Skip to main content
Sign in
Updated: May 9, 20263 min read6 sections

Sub-processors

The trusted third-party vendors that process customer data on our behalf, each under a Data Processing Agreement.

1. Overview

A sub-processor is a third-party vendor we engage to help operate the platform: cloud infrastructure, payment processing, telephony, observability. Every sub-processor below is bound by a Data Processing Agreement (DPA) and operates under terms at least as protective as those in our Privacy Policy.

2. Current Sub-processors

Infrastructure

  • Amazon Web Services (AWS)US

    Cloud infrastructure, hosting, and primary data storage

    View DPA

Payments

  • StripeUS

    Payment processing (PCI-DSS Level 1 certified)

    View DPA

Communications

  • TwilioUS

    Voice telephony, SMS messaging, and call routing (carrier vendor for the A2P 10DLC programme)

    View DPA

Email

  • ResendUS

    Transactional email delivery

    View DPA

  • SendGrid (Twilio)US

    Marketing email delivery and template rendering

    View DPA

Observability

  • SentryUS

    Error monitoring and performance tracing (no PII; session replays masked)

    View DPA

Security

  • Google reCAPTCHA EnterpriseUS

    Bot protection and abuse prevention on public forms

    View DPA

ai

  • AnthropicUS

    Large language model inference (Claude) for AI agents (Sales, Scheduling, Quality, Support, Analytics, Follow-up), conversation AI, and content generation. Customer data shared: agent prompts, chat history, job descriptions, conversation context.

    View DPA

  • OpenAIUS

    Voice synthesis (TTS) and the Realtime voice bridge for the AI Voice Receptionist. Customer data shared: voice transcripts, prompt context, conversation turns; speech samples processed for synthesis only.

    View DPA

3. Data Shared With Sub-processors

Each sub-processor receives only the minimum data necessary for its role:

  • AWS: all customer data at rest and in flight, encrypted; data residency US.
  • Stripe: billing-side data only — name, email, card token, invoice metadata.
  • Twilio: SMS recipient phone numbers, message bodies (transactional + promotional), and voice call audio for AI processing.
  • Resend / SendGrid: email recipient address, subject, body, attachments.
  • Sentry: error stack traces and performance traces; PII is scrubbed by our SDK before transmission.
  • Google reCAPTCHA Enterprise: the form-submitter's IP and a behavioral signal; no business data shared.

4. Adding or Removing Sub-processors

We update this page whenever a sub-processor is added or removed. Material changes are announced via in-app notification and email at least 30 days before the change takes effect, allowing time for object-and-terminate clauses in our DPA to be exercised.

5. Right to Object

Customers on contracted DPA terms may object to the engagement of a new sub-processor on reasonable data-protection grounds within 30 days of notification. If the objection cannot be resolved, the customer may terminate the affected portion of their subscription on a pro-rated basis.

6. Contact

DPA / sub-processor questions: privacy@exoserva.com.