Aegix Platform — Safety and Incident Management
Last Updated: April 30, 2026
1. Introduction
Purpose of This Document
This Subprocessor List discloses all third-party subprocessors that may process Customer Data on behalf of Aegix Global, LLC in the delivery of the Aegix platform (Aegix One, Aegix AIM, and Aegix SMS) to K-12 school districts and charter networks, colleges and universities, federal / state / local / tribal / military government agencies, healthcare organizations, corporate campuses, religious institutions, summer camps, sports and entertainment venues, and other site-operating organizations.
Disclosure framework. This list is published as a matter of transparent practice for all Authorized Customers, and is also the disclosure mechanism Aegix uses to satisfy:
Student Data Privacy Consortium (SDPC) v3.0 Data Privacy Agreements (for K-12 Authorized Customers)
State student-data-privacy laws (including NY Education Law § 2-d Part 121.3, IL SOPPA, NJ SOPA, NH RSA 189) — for K-12 Authorized Customers
16-state K-12 SDPC v3 Data Privacy Agreements (MA, ME, CO, IL, IA, MO, NE, NH, NJ, NY, OH, RI, TN, VT, VA, WA)
Business Associate Agreements (for healthcare Authorized Customers under executed BAAs)
FedRAMP-environment subprocessor disclosures (for government Authorized Customers)
General CPRA / VCDPA / CPA / CTDPA / TDPSA / OCPA "categories of third parties to whom we disclose personal information" obligations applicable to all Authorized Customers regardless of sector
Advance-notice commitments. Aegix Global, LLC maintains this list as subprocessor relationships change and provides:
At least 30 days' advance notice to K-12 Authorized Customers before engaging any new subprocessor that will process Student Data, consistent with SDPC v3 Article III and NY Education Law § 2-d Part 121.3
Reasonable advance notice to healthcare Authorized Customers under executed BAAs before engaging any new subprocessor that will process PHI
Reasonable advance notice to government Authorized Customers per the executed contract
Public revision history at the bottom of this document for all Authorized Customers
Aegix Global, LLC Headquarters
94 Lone Hollow Dr., Sandy, UT 84092
2. Authorized Subprocessors
The following table lists all authorized subprocessors with access to Customer Data. Where a subprocessor processes data only for certain Authorized Customer sectors (e.g., a subprocessor that handles K-12 Student Data but not government or healthcare data), the scope is noted in the row.
| Subprocessor Name | Purpose/Service Provided | Data Processed | Data Location | Security Measures | DPA/Contract Status |
| Amazon Web Services (AWS) | Primary cloud infrastructure (compute, storage, database, networking, security services) | All application data including student PII (encrypted) | United States (AWS regions: us-east-1, us-west-2) | SOC 2 Type II, ISO 27001, FedRAMP Authorized, NIST SP 800-53 Compliant, AES-256 encryption at rest and in transit | AWS Data Processing Addendum (DPA); AWS Business Associate Agreement |
| Google Cloud Platform (GCP) | Outdoor mapping services and push notification delivery | Location data (school/facility coordinates, not student-specific), push notification tokens | United States | SOC 2 Type II, ISO 27001, COPPA compliant, Google Workspace DPA | GCP Data Processing Terms and Conditions |
| Sentry | Application error monitoring and performance tracking | Error logs, stack traces, application performance metrics (PII scrubbing enabled—no student data collected) | United States | SOC 2 Type II, encrypted at rest and in transit, PII filtering by design | Sentry Data Processing Agreement |
| Cloud Management Platform | Cloud infrastructure management, compliance automation, deployment orchestration | Infrastructure configuration, deployment metadata (no direct student data access) | United States | SOC 2 Type II, operates within AWS security boundary, audited annually | Service Agreement with Data Processing Terms |
| Apple Push Notification Service (APNs) | Push notification delivery to iOS devices | Device tokens, notification content (no student PII in notifications by design) | United States | Apple platform security, TLS 1.2+ encryption in transit, limited data retention | Apple Developer Agreement and Program Licensing Agreement |
| Google Firebase Cloud Messaging (FCM) | Push notification delivery to Android devices | Device tokens, notification content (no student PII in notifications by design) | United States | Google Cloud security, TLS encryption in transit, Firebase DPA | Firebase Terms of Service + GCP Data Processing Terms |
| MapsIndoors | Indoor positioning and floorplan queries tied to user identity during active alerts only | Floorplan queries (building / floor / room identifiers), alert-context user identity (Restricted-Student-Record-PII when tied to student) | United States / EU (per deployment region) | SOC 2 Type II, TLS 1.2+ in transit, data-residency configurable, signed MapsIndoors DPA | MapsIndoors Data Processing Agreement — 30-day LEA advance-notice clock triggered 2026-04-22 per SDPC v3 Article III + NY EdLaw § 2-d Part 121.3 (retroactive disclosure; MapsIndoors was live before the initial list was published). |
| RapidSOS | Digital 911 Routing — forwards Aegix alerts to the appropriate Public Safety Answering Point (PSAP) or Emergency Communications Center via the certified NG911 dispatch network | Today: organization's published site address, organization's main phone number, alert type, timestamp (functionally equivalent to ALI/ANI from a 911 call placed from the organization's published landline; no individual device location, reporter identifier, or student PII is forwarded today). Planned: reporter's device location at the moment of alert, subject to the user-level Location Services control and a per-organization Location Sharing control. Processing occurs only for organizations that have opted in via the digital_911_enabled configuration. | United States | SOC 2 Type II, TLS 1.2+ in transit, certified NG911 / i3 standards–compliant ingestion, signed RapidSOS DPA | RapidSOS Data Processing Agreement — per-organization opt-in: enabled at the organization's discretion; not all organizations participate. Listed 2026-04-30 (retroactive disclosure of an active integration). Today's data flow does not process Student Data, so SDPC v3 Article III and NY EdLaw § 2-d Part 121.3 are not technically triggered by the current scope; the 30-day LEA advance-notice clock will be triggered before any planned expansion adds reporter device location, reporter identifier, or other Student Data to the forwarded payload. |
3. Data Minimization
Aegix Global limits subprocessor access to the minimum student data necessary to deliver the Aegix platform:
PII Scrubbing: Error monitoring tools (Sentry) have PII scrubbing enabled to prevent student data from being transmitted.
Push Notifications: Notification content is designed to exclude student PII. Device tokens are minimized to necessary identifiers only.
Mapping Services: Location data shared with GCP is limited to school/facility coordinates and does not include student-specific location tracking.
Digital 911 Routing: In current releases, the data shared with RapidSOS is limited to the organization's published site address, the organization's main phone number, the alert type, and a timestamp — functionally equivalent to ALI/ANI data from a 911 call placed from the organization's published landline. No individual device location, reporter identifier, or student PII is shared today. Routing occurs only for organizations that have opted in via the digital_911_enabled configuration. No ongoing location stream is sent. Planned expansions to include the reporter's device location are documented in the Privacy Policy and the End User License Agreement, and will be subject to user-level controls before they ship.
Database Access: Only authorized Aegix personnel access the PostgreSQL database containing student data; subprocessors access only as required by their contracted services.
Infrastructure Management: Cloud management platform receives only configuration metadata; it does not directly access encrypted student data.
4. Subprocessor Management and Oversight
Security Assessment
All new subprocessors undergo security assessment before onboarding.
Aegix evaluates subprocessor SOC 2 Type II reports, ISO 27001 certification, and compliance with applicable data protection standards.
Contractual Requirements
All subprocessors sign Data Processing Agreements (DPAs) or equivalent terms requiring compliance with FERPA, state privacy laws, and student data protection standards.
Contracts specify appropriate security controls, data minimization, confidentiality obligations, and audit rights.
Annual Review
Aegix Global conducts annual reviews of all subprocessor relationships.
Subprocessors are assessed for continued alignment with Aegix security and compliance standards.
Audit Rights
Aegix Global and LEAs maintain the right to audit subprocessor practices related to student data security and compliance.
Subprocessors must cooperate with security assessments, audits, and investigations.
5. Supply Chain Risk Management Framework (NIST SR Family)
Aegix Global implements a comprehensive supply chain risk management program aligned with NIST SP 800-53 Rev 5 Supply Chain Risk Management (SR) controls. Given that the Aegix platform processes student PII under FERPA and COPPA, supply chain security is critical to maintaining the integrity of the data protection chain.
5.1 Supply Chain Controls and Processes (SR-3)
Aegix Global establishes and maintains supply chain controls to ensure that third-party components, services, and providers do not introduce unacceptable risk to the organization or to student data:
Approved Supplier Registry: Only subprocessors listed in Section 2 are authorized to process student data. The CPTO maintains the approved supplier registry and reviews it semi-annually.
Secure Development Supply Chain: All third-party code dependencies are monitored through GitHub Dependabot for known vulnerabilities. New dependencies require review and approval before adoption. Software Bill of Materials (SBOM) is maintained for all production components.
Infrastructure Supply Chain: AWS provides the foundation infrastructure under the AWS Shared Responsibility Model. DuploCloud (cloud management platform) manages infrastructure configuration and provides compliance automation. Both vendors maintain SOC 2 Type II and ISO 27001 certifications.
Data Flow Controls: Student data flows are mapped and documented for each subprocessor. Data minimization is enforced at each handoff point (PII scrubbing for error monitoring, no PII in push notifications, location data limited to facility coordinates).
Contractual Controls: All subprocessors are bound by Data Processing Agreements (DPAs) that include: data use limitations, security control requirements, breach notification obligations (within 24 hours), audit rights, data return/destruction upon termination, and prohibition on secondary use of student data.
5.2 Supplier Assessment and Monitoring (SR-5, SR-6)
Aegix Global conducts structured assessments of all subprocessors to verify security posture and ongoing compliance:
Pre-Engagement Assessment
Security Questionnaire: New subprocessor candidates complete a security assessment questionnaire covering: data encryption practices, access control mechanisms, incident response capabilities, employee background checks, and compliance certifications.
Compliance Verification: Aegix verifies the following for each subprocessor before engagement: SOC 2 Type II report (current year), ISO 27001 certification (if applicable), data processing agreement execution, privacy policy review, and documented security incident history.
Student Data Risk Assessment: For any subprocessor that will access student data, a student data-specific risk assessment evaluates: necessity of data access (data minimization), encryption in transit and at rest, jurisdictional data residency, FERPA and COPPA compliance capabilities, and breach notification procedures.
Scoring and Approval: Each subprocessor receives a risk score (Low, Medium, High, Critical) based on: volume and sensitivity of data accessed, criticality to platform operations, security posture assessment results, and compliance certification status. Subprocessors scoring High or Critical require CPTO approval with a documented risk mitigation plan.
Ongoing Monitoring
Annual Reassessment: All subprocessors undergo annual security reassessment. The CPTO reviews updated SOC 2 reports, security questionnaire responses, and any incidents or changes in the subprocessor’s security posture.
Continuous Monitoring: GitHub Dependabot and GitHub security advisories provide continuous monitoring of open-source supply chain components. AWS Security Hub monitors infrastructure-level supply chain risks.
Incident Monitoring: Aegix monitors public breach disclosure databases and vendor security advisories for any security events affecting subprocessors. Confirmed incidents trigger immediate reassessment and potential suspension of data sharing.
Performance Review: Subprocessor performance against SLA commitments (uptime, response time, support responsiveness) is reviewed quarterly. Persistent underperformance triggers vendor replacement evaluation.
5.3 Supply Chain Incident Response
If a supply chain security incident is identified (subprocessor breach, compromised dependency, or infrastructure vulnerability):
Immediate Response: Isolate affected data flows, disable compromised integrations, and notify the CPTO within 1 hour of discovery.
Impact Assessment: Determine whether student data was exposed. If student data may be affected, initiate the Security Incident Response Plan and LEA notification procedures per DPA requirements.
Vendor Communication: Engage the subprocessor’s security team to obtain incident details, scope, root cause, and remediation timeline.
Remediation Verification: Before restoring data flows to an affected subprocessor, verify that the root cause has been addressed, compensating controls are in place, and the subprocessor’s security posture has been re-validated.
Documentation: All supply chain incidents are documented with: timeline, impact assessment, vendor response, remediation actions, and lessons learned. Documentation is retained for audit purposes.
6. Change Notification and LEA Rights
Advance Notice
Aegix Global provides at least 30 days' advance written notice before engaging any new subprocessor that will process student data.
Notice is sent to the designated LEA privacy contact or compliance officer via email.
Content of Notice
Subprocessor name and location
Type of data the subprocessor will access
Purpose of the subprocessor relationship
Security measures and data protection standards
LEA Objection Rights
LEAs may object to new subprocessors per Data Privacy Agreement terms.
Objections must be submitted in writing within 15 days of notice.
Aegix Global will work with LEAs to resolve legitimate concerns or provide alternative solutions.
Emergency Subprocessor Changes
In the event of a security incident or emergency, Aegix Global may engage a new subprocessor with retrospective notification.
LEAs will be notified immediately of the reason, scope, and security measures implemented.
7. Regulatory Compliance
FERPA (Family Educational Rights and Privacy Act)
All subprocessors operate under Aegix Global's school official designation and maintain confidentiality obligations consistent with FERPA requirements.
COPPA (Children's Online Privacy Protection Act)
All subprocessors comply with COPPA requirements for children under 13, including parental consent, data minimization, and limited retention.
NY Education Law § 2-d
This Subprocessor List complies with New York Education Law § 2-d disclosure requirements under 8 NYCRR Part 121. All subprocessors disclosed herein are aligned with the Commissioner's Regulations on Student Data Privacy and Protection.
NIST SP 800-53 Rev 5
Aegix Global and its subprocessors maintain security controls consistent with NIST SP 800-53 Rev 5 standards, including:
SA-9: External System Services (third-party oversight and risk management)
SR-1: Supply Chain Risk Management Policy and Procedures; SR-2: Supply Chain Risk Management Plan; SR-3: Supply Chain Controls and Processes; SR-5: Acquisition Strategies, Tools, and Methods; SR-6: Supplier Assessments and Reviews
Encryption standards, access controls, and audit capabilities
SOC 2 CC9.2 (Third-Party Risk Management)
Aegix Global manages subprocessor relationships according to SOC 2 Control CC9.2, which requires vendor risk assessment, contracting, ongoing monitoring, and incident response.
8. Document Control and Updates
Document Metadata
Last Updated: April 30, 2026
Next Review: October 30, 2026 (semi-annual review cycle)
Document Owner: Chief Product & Technology Officer, Aegix Global, LLC
Classification: Confidential
Version History
| Version | Date | Changes |
| 1.0 | April 2, 2026 | Initial document. Included AWS, GCP, Sentry, Cloud Management Platform, APNs, and Firebase as authorized subprocessors. |
| 1.1 | April 22, 2026 | Added MapsIndoors (indoor positioning during active alerts). 30-day LEA advance-notice clock triggered per SDPC v3 Article III + NY EdLaw § 2-d Part 121.3. Retroactive disclosure: the service was live but omitted from the initial list; this revision corrects the omission. |
| 1.2 | April 30, 2026 | Added RapidSOS (Digital 911 Routing for organizations that have opted in via digital_911_enabled). Today's data scope is the organization's published site address, main phone number, alert type, and timestamp — functionally equivalent to ALI/ANI from the organization's published landline; no individual device location, reporter identifier, or Student Data is forwarded today. Retroactive disclosure of an active integration. Today's scope does not process Student Data, so SDPC v3 Article III and NY EdLaw § 2-d Part 121.3 are not technically triggered by current scope; the 30-day LEA advance-notice clock will be triggered before any planned expansion adds reporter device location, reporter identifier, or other Student Data to the forwarded payload. |
For questions regarding this Subprocessor List, contact:
Aegix Global, LLC
Chief Product & Technology Officer
94 Lone Hollow Dr.
Salt Lake City, UT 84101
Email: compliance@aegixglobal.com
© 2026 Aegix Global, LLC. All rights reserved. This document is confidential and intended for authorized recipients only.
Appendix: Vendor Compliance Documentation References
The following vendor documentation provides supporting evidence for the compliance claims and technical controls referenced in this document. These resources should be reviewed periodically to ensure alignment with current vendor certifications and capabilities.
Amazon Web Services (AWS)
AWS Compliance Programs: https://aws.amazon.com/compliance/programs/
AWS SOC Reports FAQ: https://aws.amazon.com/compliance/soc-faqs/
AWS ISO 27001 FAQ: https://aws.amazon.com/compliance/iso-27001-faqs/
AWS FERPA Compliance: https://aws.amazon.com/compliance/ferpa/
AWS Artifact: https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-artifact.html
Cloud Management Platform (DuploCloud)
DuploCloud Security and Compliance: https://docs.duplocloud.com/docs/automation-platform/security-and-compliance
DuploCloud SOC 2 Compliance: https://duplocloud.com/solutions/security-and-compliance/soc-2/
DuploCloud Compliance Automation: https://duplocloud.com/platform/compliance/
Note: AWS compliance reports (SOC 2 Type II, ISO 27001) are available for download through AWS Artifact in the AWS Management Console. Contact the CPTO for access credentials.