Donna Technologies Pty Ltd (ACN 691 287 457) (“Donna”, “we”, “us” or “our”) maintains this page as the authoritative public list of the third parties we engage to process Customer Data on our behalf in the course of providing the Donna platform. The list is structured in three tiers so that Customers can see at a glance which vendors hold data at rest, which perform model inference, and which support our day-to-day operations.
At a glance
Customer Data is hosted on Microsoft Azure in a region determined by Donna having regard to the Customer’s principal place of business, applicable data-protection law and operational considerations. The Customer does not elect the region. Model inference is routed to providers we have contracted with on a no-training basis, and where available we use zero-data-retention endpoints. Any change to this list is published here at least 30 days before it takes effect, and Customers may subscribe to email alerts by writing to privacy@bydonna.ai.
1.Overview
A Subprocessoris a third party engaged by Donna to process Customer Data in connection with the Donna platform, where that processing is carried out under Donna's instructions and on Donna's behalf. The term has the meaning given to it in the Donna Data Processing Addendum (the “DPA”), and this page operates as Annex 3 to the DPA for the purposes of listing approved Subprocessors.
Donna commits to maintaining this list in a current and accurate state. We add a Subprocessor to this list before that Subprocessor begins processing Customer Data. We remove a Subprocessor from this list when it ceases to process Customer Data on our behalf. The list is versioned and dated, and prior versions are referenced in section 9.
Each entry below describes the Subprocessor's legal entity, its role, the processing activities it performs, the geographical locations from which it carries out those activities, the cross-border transfer mechanism that applies, and the relevant third-party certifications it holds. The list is limited to direct Subprocessors. Some of our direct Subprocessors will themselves engage further sub-sub-processors (for example, a model provider may rely on its own cloud infrastructure vendor) and the public security and trust pages of those direct Subprocessors disclose their onward arrangements.
2.Change notification
Donna provides Customers with at least 30 days' advance notice before a new Subprocessor begins processing Customer Data, before an existing Subprocessor takes on a materially new processing activity, and before a Subprocessor is removed in circumstances that affect a Customer service component. Notice is given by updating this page and by email to Customers who have asked to be notified. Customers and prospective Customers can ask to be added to the change-notification list by writing to privacy@bydonna.ai.
A Customer may object to the addition of a new Subprocessor on reasonable data-protection grounds within the 30-day notice period by writing to privacy@bydonna.ai. On receiving an objection, Donna and the Customer will work together in good faith to resolve the concern, including by exploring an alternative Subprocessor, an alternative configuration, or additional safeguards. If, despite good-faith engagement, Donna and the Customer have not reached a resolution within the 30-day notice period, the Customer may, as its sole and exclusive remedy, terminate the affected service component on written notice. No fees are payable in respect of the affected service component for any period after termination, and where the Customer has prepaid for that component Donna will refund the unused portion on a pro-rata basis.
For the avoidance of doubt, where Donna replaces a Subprocessor with another Subprocessor in the same role on an emergency basis (for example, in response to a security incident affecting the existing Subprocessor or a sudden discontinuation of the existing Subprocessor's service), Donna may make the replacement before the 30-day notice period has run, provided that we notify Customers as soon as reasonably practicable and that the replacement Subprocessor offers a level of protection that is at least equivalent to the one being replaced.
3.Tier 1: Hosting and infrastructure
Donna runs the Donna platform on Microsoft Azure. Tier 1 covers the hyperscale infrastructure on which Customer Data is hosted at rest and the underlying platform services that support compute, storage, networking, identity and observability. Customer Data resides at rest in the Azure region designated by Donna for the tenancy under Donna's standing hosting allocation. Donna does not relocate Customer Data at rest to another country other than as described in section 7 and in the Data Transfers Addendum.
| Subprocessor | Legal Entity | Role | Processing Activity | Locations | Transfer Mechanism | Certifications |
|---|---|---|---|---|---|---|
| Microsoft Azure | Microsoft Corporation (registered in Washington, US) and Microsoft Australia Pty Ltd (registered in NSW) | Hyperscale cloud infrastructure | Compute, storage, database, identity, networking, observability and key management for the Donna platform | Australia East (Sydney), Australia Southeast (Melbourne), East US. Customer Data resides at rest in the Azure region designated by Donna for the tenancy. | APP 8 reasonable steps and section 16C accountability for Australian-origin Personal Information. EU SCCs Module 3 in the unusual case described in the Data Transfers Addendum. | ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1, SOC 2, SOC 3, IRAP (Australian Government), C5 (Germany), HDS (France), FedRAMP (US Federal), ENS (Spain) |
Where the Customer has enabled customer-managed keys (an Enterprise-tier feature), the keys are held in Azure Key Vault co-located with the tenancy’s Azure region. Diagnostic and platform telemetry produced by Azure is processed in the same region as the resource that emits it.
4.Tier 2: AI model providers
Donna's AI features are powered by foundation models hosted by the providers listed below. Inference is the only processing activity these providers perform on Customer Data. None of them are permitted to use Customer Inputs or Outputs to train or fine-tune their foundation models, and where the provider supports a zero-data-retention endpoint we use it by default.
| Subprocessor | Legal Entity | Role | Processing Activity | Locations | Transfer Mechanism | Certifications |
|---|---|---|---|---|---|---|
| Azure OpenAI Service | Microsoft Corporation (registered in Washington, US) | LLM inference for GPT-class models hosted within Azure | Process Inputs and produce Outputs in response to in-product agent and search requests | Australia East, East US, North Europe (Ireland), UK South, routed to match the Azure region designated by Donna for the tenancy. | As Tier 1. | As Tier 1 for the underlying Azure platform. |
| OpenAI | OpenAI L.L.C. (registered in Delaware, US) | LLM inference for selected models that are not yet available via Azure OpenAI | Process Inputs and produce Outputs in response to in-product agent requests, on the zero-data-retention API | United States. | APP 8 reasonable steps. EU SCCs Module 3 (Donna as processor, OpenAI as sub-processor) for EEA-origin data. UK IDTA for UK-origin data. | SOC 2 Type II |
| Anthropic | Anthropic, PBC (registered in Delaware, US) | LLM inference for the Claude family of models | Process Inputs and produce Outputs under the Anthropic enterprise terms with zero data retention and no training on Customer Inputs or Outputs | United States, with EU and UK regions used where available for tenancies allocated by Donna to EEA or UK residency. | APP 8 reasonable steps. EU SCCs Module 3 for EEA-origin data. UK IDTA for UK-origin data. | SOC 2 Type II, ISO/IEC 27001 |
| Mistral AI | Mistral AI SAS (registered in France) | LLM inference for specialised and EU-sovereignty model options | Process Inputs and produce Outputs in response to in-product agent requests | France. | Intra-EEA for tenancies allocated by Donna to EEA residency. EU SCCs Module 3 and APP 8 reasonable steps for tenancies allocated to AU or US residency. | SOC 2 Type II (where applicable) |
Inference routing
For tenancies allocated to an Australian region, Donna routes inference traffic to Azure OpenAI in Australia East by default. If Australian regional capacity for the requested model is unavailable, Donna may briefly fail over to a configured backup region (typically East US or North Europe) so that the in-product experience remains responsive. Failover routing is logged, is bounded by the safeguards described in section 7, and only occurs to regions of Subprocessors already listed on this page. Donna may, on Enterprise tier and at the Customer’s documented request, configure a strict in-region inference policy under which requests that cannot be served from the tenancy’s allocated region will fail rather than route to another region. Whether to make that configuration available is Donna’s decision.
Microsoft's contractual commitments for Azure OpenAI are that Customer Inputs and Outputs are not used to train or improve any foundation model, and that abuse-monitoring data is retained for 30 days unless Microsoft's “no abuse monitoring” amendment is in place. Donna requests the no-abuse-monitoring amendment for legal-services tenants on Azure OpenAI so that Customer Inputs and Outputs are not retained for abuse-monitoring purposes.
5.Cross-border transfers and safeguards
The full description of the cross-border transfer regime that applies to Customer Data is set out in the Donna Data Transfers Addendum. This section summarises how that regime applies to the Subprocessors listed above.
At-rest data residency
For tenancies allocated by Donna to an Australian region, Customer Data (including documents, agent threads, search indices, derived embeddings, and matter metadata) resides at rest in Australia East and, where Donna has configured geo-redundant storage, Australia Southeast. Donna does not move Customer Data at rest out of those regions other than as described in the Data Transfers Addendum. The same in-region principle applies to tenancies allocated to East US, North Europe and UK South: their data at rest stays in the region designated by Donna for the tenancy.
Inference traffic in transit
Inference traffic to Tier 2 Subprocessors may transit briefly to the model vendor's region while a request is being processed, and any short-lived state associated with that request is held within the model vendor's environment for the duration of the call. This in-transit movement is protected by the contractual commitments noted in section 5 (no training on Customer Inputs or Outputs, and zero-data-retention endpoints where available), by the Standard Contractual Clauses or the UK International Data Transfer Addendum where the data is EEA or UK origin, and by the “reasonable steps” standard required by Australian Privacy Principle 8 for AU origin data.
Encryption in transit and at rest
All transfers of Customer Data between Donna and any Subprocessor listed on this page are protected by TLS 1.2 or above in transit, and Customer Data at rest is encrypted using AES-256 (or an equivalent approved algorithm) on the underlying storage service.
6.Contact
Questions about this page, requests to subscribe to or unsubscribe from change notifications, subscription and unsubscription requests, and objections to a proposed Subprocessor change should be directed to Donna's privacy team at privacy@bydonna.ai.
For matters relating to the underlying processing of Personal Information, please refer to the Donna Privacy Policy. For the contractual framework that governs Donna's engagement of Subprocessors, please refer to the Data Processing Addendum and the Data Transfers Addendum. For the technical and organisational measures that protect Customer Data across all Subprocessors listed above, please refer to the Donna Security page.