Compliance

Subprocessors

Lyrie AI uses a minimal set of third-party service providers to deliver the platform. Each subprocessor is bound by a Data Processing Agreement.

Effective: April 1, 2026 · OTT Cybersecurity LLC

Current Subprocessors

The following third-party entities process data on behalf of Lyrie AI (OTT Cybersecurity LLC):

Stripe, Inc.

United States

Payment processing, billing, and subscription management

Data processed: Name, email, payment method (card last 4), billing address, transaction history

https://stripe.com ↗

Vercel, Inc.

United States (global edge)

Application hosting, edge network, and serverless compute

Data processed: Request metadata (IP, headers, URL paths) for routed traffic

https://vercel.com ↗

Amazon Web Services (AWS)

United States (us-east-1)

Database hosting, object storage, and compute infrastructure

Data processed: All application data (encrypted at rest with AES-256)

https://aws.amazon.com ↗

Resend

United States

Transactional email delivery (verification codes, notifications, alerts)

Data processed: Email addresses, email content

https://resend.com ↗

Cloudflare, Inc.

Global

DNS resolution, DDoS mitigation for infrastructure

Data processed: DNS query metadata

https://cloudflare.com ↗

National Vulnerability Database (NVD)

United States

CVE data enrichment for vulnerability scanning

Data processed: No personal data — CVE identifiers only

https://nvd.nist.gov ↗

No AI Model Training

None of the above subprocessors receive customer data for the purpose of training machine learning or AI models. This is a contractual guarantee enforced in all subprocessor agreements.

Change Notification

Per our Data Processing Agreement, Lyrie will notify customers at least 30 days before adding a new subprocessor. Notifications are sent to the account email and posted on this page.

If you object to a new subprocessor, you may terminate the affected services by contacting [email protected] within 30 days of the notification.

Safeguards

All subprocessors are subject to:

  • Written Data Processing Agreements with obligations no less protective than our own DPA.
  • Regular security assessments and compliance reviews.
  • Data minimization — subprocessors only receive the data necessary for their specific function.
  • Encryption requirements for data in transit and at rest.

Contact

Questions about subprocessors: [email protected]