Sub-processor List.
Last updated: 2026-06-25
This list identifies the third parties ("Sub-processors") that LifeSage LLC, a Washington limited liability company operating under the "Karta" brand ("Karta," "we," "us"), engages to process Customer Data in providing the Services. Capitalized terms not defined here have the meanings given in the Karta Terms of Service, the Data Processing Addendum ("DPA"), and the Privacy Policy. In the event of any conflict between this list and the DPA, the DPA controls.
This published list, as amended in accordance with Section 6, is Karta's binding statement of its Sub-processors to Customers. Karta maintains an internal configuration that mirrors this list for operational purposes; if the two ever diverge, Karta will promptly reconcile the published list, and Customer rights under Section 6 attach to the published list.
This list is provided for transparency and informational purposes. It does not itself create any data-processing terms, and the DPA is the operative contract governing Karta's processing of Customer Data and End-User Data; in the event of any conflict, the DPA controls. This list does not confer any third-party-beneficiary rights, including on any End User, who is not a party to the agreement between Karta and the Customer.
1. Roles
For End-User Data processed through Customer Agents, the Customer is the controller (or business) and Karta is the processor (or service provider), governed by the DPA. For Karta account, billing, dashboard, website, support, and platform-administration data, Karta is a controller, governed by the Privacy Policy.
Karta does not sell Customer Data or End-User Data, does not share it for cross-context behavioral advertising, does not use it for targeted advertising, and does not use Customer Content or End-User Data to train models, in each case except to the extent the Customer expressly opts in. Karta may create and use aggregated or de-identified data derived from use of the Services, provided such data does not identify any Customer or End User, to operate, secure, analyze, and improve the Services; such data is not subject to the foregoing restrictions.
Karta engages each Sub-processor under a written contract that imposes data-protection obligations consistent with those applicable to Karta and no less protective than those required by Article 28 of the GDPR and comparable applicable law. Each Sub-processor is engaged as a service provider or contractor (or the equivalent) under a contract that prohibits the Sub-processor from selling or sharing the personal information, from retaining, using, or disclosing it for any purpose other than performing the Services or as otherwise permitted by applicable law, and from combining it with personal information received from or on behalf of others except as permitted by applicable law, consistent with Cal. Civ. Code § 1798.140. Karta remains fully liable to the Customer for each Sub-processor's performance of its data-protection obligations, as further set out in the DPA.
2. Current Sub-processors
| Vendor | Purpose | Data processed | Contact | Location |
|---|---|---|---|---|
| Stripe | Payments and subscription billing | Billing email, last 4 of card, charge amounts, Stripe IDs, invoices/payment metadata | privacy@stripe.com | United States (us-west) |
| Anthropic (Karta-managed inference only; see Section 4) | LLM inference for non-BYOK, Karta-managed requests | Prompt and response payloads proxied through Karta for Karta-managed inference | privacy@anthropic.com | United States |
| Hetzner Online GmbH | Control plane hosting and primary Postgres | Account, organization, billing, authentication, audit, and dashboard records at rest | data-protection@hetzner.com | United States (Hillsboro, Oregon) |
| AWS (Amazon Web Services) | Data plane: agent session compute, durable workspace/merge store (S3), session/transcript database (RDS) | Agent session state, workspace artifacts, hosted-chat transcripts, data-plane records | aws-privacy@amazon.com | United States (us-east-1) |
| Postmark | Transactional email | Recipient email address and email body | privacy@postmarkapp.com | United States |
| Sentry | Application error monitoring and performance telemetry | Account/tenant identifiers (organization ID, user ID, role) and server-side error and performance diagnostics attached to exceptions and traces; secret values are scrubbed | privacy@sentry.io | United States |
The control plane (accounts, organizations, billing, audit log) is hosted in the United States (Hillsboro, Oregon) on Hetzner. The data plane (agent session compute, workspace/merge store, and the session/transcript database) is hosted in the United States on AWS in the us-east-1 region.
The vendor contact addresses and locations in the table above are provided as a convenience and reflect Karta's understanding at the "Last updated" date. They may change without amending these or any other legal terms, and they are not a warranty by Karta of any Sub-processor's contact details or processing location.
3. International Data Transfers
Because the Sub-processors above operate in the United States, providing the Services to EEA/UK/Swiss customers involves cross-border transfers of personal data, with the Customer as data exporter and Karta as a United States data importer. Where required, such transfers are made under the EU Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914), Module Two (controller-to-processor) and Module Three (processor-to-sub-processor) as applicable, with United Kingdom transfers covered by the UK International Data Transfer Addendum and Swiss transfers covered by the Standard Contractual Clauses as adapted for the Swiss Federal Act on Data Protection. Karta is not certified under the EU-U.S. Data Privacy Framework. Additional transfer-mechanism detail is set out in the DPA, which governs in the event of conflict.
4. Model Providers
Anthropic is currently engaged as a Sub-processor for Karta-managed inference, where Karta contracts the Model Provider and meters usage against Customer Credits. If Karta enables additional Karta-managed Model Providers (for example, OpenAI or AWS Bedrock model access under Karta's own account), each will be added to this list before it receives Customer-identifiable data in production.
For BYOK (bring-your-own-key) traffic, the Customer supplies its own provider key and contracts with and pays the Model Provider directly. BYOK Model Providers are selected and controlled by the Customer, are not Karta Sub-processors for BYOK traffic, and the Customer is responsible for its relationship with, and the terms, data handling, and availability of, each such provider. The same vendor (for example, Anthropic) may be a Karta Sub-processor for Karta-managed inference while not being a Karta Sub-processor for the Customer's BYOK traffic.
5. Website Infrastructure, Analytics, and Pending Categories
Karta's public website and documentation rely on the following providers, which process Karta-controlled website-visitor data (such as IP address and page-request metadata) and do not process Customer Data or End-User Data:
- Cloudflare, Inc. (United States) — authoritative DNS for karta.sh, and the content-delivery and TLS edge for Karta's public documentation site. Karta's application, data-plane, and agent-workspace hosts are DNS-only and are not proxied by Cloudflare, so Cloudflare does not have access to account, billing, agent-session, or workspace content.
- Plausible Analytics (cookieless web analytics) — aggregate usage analytics for Karta's public documentation and marketing site; it sets no cookies and does not track visitors across sites.
These website-infrastructure and analytics providers are described in the Privacy Policy and the Cookie & Tracking Notice and are listed here separately because they process Karta's own website-visitor data, not the Customer Data or End-User Data covered by the Section 2 Sub-processors.
Beyond the providers above, no analytics, observability, customer-support, or additional Model Provider Sub-processor is currently engaged for Customer Data or End-User Data. Examples of categories Karta may enable in the future include application observability and error monitoring beyond Sentry, and support tooling. No such vendor will receive Customer Data or End-User Data until it is added to this list, reviewed, and covered by appropriate data-processing terms, with advance notice given as described in Section 6.
Karta may also engage incident-response, forensic, or similar providers to investigate or remediate a security incident or to meet a legal or regulatory obligation. Where Karta does so under the emergency engagement provision in Section 6, it will provide notice as described in that Section; such engagement is not a breach of this list.
Karta's standing rule is that End-User content and unmasked secrets are not sent to analytics, telemetry, or support tooling unless necessary for a Customer-requested support, security, or legal workflow and appropriately controlled.
6. Changes, Notice, and Objection
Karta may add, remove, or replace Sub-processors from time to time. Before authorizing a new Sub-processor that will process Customer Data or End-User Data for which Karta acts as a processor under the DPA, Karta will update this list and provide at least thirty (30) days' advance notice through the mechanism described in Section 7.
A Customer may object to a new or replacement Sub-processor on reasonable, documented data-protection grounds that relate to the Sub-processor's inability to meet the data-protection standard required by the DPA and that materially and adversely affect the protection of personal data, by notifying Karta in writing at privacy@karta.sh within fifteen (15) days after the notice is given. The parties will work in good faith to resolve the objection, and Karta may continue using the Sub-processor pending resolution. If Karta is unable to provide a commercially reasonable alternative within a reasonable time, the Customer's sole and exclusive remedy is to terminate, during the then-current term, the affected portion of the Services that cannot be provided without the objected-to Sub-processor, and Karta's sole liability is a pro-rated refund of (i) any prepaid, unused subscription fees and (ii) any prepaid, unused, non-expired Credits, in each case attributable to that affected portion, determined in accordance with the Terms of Service. Absent a timely written objection, the new or replacement Sub-processor is deemed authorized. This Section is consistent with the general sub-processor authorization (SCC Clause 9, Option 2) and summarizes, but does not limit, the Customer's sub-processor notice and objection rights under the DPA; in the event of conflict, the DPA controls.
Karta may engage a new Sub-processor without prior notice where required to address an emergency, a security incident, a vendor outage or business-continuity event, a material change in a Sub-processor's terms, or a legal or regulatory obligation, in which case Karta will provide notice as soon as reasonably practicable thereafter.
7. Staying Informed
Posting an updated version of this page is a sufficient and effective method of notice under Sections 6 and 7, and the Customer is responsible for monitoring this page and for keeping its administrative and billing contact details current with Karta. As a courtesy, and without creating any obligation to do so, Karta may also provide notice by email to the Customer's administrative or billing contact, through the Karta dashboard, or to Customers who subscribe to updates by emailing privacy@karta.sh with the subject line "Subprocessor Updates" to be added to Karta's Sub-processor notification list. The "Last updated" date above reflects the most recent change to this list.