Subprocessors
Lighthaus Labs engages a limited number of trusted third-party service providers (“subprocessors”) to support the delivery of our services. These subprocessors may process customer data on our behalf in accordance with the AICPA Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, and Privacy).
All subprocessors are subject to due diligence, contractual obligations, and ongoing oversight to ensure they meet our security and privacy standards.
Current Subprocessors
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Kaseya | IT management, monitoring, and remote support | System data, device information, support-related data | United States |
| Google (Workspace) | Email, file storage, and collaboration | Customer communications, documents, files | United States |
| OpenAI (ChatGPT) | AI-assisted productivity and support workflows | Limited business data as input by authorized personnel | United States |
| Anthropic (Claude) | AI-assisted productivity and analysis | Limited business data as input by authorized personnel | United States |
| Apple | Device ecosystem and business operations | Device-related data, limited business information | United States |
| Intuit (QuickBooks) | Accounting and financial management | Billing data, financial records, customer billing information | United States |
Trust Services Criteria Alignment
Lighthaus Labs maintains controls aligned with the AICPA Trust Services Criteria in relation to subprocessor management, including:
- CC1 / CC2 (Control Environment & Communication): Subprocessors are selected based on defined security, privacy, and operational requirements. Roles and responsibilities are clearly established.
- CC3 (Risk Assessment): Subprocessors are evaluated for risks related to data security, availability, and confidentiality prior to onboarding and periodically thereafter.
- CC5 (Control Activities): Contracts and data processing agreements require subprocessors to implement appropriate safeguards and restrict data use to defined purposes.
- CC6 (Logical & Physical Access Controls): Access to customer data is limited to authorized subprocessor personnel with a legitimate business need.
- CC7 (System Operations): Subprocessors are expected to maintain monitoring, incident detection, and response capabilities.
- CC8 (Change Management): Changes to subprocessor relationships are reviewed and documented in accordance with internal change management practices.
- CC9 (Risk Mitigation): Lighthaus Labs monitors subprocessor performance and addresses identified risks in a timely manner.
Data Handling Statement
Lighthaus Labs implements strict data handling practices when utilizing subprocessors:
- Customer data is shared with subprocessors only as necessary to deliver services.
- AI-based subprocessors (e.g., ChatGPT and Claude) are used in a controlled manner:
  - Inputs are limited to business-purpose data.
  - Sensitive or regulated data is not submitted unless explicitly authorized and protected.
- Data access is restricted to authorized personnel and governed by least-privilege principles.
- Encryption and secure transmission methods are used where applicable.
- Data retention is limited to the minimum necessary for operational and legal requirements.
Subprocessor Commitments
All subprocessors are contractually required to:
- Maintain appropriate technical and organizational security measures
- Ensure confidentiality and integrity of customer data
- Process data only in accordance with Lighthaus Labs’ instructions
- Promptly notify Lighthaus Labs of any security incidents or breaches
Updates to This List
Lighthaus Labs may update this subprocessor list from time to time as part of normal business operations. Material changes will be reflected on this page.
Contact
For questions regarding our subprocessors or data handling practices, please contact:
Last Updated: March 15, 2026