AEGIS ISD, LLC logo
Request a demo

Subprocessors

Third parties that process Customer Data or support compliance.

AEGIS ISD, LLC engages the subprocessors listed below to support the delivery of our platform. Each subprocessor is bound by contractual data-protection terms. When Customer Data includes Protected Health Information, the subprocessor must be bound by a downstream Business Associate Agreement before processing PHI. Compliance and audit vendors that are not authorized to process PHI are listed separately for transparency.

Last updated: April 24, 2026

Current subprocessors

Oracle Cloud Infrastructure (OCI)

Entity: Oracle (the specific Oracle contracting entity is identified in the executed Business Associate Agreement and Oracle cloud services agreement).

Purpose: Primary cloud hosting including compute, object storage, block storage, managed database, networking, identity, and key management.

Data processed: All Customer Data, including Protected Health Information.

Processing location: Primary processing in the United States. Authorized Oracle support personnel may access OCI services from other locations as permitted by Oracle's then-current service terms and the executed BAA.

Attestations: Oracle maintains SOC 1, SOC 2, ISO 27001, and HIPAA attestations for OCI services covered by an executed Business Associate Agreement. Our policy is to have a downstream BAA in place with Oracle before any PHI is processed on OCI.

Oracle's compliance documentation is available at oracle.com/corporate/cloud-compliance.

No other Customer Data subprocessors

Oracle Cloud Infrastructure is currently the only subprocessor authorized to process Customer Data, including PHI, on AEGIS ISD's behalf. AEGIS ISD does not currently engage third-party email, support-ticketing, customer-relationship-management, monitoring, observability, code-repository, continuous-integration, endpoint-management, or large-language-model providers as subprocessors of Customer Data. Should any such vendor be engaged for Customer Data in the future, the change-notification policy below will apply, a downstream BAA will be required where PHI may be processed, and this page will be updated before processing begins.

Internal business tooling that does not process Customer Data (for example, business email used for prospect correspondence, code repositories that hold platform source code, and workforce identity providers) is governed by AEGIS ISD's vendor risk-management program but is not a subprocessor for Customer Data and is therefore not listed here.

Compliance and audit vendors not authorized for PHI

The vendors below support our compliance program but are not authorized subprocessors for PHI or production Customer Data unless a separate written agreement, required security review, and, where applicable, BAA are completed. Evidence uploaded to these systems is limited to policies, control metadata, tickets, sanitized screenshots, and redacted audit artifacts.

Sprinto

Purpose: Compliance automation, control tracking, evidence collection, and audit readiness workflow.

Data processed: Compliance-control evidence, policy metadata, employee or vendor compliance status, and redacted operational evidence. No PHI or production Customer Data is authorized.

AtomAudits

Purpose: Independent audit services for SOC 2 Type II and HIPAA readiness or assessment activities.

Data processed: Audit workpapers, control descriptions, policies, interviews, and redacted evidence. No PHI or production Customer Data is authorized unless expressly approved under a written agreement and, where applicable, a BAA.

Change-notification policy

AEGIS ISD will provide customers with at least thirty (30) days advance notice before engaging a new subprocessor that will process Customer Data. Notice is sent to the primary administrative contact on file and reflected on this page.

Customers may object to a new subprocessor for reasonable cause related to data protection. If we cannot accommodate the objection, the customer may terminate the affected portion of the service for the remainder of the then-current subscription term and receive a pro-rata refund of prepaid fees attributable to the terminated period.

Subscribe to subprocessor updates

To receive email notifications when this page changes, email privacy@aegisisd.com with the subject line "Subscribe: Subprocessor Updates." Include the organization name and one or more contact email addresses. To unsubscribe, reply to any notification with "Unsubscribe" in the subject line.

Due-diligence process

Before engaging a subprocessor that may process Customer Data, AEGIS ISD conducts a risk-tiered due-diligence review that considers the subprocessor's security posture, relevant attestations (including SOC 2, HIPAA, and ISO/IEC 27001 where applicable), data-protection contractual terms, data residency, incident-response readiness, and financial stability. The outcome and supporting evidence are documented and retained.

Questions?

Reach our privacy team.

For questions about our subprocessor program, to request a copy of the downstream BAA terms, or to raise an objection to a new subprocessor, email our privacy team.

Subprocessor contact

  • Email: privacy@aegisisd.com
  • AEGIS ISD, LLC
  • 7753 Green Mountain Way
  • Winter Garden, FL 34787
  • United States