Sub-processors
This page lists every third party that processes personal data on our behalf. Each provider has a signed Data Processing Agreement (DPA). We commit to notifying tenants in advance of any change.
Last updated: April 26, 2026
Infrastructure & Hosting
| Provider | Purpose | Location | Policy |
|---|
| Railway | Hosting platform servers and databases | United States (default) / Europe | Link |
| Hetzner Online GmbH | VPS hosting for production environment (Finland / Germany regions) | Germany / Finland | Link |
| Backblaze B2 | Backup storage and uploaded media files | United States / Europe | Link |
| Cloudflare | CDN, DDoS protection, DNS | United States / Global | Link |
| Provider | Purpose | Location | Policy |
|---|
| Meta Platforms (WhatsApp Business Cloud API) | Sending and receiving WhatsApp business messages on behalf of tenants | Ireland / United States | Link |
| Twilio | Sending SMS messages and OTP codes | United States | Link |
| Resend | Transactional emails (booking confirmations, password resets) | United States | Link |
| Firebase Cloud Messaging (Google) | Push notifications to mobile/web apps | United States | Link |
Artificial Intelligence
| Provider | Purpose | Location | Policy |
|---|
| Anthropic (Claude API) | Powering AI agents — answering questions, lead screening, conversation management | United States | Link |
| OpenAI (Whisper) | Transcription of inbound voice messages (optional, with customer consent) | United States | Link |
Payments
| Provider | Purpose | Location | Policy |
|---|
| Stripe | SaaS subscription payment processing — we do not store card details | United States / Ireland | Link |
Analytics & Monitoring
| Provider | Purpose | Location | Policy |
|---|
| Sentry | Error monitoring and platform stability | United States | Link |
Notification of Changes
We commit to notifying registered tenants of any addition or replacement of a sub-processor at least 30 days in advance, via email to the account admin. You may object to a material change within 14 days by contacting dpo@kaufmanai.com; if we proceed with the provider, you may cancel the account without penalty.
Data Processing Agreements (DPA)
Every sub-processor on this list is bound by one of: (a) GDPR Art. 28-compliant DPA, (b) EU Standard Contractual Clauses for transfers outside the EEA, or (c) a valid adequacy framework (e.g. EU-US Data Privacy Framework). A copy of the DPA is available to ENTERPRISE plan customers on request.
Internal Sub-processors
In addition to the list above we may engage consultants, auditors, and legal counsel under privilege and confidentiality. These parties do not act as sub-processors under GDPR unless they handle personal data at meaningful scale.
Exercising Rights
For any request related to a sub-processor — including a detailed list of data flowing to a specific provider — see the DSAR form or contact dpo@kaufmanai.com.