Legal · Subprocessors
Subprocessors
MVS Holdings (operator of AgentHub) uses a small set of carefully vetted service providers (“subprocessors”) to deliver the platform. Each is bound by a written data-protection agreement and processes personal information only on our instructions and yours. We list the categories below; specific vendor names are available on request to current customers under NDA.
Effective date: May 15, 2026
How we evaluate subprocessors
Before engaging a subprocessor, we assess (a) the security controls and certifications they hold, (b) whether the data they will process is necessary for the function they support, (c) the regions in which they will store and process data, and (d) the lawful transfer mechanisms required if they are located outside the data-exporting region. Each subprocessor signs a written agreement that imposes substantially equivalent confidentiality, security, and data-protection obligations to those in our customer agreements, including the EU Standard Contractual Clauses and the UK Addendum where applicable.
We continuously monitor subprocessors for changes in security posture, location, and certification status, and we re-evaluate the list at least annually.
Current subprocessor categories
Last reviewed May 15, 2026.
Category
Hosted Postgres provider
Purpose
Primary relational database for accounts, Workspaces, agent manifests, audit-event chains, and billing metadata.
Region
United States
Processes personal data
Yes
Data classification
Account & usage
Category
Hosted vector retrieval provider
Purpose
Embedding storage and similarity search powering retrieval-augmented agents over Customer Content.
Region
United States
Processes personal data
Limited
Data classification
Customer Content
Category
Object storage provider
Purpose
Durable storage for uploaded files, knowledge-base documents, evaluation artifacts, and signed audit exports.
Region
United States
Processes personal data
Limited
Data classification
Customer Content
Category
Email delivery provider
Purpose
Transactional email (verification, password reset, billing, audit notifications) and email outputs sent by agents on a Workspace's behalf.
Region
United States
Processes personal data
Yes
Data classification
Account & usage
Category
SMS delivery provider
Purpose
Out-of-band one-time codes for two-factor authentication and SMS-based notifications from agents on a Workspace's behalf.
Region
United States
Processes personal data
Yes
Data classification
Account & usage
Category
Card-payments processor
Purpose
Tokenization, authorization, and capture of card payments. Raw card data is never stored on our systems.
Region
United States
Processes personal data
Yes
Data classification
Billing
Category
Code sandbox provider
Purpose
Ephemeral, isolated execution environments where agent-generated code runs against a restricted toolchain.
Region
United States
Processes personal data
Limited
Data classification
Customer Content
Category
OAuth-token vault provider
Purpose
Encrypted storage and short-lived issuance of OAuth refresh and access tokens for connectors authorized by Workspaces.
Region
United States
Processes personal data
Limited
Data classification
Account & usage
Category
Model gateway provider
Purpose
Routing and rate-limiting of inference calls to large language model providers, with usage attribution back to the originating Workspace.
Region
United States
Processes personal data
Limited
Data classification
Customer Content
Category
Application hosting provider
Purpose
Edge and server-side runtime for the AgentHub web application, marketing site, and APIs.
Region
United States
Processes personal data
Yes
Data classification
Account & usage
“Limited” means the subprocessor handles personal information only when it is incidentally present in Customer Content (for example, a name appearing inside a document a customer has uploaded). Customers control what they submit. “Data class” reflects the highest sensitivity of data routinely processed by the category.
Cross-border transfers
All subprocessors above are located in the United States. When personal information originating in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with cross-border-transfer rules is shared with a U.S. subprocessor, we rely on (a) the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, (b) supplementary technical measures such as encryption in transit and at rest and tenant isolation, and (c) where appropriate, the EU–U.S. Data Privacy Framework with U.S. recipients self-certified to it. We document a transfer impact assessment for each category.
Notification of changes
We will provide at least thirty (30) days' advance notice before adding a new subprocessor that processes Customer Content, by updating this page and notifying the Workspace owner by email. Customers on enterprise plans may subscribe to a subprocessor-update mailing list and have the right to object on reasonable grounds, as set out in our Data Processing Addendum.
Internal subprocessors
In addition to the categories above, we use MVS Holdings affiliates for limited internal functions (engineering, customer support, billing operations, and security monitoring). Affiliate access to Customer Content is logged and limited to what is necessary to provide the Service.
Connectors authorized by you
Separately from MVS subprocessors, your Workspace can authorize connectors to third-party systems (your CRM, your ticketing platform, your code host, etc.). Those third-party systems are not MVS subprocessors — they are independent controllers or processors with whom you have your own relationship. The Service acts on your behalf within the scopes you grant; your contracts with those providers govern their handling of data they receive.
Contact
For privacy or subprocessor questions, including to request the underlying vendor names under NDA, write to legal@mvsagents.ai. For security-specific concerns, contact security@mvsagents.ai. Our broader privacy practices are described in the Privacy Policy.
AgentHub is operated by MVS Holdings. Effective date: May 15, 2026.