What This Covers
Customer-safe summary categories only.
- Cloud hosting and infrastructure.
- Source control, CI/CD, and release evidence management.
- Container image storage and release distribution.
- Secret management or managed security infrastructure where enabled.
- Transactional email or notification delivery where enabled.
- Optional support, professional services, or customer-approved integrations.
Supplier Categories
Describe purpose and typical data exposure without private account details.
| Category | Purpose | Typical data exposure |
|---|---|---|
| Cloud hosting provider | Runs hosted application, storage, networking, and backup boundaries for the audited deployment. | Tenant data, operational data, logs, and backups according to scope. |
| Source control and CI/CD provider | Stores code, work items, release artifacts, and pipeline evidence. | Code, build metadata, issue and MR records, CI logs, and release evidence. |
| Container registry provider | Stores component images, tags, and immutable release references. | Container images, image metadata, tags, digests, and build evidence. |
| Transactional email provider | Sends approved account, security, billing, or support notifications when enabled. | Email addresses, message metadata, and content needed for the notification. |
| Customer-selected integrations | Connect customer systems for collection, identity, destination apply, reporting, or notifications. | Data depends on the customer-selected integration and approved credentials. |
Customer-Safe Commitments
Public subprocessor wording must stay scoped.
- Identify the category and purpose of the dependency.
- State whether the dependency is always-on, conditional, optional, or customer-selected.
- Avoid private hostnames, internal URLs, tokens, account identifiers, and operator-only evidence locations.
- Preserve region, contract, and approval caveats where those details vary by deployment or customer.
Next Step
Use the live public surface as the review artifact.
When a customer or reviewer needs product-safe wording, point them at these URLs on veridataops.com and then attach deployment-specific evidence separately.