| Amazon Web Services (AWS) | Compute (EC2), database hosting (RDS Postgres), object storage (S3), key management (KMS), secrets storage (Secrets Manager), email delivery (SES), monitoring (CloudWatch), DNS health checks | All customer data — encrypted at rest with AES-256-GCM, keys managed in AWS KMS | us-east-1 (N. Virginia) | SOC 1/2/3, ISO 27001/17/18, PCI DSS L1, HIPAA-eligible, FedRAMP High, C5, IRAP | Critical |
| Cloudflare | Edge network: DNS, DDoS mitigation, Cloudflare Tunnel for origin connectivity, WAF (when on Pro tier) | Request metadata (IP, user agent, path) — no customer secrets traverse Cloudflare in plaintext (TLS terminated at origin) | Global anycast | SOC 2 Type II, ISO 27001, PCI DSS L1, FedRAMP Moderate | Medium |
| Clerk | Identity provider for sign-in / sign-up flows on the lockzero.io web app | Email address, name, sign-in metadata. No secrets, no customer credentials. | us-east-1 | SOC 2 Type II, GDPR-aligned | High |
| Auth0 (Okta) | OIDC provider for SSO + enterprise authentication paths | User identity tokens (JWT); Lockzero-side user IDs; auth audit metadata | us-east region (configurable to EU) | SOC 2 Type II, ISO 27001/17/18, HIPAA-eligible, PCI DSS | High |
| Stripe | Payment processing for paid tiers; subscription billing | Customer billing email + plan info. Card data never touches Lockzero servers — entered directly into Stripe Elements. | us-east region | SOC 1/2, PCI DSS L1, ISO 27001 | Medium |
| Resend | Transactional email delivery (welcome, password reset, alerts) | Email address, message content (no secrets — only audit/system messages) | us-east-1 / Cloudflare R2 | SOC 2 Type II, GDPR-aligned | Medium |
| Sentry | Application error monitoring | Stack traces and request metadata. Configured to scrub PII and never capture secret values. | us-east-1 | SOC 2 Type II, ISO 27001, GDPR-aligned | Low |
| GitHub | Source code hosting, CI (Actions), container registry | Source code (private repository); CI logs. No customer data. | Global | SOC 1/2, ISO 27001/17/18, FedRAMP Moderate, GDPR-aligned | Low |