#open for more workLearn more

Security

Who processes your data, besides us.

Levano is your data processor. These vendors process parts of your data on our behalf. We update this list 30 days before adding or changing a vendor.

Updated
Jun 19, 2026
Version
1.0
Read time
~3 min

Our sub-processors

The list below is current as of Jun 19, 2026. Each vendor processes only the data its purpose requires, and always under a data processing agreement. You can find our full terms in our Data Processing Agreement (DPA).

VendorPurposeLocationCertifications
Microsoft Azure

Hosting, infrastructure, Microsoft 365 integration

EU (West Europe, Denmark)

ISO 27001SOC 2GDPR
Anthropic

AI (Claude API), with Zero Data Retention

EU/US (with ZDR, data deleted immediately)

SOC 2ISO 42001-aligned
Stripe

Payment processing

EU (Ireland)

PCI DSS Level 1ISO 27001
AWS SES

Transactional email

EU (Frankfurt)

ISO 27001SOC 2GDPR
Sentry

Error tracking & monitoring

EU (Frankfurt)

ISO 27001SOC 2
Axiom

Application logs & analytics

EU

ISO 27001
Vanta

Compliance monitoring & audit

US (with EU data isolation)

SOC 2
e-conomic / Billyintegration

Accounting, via integration only, not a direct sub-processor

EU (Denmark)

Varies

Anthropic ZDR: the key thing to understand

Anthropic is the AI vendor Levano uses. Even though Anthropic is American, we hold an Enterprise + Zero Data Retention agreement:

  • Your prompts leave the EU temporarily during processing
  • Anthropic deletes the data immediately after the response is delivered
  • No long-term storage
  • No training on your data
  • ISO 42001-aligned governance

This is the current industry standard for compliant AI use in the EU. If the law changes (for example the EU AI Act), we update the setup.

How we vet a sub-processor

No vendor gains access to data before passing the same review:

  1. ISO 27001 (or equivalent) required
  2. GDPR compliance and a data processing agreement
  3. Geographically EU-preferred; alternatives only with stronger controls
  4. Financial stability (we don't want to switch vendor every 6 months)
  5. Audit rights included in the contract
  6. Incident response SLA included

How we notify you about changes

We never add or change a sub-processor without notice. In practice that means:

  • 30 days' notice before we add or change
  • Email to administrative contacts
  • An update on this page with a “new” or “changed” tag
  • A right to object (per the Data Processing Agreement)

Change history

Here we log every addition and change as it happens, with date and status.

No changes yet. This list is current as of Jun 19, 2026.

Questions?

Questions about a specific sub-processor?

If you'd like to know more about how a specific vendor handles your data, just write to our security team. We usually reply within two business days.

contact@levano.io

Levano ApS · Lille Torv 2A, 3rd floor · 8000 Aarhus C, Denmark