Last updated: 3 December 2025

Role/Service: LLM inference & embeddings
Data Categories: Conversation text, prompts, retrieved context
Processing Location: US (optionally EU via Azure OpenAI if enabled)
Safeguards: SCCs/DPF; TLS; no training on API data (per provider terms)
DPA Link: https://openai.com/policies/data-processing-addendum/

Role/Service: Managed PostgreSQL, app hosting, backups
Data Categories: All Customer Data stored in the Service
Processing Location: EU or as contracted
Safeguards: Provider DPA; at-rest + in-transit encryption
DPA Link: https://www.digitalocean.com/legal/data-processing-agreement

Role/Service: Transactional emails
Data Categories: Admin/user names & emails; template variables
Processing Location: EU/US (provider-dependent)
Safeguards: Provider DPA; SCCs/DPF as applicable
DPA Link: https://resend.com/legal/dpa

Role/Service: Billing & payments
Data Categories: Billing contact, email, plan, invoice metadata (no full card data processed by Hay)
Processing Location: EU/US
Safeguards: Provider DPA; PSD2/PCI compliance; SCCs/DPF
DPA Link: https://stripe.com/en-pt/legal/dpa#download-the-dpa

Role/Service: CRM (Customer Relationship Management)
Data Categories: Customer contacts, company information, interaction records
Processing Location: Google Cloud Platform (UK/EU regions)
Safeguards: ISO 27001 certified; GDPR/CCPA compliant; TLS 1.2+; encrypted backups
DPA Link: https://attio.com/legal/terms-and-conditions

Role/Service: Product analytics & feature flags
Data Categories: Usage data, feature flags, session recordings, analytics events
Processing Location: AWS EU (Germany) or US (customer choice)
Safeguards: GDPR/UK GDPR compliant; SCCs for international transfers; SOC 2 Type II
DPA Link: https://posthog.com/dpa

When Customer connects its own third-party systems directly (e.g., Zendesk, Shopify) and the data flows are client-managed, Customer remains solely responsible for those subprocessors.