Sub-processors
Last updated: 2026-05-03
This document was generated and reviewed by multiple AI systems for accuracy. It is not a substitute for legal counsel. Customers requiring lawyer-attested legal documents should contact privacy@myemployees.ai for the formally-reviewed version (available on request).
This page lists the third-party Sub-processors AI Agency Group ("AI Agency") engages to provide the AI Employees platform. Each Sub-processor processes Personal Data on AI Agency's behalf under a written agreement that imposes data-protection obligations no less protective than those in our Data Processing Agreement.
We give Customers at least 30 days' prior notice before engaging a new Sub-processor. To receive notice, ensure your account admin email is current in Settings → Account. Customers may object to a new Sub-processor on data-protection grounds within the 30-day window — see DPA §4 for the objection process.
How to read this list
- Data residency — the country or region where the Sub-processor primarily stores customer data. Some providers offer EU regions on request; contact privacy@myemployees.ai to discuss.
- DPA status — Verified means the Sub-processor publishes a GDPR-compliant DPA we have reviewed. Pending verification means we have either not yet completed verification or the Sub-processor's DPA terms are under review; flagged Sub-processors are limited to non-EU customer deployments until verification is complete.
- Transfer mechanism — the lawful basis we rely on for transfers of EU/UK Personal Data outside the EEA / UK. DPF = EU-US Data Privacy Framework / UK Extension. SCCs = EU Standard Contractual Clauses. Most Sub-processors offer both; we rely on whichever is appropriate per service.
Active Sub-processors
| Sub-processor | Purpose | Data categories | Data residency | DPA | Transfer mechanism |
|---|---|---|---|---|---|
| Anthropic | Primary large-language-model provider for AI agent responses, classification, and content generation | Conversation content, agent prompts, ticket text, knowledge-base excerpts (via context window) | United States | Verified | DPF (self-certified) + SCCs |
| OpenAI | Embedding model (text-embedding-3-small) for retrieval-augmented generation; secondary LLM for cross-validation | Text snippets submitted for embedding; no conversation logs | United States | Verified | DPF (self-certified) + SCCs |
| Fly.io | API hosting (FastAPI), background workers, Redis cache and broker | All Personal Data flowing through the API in transit; cached session and rate-limit metadata at rest | United States (region-configurable) | Verified | SCCs |
| Supabase | Primary PostgreSQL database; knowledge-base file storage | All Customer Personal Data at rest, including audit logs and uploaded documents | United States (AWS us-east-1) | Verified | SCCs |
| Vercel | Frontend application hosting and edge delivery | No Personal Data at rest; auth tokens and request metadata in transit | United States (origin); global edge | Verified | DPF + SCCs |
| Postmark (ActiveCampaign) | Transactional email sending and inbound email webhook | Sender / recipient email addresses, subject, body, attachments | United States | Verified | SCCs |
| HubSpot | CRM integration (optional, customer-enabled) | Contact records: name, email, phone, company | United States and EU (Dublin) | Verified | DPF + SCCs |
| Salesforce | CRM integration (optional, customer-enabled) | Contact and account records | United States and EU | Verified | BCRs + SCCs |
| Stripe | Payment processing and subscription webhooks | Customer billing email, payment metadata (no card numbers) | United States and EU (Dublin) | Verified | DPF + SCCs |
| Square (Block, Inc.) | Payment processing webhook integration | Customer billing email, payment metadata (no card numbers) | United States | Verified | SCCs |
| GoHighLevel (GHL) | CRM integration (optional, customer-enabled) | Contact records: name, email, phone, custom fields, conversation history, opportunities | United States | Pending verification | Pending verification |
| Whop | Billing and subscription management for select customer cohorts | Customer email, subscription status, payment events (no card numbers) | United States | Pending verification | Pending verification |
| Vapi | Voice agent telephony provider (optional, customer-enabled) | Voice call audio, machine transcripts, caller phone metadata | United States | Pending verification | Pending verification |
| Sentry | Error monitoring and exception tracking | Stack frames, request breadcrumbs (may include incidental PII) | United States | Verified | DPF + SCCs |
| Google (Gmail API) | Email Agent inbound mailbox ingestion (optional, customer-enabled) | Sender / recipient email addresses, subject, body, attachments | United States | Verified | DPF + SCCs |
| ElevenLabs | Text-to-speech voice provider (default in voice agent pipeline) | Agent reply text (no end-user identifiers); synthesized audio | United States | Verified | SCCs |
Notes on "Pending verification" status
We are actively engaging the legal teams at GoHighLevel, Whop, and Vapi to confirm their DPA availability and transfer-mechanism status. Until verification is complete:
- AI Agency will continue to use these Sub-processors for non-EU customer deployments under contractual confidentiality, security, and breach-notification commitments.
- AI Agency will not route EU/UK end-user Personal Data to these Sub-processors without further written instructions from the Customer.
- Customers can disable any of these integrations at any time under Settings → Integrations.
We will update this page as soon as DPAs are confirmed.
Infrastructure-level processors
The following processors are used by AI Agency or our Sub-processors at the infrastructure layer and do not receive Customer Personal Data in any application context distinct from those above:
- Amazon Web Services (AWS) — underlying cloud infrastructure for Supabase databases. Data residency: US (AWS us-east-1). DPA: Verified. Transfer mechanism: SCCs.
- Cloudflare — edge DNS / CDN for select assets. Data residency: Global edge. DPA: Verified. Transfer mechanism: DPF + SCCs.
Adding a new Sub-processor
When AI Agency engages a new Sub-processor, we will:
- update this page;
- notify active customer admins by email at least 30 days in advance;
- accept reasonable, data-protection-grounds objections per the DPA §4.
If you would like to subscribe to Sub-processor change notifications outside of the customer-admin email, contact privacy@myemployees.ai.
Contact
Questions about this list, or to request DPAs from AI Agency or any of our Sub-processors, email privacy@myemployees.ai.