Subprocessors
Hive Bastion LLC · Version 1.0 · Effective 24 June 2026
1. Purpose and Scope
This Subprocessor List provides transparency into the third-party service providers ("Subprocessors") that Hive Bastion LLC ("Hive Bastion," "we," "us," or "our") engages to support the delivery, operation, security, and administration of our services. We publish this list as a good-faith transparency measure aligned with the SOC 2 Trust Services Criteria CC9 (Risk Mitigation) and consistent with the disclosure expectations of enterprise procurement, vendor-risk, and privacy reviewers.
A Subprocessor is a third party engaged by Hive Bastion that may store, process, transmit, or have access to data in connection with our delivery of services. This page identifies those providers, the services they perform, the categories of data involved, their processing location, and relevant notes.
This list is maintained as a living document. It reflects the providers Hive Bastion uses in the ordinary course of business. Hive Bastion's default data architecture is data-minimizing and transient-pass-through: in many engagements, customer and consumer personal data remains on the customer's own systems and accounts, and Hive Bastion does not retain such data on its side. Where this is the case, the Subprocessors below process Hive Bastion's own operational data (e.g., business communications, source code, network metadata) rather than customer/consumer personal data.
Relationship to contracts (gateway, not the contract). This published list is a good-faith baseline provided for transparency. It does not by itself create contractual rights or obligations, and no person may rely on it as a warranty or representation. Your access to and use of Hive Bastion's website and services is offered on the condition that you accept the applicable published Terms of Service; any engagement with Hive Bastion is governed by a separate signed written agreement between the parties, which controls in the event of any conflict with this page. To the maximum extent permitted by applicable law, Hive Bastion's aggregate liability arising out of or relating to this Policy or your access to or use of the Services is limited as set forth in your separate signed agreement (if any) and, where no fees have been paid by you, to one hundred U.S. dollars (US$100). Nothing in this Policy limits or expands either party's liability beyond what a separate signed agreement provides; in the event of any conflict, the signed agreement controls. To the extent permitted by law, Hive Bastion will not be liable for indirect, incidental, consequential, special, exemplary, or punitive damages.
No third-party warranty; information accuracy. The Subprocessors listed are independent third parties. Hive Bastion does not control and is not responsible for the independent acts, omissions, security practices, or service availability of any Subprocessor; each Subprocessor is governed by its own agreement with Hive Bastion and its own terms. Descriptions of Subprocessor services, data practices, residency, and security postures are provided in good faith based on information available to Hive Bastion as of the date shown and are subject to change without notice. This list is provided "as is" for transparency; Hive Bastion does not warrant that it is complete, current, or error-free at any given moment, and any binding commitment regarding Subprocessors is set out only in the applicable signed agreement.
2. About Hive Bastion LLC
Hive Bastion LLC is a Tennessee limited liability company and a disregarded entity for U.S. federal income-tax purposes. Hive Bastion is veteran-owned; it is led by a retired U.S. Army Special Forces veteran. Subcontractors, where engaged, are engaged under written agreement.
| Field | Detail |
|---|---|
| Legal entity | Hive Bastion LLC |
| Entity type | Tennessee LLC; disregarded entity for U.S. federal income-tax purposes |
| Mailing / notice address | 1556 Hankook Rd Suite A, PMB 1021, Clarksville, TN 37043 |
| Website | https://hivebastion.com |
| Contact | david@hivebastion.com |
3. How to Read This List
Each row describes a single Subprocessor across the following columns:
- Subprocessor — the legal name of the provider.
- Service provided — the function the provider performs for Hive Bastion.
- Data categories — the categories of data the provider may process in performing that service.
- Location — the primary processing/data-residency region. Hive Bastion is designed to process and store data in the United States. Certain global infrastructure providers (for example, Google, Cloudflare, and GitHub/Microsoft) may process limited operational or transit metadata outside the United States in the ordinary operation of their global networks. Where an engagement requires strict US-only processing or restricts international transfers, that requirement is addressed in the governing Data Processing Addendum, including any applicable transfer mechanism (such as the EU Standard Contractual Clauses or the UK IDTA).
- Notes — relevant context, including AI-training posture and data-minimization notes.
Providers we may use but have not confirmed for a given engagement are listed separately in Section 5 (Potential Subprocessors).
4. Current Subprocessors
The following Subprocessors are engaged by Hive Bastion to deliver, host, secure, and administer its services. Each is bound by the data-protection and confidentiality terms of its respective customer agreement, data-processing terms, and/or terms of service. Where an engagement involves Hive Bastion processing customer or consumer personal data, Hive Bastion engages each Subprocessor under written terms (e.g., the provider's data-processing addendum) that impose data-protection obligations designed to be no less protective than those Hive Bastion owes the customer under the applicable signed agreement, to the extent the provider offers such terms. Hive Bastion selects and reviews Subprocessors under its Vendor & Subprocessor Risk Management Policy, which applies risk-based due-diligence criteria appropriate to the service and data involved. Hive Bastion strives to engage providers that maintain commercially reasonable security and privacy practices appropriate to the service performed.
Each Subprocessor may engage its own subprocessors (sub-subprocessors) under that Subprocessor's data-protection terms. Hive Bastion relies on each Subprocessor's contractual obligations to govern its onward subprocessing; Hive Bastion does not separately enumerate sub-subprocessors on this page.
| Subprocessor | Service provided | Data categories | Location | Notes |
|---|---|---|---|---|
| Google LLC / Google Cloud Platform | Cloud hosting and compute (Cloud Run, Artifact Registry), logging (Cloud Logging) | Operational data. In engagements where the signed agreement provides for Hive-Bastion-side processing of customer personal data, such data may be processed here under that agreement and any DPA; in the default data-minimizing architecture, customer/consumer personal data is not retained on Hive Bastion's side. | United States (us-central1) | Provider-managed encryption in transit and at rest, inherited from the provider and subject to the provider's terms; Hive Bastion does not independently warrant provider controls. |
| Cloudflare, Inc. | DNS, CDN / edge delivery, email routing | Network metadata; inbound email content/metadata | United States | Edge/DNS layer; provider-managed TLS, inherited from the provider and subject to the provider's terms; Hive Bastion does not independently warrant provider controls. |
| Anthropic, PBC | AI inference (Claude API) | Prompt content submitted for inference | United States | Per the provider's published commercial terms as currently configured by Hive Bastion, API inputs and outputs are not used to train the provider's models, and prompt content is processed transiently to generate a response. Hive Bastion configures provider settings toward this posture but does not control and does not warrant the provider's own practices; the provider's then-current terms govern. |
| Google Workspace (Google LLC) | Business email and productivity | Business communications | United States | Used for Hive Bastion's internal business operations and correspondence. |
| GitHub, Inc. (a Microsoft company) | Source code hosting (private repositories) | Source code | United States | Private repositories. Hive Bastion's standing practice is not to store customer or consumer personal data in source control; this is an operational practice, not a guarantee that no such data has ever been present. |
4.1 Notes on AI Processing
Hive Bastion uses Anthropic's Claude API for AI inference. As a matter of standing posture: Hive Bastion does not itself use customer or consumer personal data, or client confidential data, to train, fine-tune, or otherwise improve any AI model. For third-party AI providers, Hive Bastion selects and configures each provider so that, under the provider's then-current terms, submitted content is not used by the provider to train its models by default, and Hive Bastion does not opt into any program that would change that posture. Hive Bastion does not warrant the conduct of third-party providers beyond their published terms; where an engagement requires a contractual no-training commitment stronger than a provider default, that term is captured in the governing Data Processing Addendum. Statements in this section describe Hive Bastion's configuration intent and the providers' published terms as of the date of this list; they are not warranties of third-party conduct. AI-generated content is subject to the disclaimer in Section 8.
4.2 Notes on Data Minimization
Consistent with Hive Bastion's data-minimization default, many engagements are designed so that customer and consumer personal data passes through to, or remains within, the customer's own systems and accounts without retention on Hive Bastion's side. Where retention on Hive Bastion's side is required for a specific engagement, the applicable signed agreement and any Data Processing Addendum (see Data Processing Addendum) govern the scope, purpose, and duration of such processing. Retention and destruction of any customer personal data processed on Hive Bastion's side are governed by the applicable signed agreement and Hive Bastion's Data Retention & Destruction Policy; on termination of an engagement, such data is returned or deleted as that agreement provides.
If any Subprocessor processes customer personal data outside the United States, Hive Bastion will implement an appropriate transfer mechanism (e.g., Standard Contractual Clauses) under the applicable signed agreement before such processing begins.
5. Potential Subprocessors
The following providers may be engaged for specific functions (for example, payment processing, secrets management, or communications) but are not confirmed as active Subprocessors for every engagement. They are listed here for transparency and will be moved into Section 4 if and when engaged.
| Subprocessor | Service provided | Data categories | Location | Notes |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing | Payment/billing data | United States | Engaged only if/when Hive Bastion accepts card payments through this provider. |
| Bitwarden, Inc. | Secrets / credential management | Credentials, secrets (Hive Bastion's own) | United States | Operational secrets management; no customer/consumer personal data. |
| Twilio Inc. / Google Voice (Google LLC) | Communications (voice/SMS) | Communications metadata and content | United States | Engaged only if/when Hive Bastion provides communications-related services. |
6. How Customers Are Notified of Changes
Hive Bastion maintains this Subprocessor List as the authoritative public source of its current Subprocessors. Our process for changes is:
- Page updates. When Hive Bastion adds, removes, or materially changes a Subprocessor, we update this page and revise the version and date.
- Advance notice. Where a signed engagement agreement or Data Processing Addendum requires it, Hive Bastion strives to provide reasonable advance notice of a new Subprocessor before that Subprocessor begins processing customer data, so the customer has an opportunity to review. Where a signed agreement does not specify a notice period, Hive Bastion will strive to provide at least thirty (30) days advance notice of a new Subprocessor that will process customer personal data, except where a shorter period is required to address a security, legal, or service-continuity need. The specific notice mechanism and any objection rights are governed by the applicable signed agreement, which controls.
- Notification channel. Customers may subscribe to, or request, change notifications by contacting david@hivebastion.com. The precise channel (email notice, page-monitoring, or contractual notice) is set in the applicable agreement.
- Objection / escalation. Where a customer's signed agreement provides a right to object to a new Subprocessor, the process and remedies in that agreement apply. This published page does not, by itself, create objection rights.
Two-Layer Transparency Posture
To be candid about what this process looks like today:
| Layer | Description |
|---|---|
| (a) Standard / Commitment | Hive Bastion commits to maintaining an accurate public Subprocessor List, to engaging Subprocessors under data-protection terms designed to protect customer data, and to providing reasonable advance notice of new Subprocessors where a signed agreement requires it. We strive to keep this page current and accurate. |
| (b) Current Implementation Status | This page is maintained manually by our team. Subprocessor changes are reflected by editing this page and incrementing the version/date. There is no automated subscription/notification service in place today; notifications are provided by direct email where a signed agreement requires it. |
| (c) Roadmap | Planned maturation includes: a subscribable change-notification mechanism; a formal periodic (at least annual) Subprocessor review tied to the Vendor & Subprocessor Risk Management Policy; maintenance of an internal Subprocessor Register with risk tiers and review dates; and alignment with a SOC 2 Type I examination as the security program matures. These items are planned and not represented as currently in place. |
7. Related Documents
This public list is part of a broader transparency and security documentation set:
- Privacy Policy — how Hive Bastion handles personal data.
- Data Processing Addendum (DPA) — contractual data-processing terms, including Subprocessor obligations.
- Data Retention & Destruction Policy — retention and destruction of data, including customer personal data processed on Hive Bastion's side.
- Vendor & Subprocessor Risk Management Policy — how Hive Bastion selects, assesses, and monitors Subprocessors.
- Subprocessor Register (Internal) — the internal, fuller register with risk tiers and review cadence.
- Data-Flow & Architecture — how data moves through Hive Bastion's pass-through architecture.
8. AI-Output Disclosure
This document contains content generated, in whole or in part, by AI systems operated by Hive Bastion LLC. AI can make mistakes. Every result herein is an estimate produced for the named recipient's professional review - not a regulated determination, not an underwriting decision, not a rate quote, not legal advice, not medical advice, not investment advice. The named recipient is responsible for the final decision and for verifying any factual claim before acting on it.
9. Contact
Questions about this Subprocessor List, or requests for change notifications, may be directed to:
Hive Bastion LLC
1556 Hankook Rd Suite A, PMB 1021
Clarksville, TN 37043
Contact: david@hivebastion.com
https://hivebastion.com