HighFlowAI ("we," "us") uses a small number of third-party services ("subprocessors") to operate our platform, deliver client engagements, and run our marketing website. This page lists each one, what they do, where they're located, and what categories of data they may process. We maintain this list as part of our commitment to transparency with current and prospective clients, and with visitors to our website.
If you're a current or prospective client doing vendor diligence, this page is the canonical list. We'll update it when subprocessors are added, removed or replaced. Material changes are communicated to clients before they take effect — see Section 04.
01 What this list is
A "subprocessor" is any third-party service that may process personal data on our behalf in the course of delivering our platform or operating our website — including end-user conversations, client data, website visitor data, and operational logs. We are accountable to clients for the conduct of our subprocessors, and we hold each subprocessor to contractual obligations consistent with our own privacy and security commitments.
This list does not include:
- Services we use purely for internal operations (e.g., source code hosting, accounting tools, our domain registrar) that don't process client, end-user, or website-visitor personal data
- Third-party services that you connect to your own deployment (e.g., your own CRM, calendar, or marketing platform) — those remain under your control and contractual relationship with the vendor
- Open-source tools and libraries that run inside our own infrastructure
Some entries below are marked "Planned" — these are services we've evaluated and intend to engage when a relevant client deployment requires them. They are listed in advance so vendor diligence can be completed against the full prospective stack rather than re-opened later.
02 Current subprocessors
Infrastructure & hosting
- Netlify. Static site hosting and global CDN for our marketing website (highflowai.com). Region: Global edge network, US-based corporate entity. Data: visitor IP addresses in server logs, anonymous request metadata.
- Render. Application hosting for the backend services that power chatbot, voice agent and automation workflows. Engaged in the course of delivering client engagements. Region: United States. Data: end-user message content in transit, operational logs, application state.
- MongoDB Atlas. Managed database for application state in client engagements — conversation history, lead capture records, booking data, and operational metadata. Region: United States (default; regional options available per engagement). Data: end-user conversation transcripts, lead data, booking records.
- Cloudflare R2. Object storage for application assets, file uploads, and persisted media used in client engagements. Region: Global, with primary US region. Data: client-uploaded files, generated artifacts, end-user attachments where the engagement involves file handling.
AI & language models
- OpenAI. Large language model inference for chatbot and AI agent responses. Region: United States. Data: end-user message content during inference. We use API-tier access; OpenAI does not retain API content for training under their standard API terms.
- Anthropic. Alternative LLM provider used for engagements where Claude is the preferred model. Region: United States. Data: end-user message content during inference. Same retention posture as above under standard API terms.
- ElevenLabs (Planned). Voice synthesis for voice AI assistants. Reserved for future voice-enabled engagements; not currently active. Region: United States. Data, when engaged: text transcripts converted to synthesised speech.
Communications & telephony
- Twilio. SMS and voice telephony infrastructure for voice AI assistants, SMS automations, and our business phone number. Region: United States, with global carrier interconnects. Data: phone numbers, message content, call metadata, call audio in transit.
- Quo. Call routing for inbound calls to our published US business number, forwarding them to staff phone numbers internationally. Engaged whenever someone phones our US number. Region: United States with global routing. Data: caller phone numbers, call metadata, voice audio in transit.
- Vapi (Planned). Voice AI orchestration layer for voice agent engagements. Reserved for future voice-enabled engagements; not currently active. Region: United States. Data, when engaged: call transcripts, voice metadata, conversational state.
- Resend. Transactional email delivery — contact form notifications, automated replies, and operational system messages. Region: United States. Data: recipient email addresses, message content.
- Microsoft 365 (Exchange Online). Business email mailboxes for HighFlowAI staff addresses (info@, privacy@, dayaan@, etc.) provisioned via our domain registrar. Region: United States. Data: inbound and outbound email correspondence with clients, prospects, and anyone contacting our published addresses.
Sales & scheduling
- Formspree. Contact form submission handler for highflowai.com. Engaged when a visitor submits the contact form on our marketing site. Region: United States. Data: name, email, company, message content, marketing consent state.
- Calendly. Discovery call and meeting scheduling for prospects and clients booking time with our team. Region: United States. Data: name, email, scheduled meeting details, any information entered into booking form fields.
- Zoom. Video conferencing for discovery calls and client meetings, joined from Calendly bookings. Region: United States, with global infrastructure. Data: participant names, email addresses, and call audio/video for the duration of the meeting. Meetings are not recorded by default.
- DocuSign (Planned). Electronic signature platform for executing Master Service Agreements, Statements of Work, and other commercial contracts with clients. Reserved for upcoming client contracting; subscription not yet active. Region: United States, with EU data residency available. Data, when engaged: signer names, email addresses, IP addresses, signing timestamps, and contract document contents.
Analytics
- Google LLC (Google Analytics 4). Web analytics for our marketing website. Engaged on every page load unless the visitor has opted out via a Global Privacy Control (GPC) signal, in which case no data is sent. Region: United States. Data: pseudonymous visitor identifiers, page interactions, referring URLs, device and browser metadata, truncated IP addresses (IP anonymisation is enabled). Event-level data retention is configured at 14 months. We do not enable data sharing with Google's broader advertising products; the property is configured for measurement only.
Advertising & marketing measurement
- Meta Platforms, Inc. (Meta Pixel & Conversion API). Advertising attribution and conversion measurement for paid campaigns on Meta's platforms (Facebook, Instagram). Engaged on every page load unless the visitor has opted out via a Global Privacy Control (GPC) signal, in which case no data is sent. Region: United States. Data: hashed contact identifiers (email addresses are SHA-256 hashed before transmission), browser cookie identifiers, IP addresses, page interaction data, and conversion event data (such as contact form submissions). This sharing falls within the definition of "sharing for cross-context behavioral advertising" under the California Privacy Rights Act (CPRA) and similar state laws; visitors can opt out at any time via GPC or by submitting a request through our Do Not Sell or Share page.
Payments & billing
- Stripe. Payment processing for setup fees and subscription invoicing. Region: United States, with global regional infrastructure. Data: payment card details (handled directly by Stripe and never stored by us), billing contact details, transaction history.
Client-deployed integrations
In addition to the above, individual client deployments may involve integrations with platforms the client has chosen and owns the contractual relationship with — for example, HubSpot, GoHighLevel, Salesforce, Pipedrive, the client's own Calendly account, Google Workspace, or Microsoft 365. These remain under the client's account, configuration and control. The data flows are documented in each client's Statement of Work, and the third-party platform's own privacy terms govern the data once it's handed off to them. We are not a subprocessor of those platforms, and they are not subprocessors of ours.
03 How we evaluate subprocessors
Before engaging a new subprocessor, we evaluate:
- Security posture. Encryption in transit and at rest, access controls, incident response capability, and (where applicable) independent audit reports such as SOC 2 or ISO 27001.
- Privacy commitments. Contractual obligations regarding data minimisation, retention, deletion, and (where relevant) compatibility with the Australian Privacy Principles and applicable US state privacy laws.
- Data residency. Where the subprocessor stores and processes data, and whether that's appropriate for the engagement.
- Sub-subprocessors. The subprocessor's own use of further third parties, and whether they maintain transparency about those relationships.
- Operational fit. Reliability, performance, and the practical question of whether the service does what we need without unnecessary scope creep.
For AI model providers specifically, we require — at minimum — that API content not be used for model training, and that the provider's standard API terms reflect that. We do not use consumer-tier ChatGPT, Claude.ai, or equivalent products in any client-facing capacity.
For analytics and advertising subprocessors specifically, we require a viable consumer opt-out mechanism that we can honour at the technical level. Visitors who send a Global Privacy Control (GPC) signal are excluded from all data transmission to these subprocessors; no event, page-view, identifier or other data leaves the browser for these services when the GPC signal is detected.
04 Changes & notice
We may add, remove or replace subprocessors as our platform evolves. When we do:
- This page is updated within five (5) business days of the change taking effect, with the "Last updated" date amended at the top.
- Material changes — meaning new categories of subprocessor, or changes to data residency — are communicated to active clients in advance, by email, at least fifteen (15) days before the change takes effect, where reasonably practical.
- Objections. If a client objects to a new subprocessor on reasonable grounds, we will work with them to identify an alternative arrangement, or — if no alternative is workable — discuss termination options.
This commitment applies only to clients with an active engagement. For prospective clients reviewing this list during diligence, the current snapshot above is the basis for evaluation.
05 Contact us
Questions about a specific subprocessor, our diligence process, or how data flows through a particular engagement? Get in touch:
Trust contact
HighFlowAI LLC
Email: privacy@highflowai.com
General: info@highflowai.com
Phone: +1 (832) 924-7478
Mailing address:
HighFlowAI LLC
c/o Dayaan Abdur-Raheem
4212 San Felipe St, Unit #1069
Houston, TX 77027