Sub-Processor Disclosure

GDPR Article 28 Transparency - All Third-Party Service Providers

Last Updated: January 30, 2026 | Version 1.0

What is a Sub-Processor?

Under GDPR Article 28, Data Processors (like Voxanne AI) must obtain written authorization before engaging sub-processors to handle personal data. We believe in transparency - below is our complete list of all vendors who access or process your data.

Why we use sub-processors: We use specialized vendors to deliver the best AI receptionist experience - voice infrastructure, transcription, database storage, and analytics. We carefully vet each vendor for GDPR compliance, security certifications, and data protection practices.

30-Day Notice for Changes

GDPR Article 28(2) & 28(4) Requirement: We provide you with at least 30 days' advance notice before:

  • ✓ Adding a new sub-processor
  • ✓ Replacing an existing sub-processor
  • ✓ Changing sub-processor location or function

You have the right to object or terminate your agreement if you disagree with sub-processor changes.

Notifications are sent via email to the primary account contact. To update your contact preferences, email support@voxanne.ai.

Complete Sub-Processor List

1. Supabase

Database, Authentication, Real-time APIs

Data Processed

All customer data (contacts, appointments, call logs, knowledge base)

Location

US (Virginia) or EU (Ireland) - customer selectable

Purpose

Data storage, user authentication, real-time synchronization

Certifications

SOC 2 Type II, HIPAA BAA, GDPR DPA, CCPA

Data Retention

Until customer deletion or service termination

Data Transfer Safeguards

Standard Contractual Clauses (SCCs) for EU/UK customers

2. Vapi AI

Voice AI Infrastructure & Call Processing

Data Processed

Real-time voice audio, call transcripts, call metadata

Location

United States

Purpose

Inbound/outbound call handling, speech-to-text, voice AI processing

Certifications

HIPAA-eligible, SOC 2, GDPR-compliant

Data Retention

Call recordings (encrypted, 30-day retention), metadata (90 days)

Data Transfer Safeguards

Standard Contractual Clauses (SCCs)

3. Twilio

Telephony & SMS Gateway

Data Processed

Phone numbers, SMS messages, call metadata, call logs

Location

United States with EU redundancy

Purpose

Incoming/outgoing calls, SMS sending (confirmations, reminders, follow-ups)

Certifications

SOC 2 Type II, HIPAA BAA, ISO 27001, GDPR DPA, CCPA

Data Retention

Call logs (90 days), SMS (90 days), no content retention

Data Transfer Safeguards

Standard Contractual Clauses (SCCs)

4. Deepgram

Speech-to-Text (Transcription)

Data Processed

Audio streams (real-time only, not persisted)

Location

United States

Purpose

Convert voice audio to text transcripts in real-time

Certifications

SOC 2, GDPR-compliant, HIPAA-compatible

Data Retention

No persistent storage (processed in real-time, deleted immediately)

Data Transfer Safeguards

Standard Contractual Clauses (SCCs)

5. ElevenLabs

Text-to-Speech Synthesis

Data Processed

Text responses (no personal data stored)

Location

United States & European Union

Purpose

Generate voice responses for outbound calls

Certifications

SOC 2, GDPR DPA, HIPAA-compatible

Data Retention

No persistent storage (synthesized on-demand)

Data Transfer Safeguards

Standard Contractual Clauses (SCCs)

6. OpenAI

Large Language Model (GPT)

Data Processed

Call transcripts (with PII redacted), knowledge base queries

Location

United States

Purpose

Natural language processing, knowledge base retrieval, response generation

Certifications

Enterprise DPA, GDPR-compliant, SOC 2

Data Retention

Zero data retention (API default), no logs saved

Data Transfer Safeguards

Standard Contractual Clauses (SCCs)

7. Stripe

Payment Processing & Billing

Data Processed

Email addresses, billing information (no credit card data stored by us)

Location

United States with global redundancy

Purpose

Subscription processing, invoice generation, payment collection

Certifications

PCI DSS Level 1, SOC 2 Type II, GDPR DPA, HIPAA-compatible

Data Retention

As per PCI DSS requirements (typically 90 days)

Data Transfer Safeguards

Standard Contractual Clauses (SCCs)

8. Sentry

Error Tracking & Monitoring

Data Processed

Error logs (with PII redacted), application events, performance metrics

Location

United States & Europe (customer selectable)

Purpose

Error monitoring, performance tracking, security alerts

Certifications

SOC 2, GDPR DPA, HIPAA-compatible

Data Retention

30 days (customer-configurable)

Data Transfer Safeguards

Standard Contractual Clauses (SCCs)

9. Google Cloud AI

AI/ML Infrastructure, Knowledge Base Processing

Data Processed

Knowledge base documents, embeddings, search indexes

Location

United States & Multi-region (customer selectable)

Purpose

Knowledge base indexing, RAG pipeline processing, semantic search

Certifications

HIPAA BAA, ISO 27001, SOC 2 Type II, GDPR DPA

Data Retention

Duration of service

Data Transfer Safeguards

Standard Contractual Clauses (SCCs)

Data Residency Options

If your organization requires data to remain in specific geographic regions (e.g., EU-only), we offer the following options:

✓ EU-Region Database: Supabase EU (Ireland) instead of US

✓ EU-Region AI Infrastructure: Google Cloud EU (Frankfurt) for knowledge base processing

✓ EU-Region Backups: Database backups retained in EU region

Note: Some sub-processors (Vapi, Twilio, OpenAI) operate globally and cannot be restricted to EU region. Contact sales@voxanne.ai to discuss EU-only data residency requirements.

International Data Transfers

Many of our sub-processors are located in the United States, which is not an "adequate" jurisdiction under GDPR (as of 2024). Data transfers are protected by:

1. Standard Contractual Clauses (SCCs): EU/UK GDPR-approved transfer mechanism between Voxanne AI and all US-based sub-processors

2. UK International Data Transfer Agreement (IDTA): For UK-specific GDPR compliance

3. Encryption in Transit: All data encrypted with TLS 1.3 during transmission

4. Encryption at Rest: AES-256 encryption for stored data at sub-processors

5. Access Controls: Sub-processors implement role-based access control (RBAC) limiting who can access your data

All sub-processor agreements include Data Processing Agreements (DPAs) with GDPR-compliant terms. Copies available upon request.

Security & Compliance Standards

SOC 2 Type II

Most sub-processors hold SOC 2 Type II certification for security, availability, and confidentiality

HIPAA BAA

Sub-processors handling health data have signed HIPAA Business Associate Agreements

GDPR DPA

All sub-processors have signed Data Processing Agreements compliant with GDPR Article 28

Version History

Version 1.0 - January 30, 2026

Initial sub-processor disclosure. 9 sub-processors listed with GDPR Article 28 compliance details.

This page is updated whenever sub-processors change. Subscribe to security updates by contacting support@voxanne.ai.

Questions About Our Sub-Processors?

Our compliance team is available to discuss data protection, security certifications, and sub-processor agreements.