint + OneDrive) | Source-of-truth document store for signed agreements and templates. Read via Microsoft Graph using the customer's bound folders | The contract PDFs / DOCX files themselves. They never leave the customer's M365 tenant | Customer's M365 tenant region |
| Microsoft Entra ID (Azure AD) | Authentication for end users into the app and for service-to-service tokens (Graph, Dataverse). SSO via SAML / OIDC where configured | Account metadata only (object id, UPN, group claims as configured) | Microsoft global identity service |
| Anthropic | LLM inference for obligation extraction (claude-haiku-4-5) and analysis (claude-sonnet-4-6). Verbatim-citation enforcement plus scoped-playbook reasoning | Request payloads (prompts + retrieved obligation snippets). Zero-retention enterprise contract; no training on customer data | Anthropic enterprise endpoint (US-based). Restricted transfers governed by SCCs / UK IDTA with Schrems II supplementary measures |
| Vercel — marketing + portal hosting | Edge hosting for clmspace.com (marketing) and app.clmspace.com (product portal + /docs) | Request metadata; static + cached server-rendered pages. No contract content; no Dataverse data passes through Vercel infrastructure | Vercel Edge (London / Dublin primary for UK + EU traffic; US fallback) |
| Vercel · Web Analytics + Speed Insights | Optional, consent-gated traffic analytics and Core Web Vitals (LCP, TTFB, CLS) on clmspace.com and app.clmspace.com | Anonymous, hashed visitor identifiers (derived from IP + user-agent server-side; no cookies, no personal data, no cross-site tracking) | Vercel US, transferred under SCCs / UK IDTA where applicable |
Optional, contract-time integrations
Several first-class integrations are available but are activated only at the customer’s instruction. They appear in this register only when enabled for your tenant:
- HubSpot / Salesforce — counterparty sync (inbound + outbound) where the CRM is the master record of vendors / customers.
- Xero / QuickBooks / Sage — accounting ledger attachment so Payment obligations cross-reference live invoices.
- Coupa / SAP Ariba (and equivalent procurement platforms) — purchase-order-against-framework checks for spend-cap enforcement.
- Microsoft Teams Approvals + Power Automate — used where a customer wants to keep approvals in Teams rather than the in-app Review Queue.
Review cadence
Sub-processors are re-assessed at least annually against their SOC 2, ISO 27001, or equivalent attestations. Microsoft Azure / Microsoft 365 / Dataverse and Anthropic enterprise are covered by their own ongoing attestations (SOC 2 Type 2, ISO 27001, ISO 27018), which we monitor for material changes. Where an attestation is not available, CLMSpace conducts its own risk assessment and records the outcome in the internal vendor register.