Last updated: 17 October 2025
Role/Service: LLM inference & embeddings
Data Categories: Conversation text, prompts, retrieved context
Processing Location: US (optionally EU via Azure OpenAI if enabled)
Safeguards: SCCs/DPF; TLS; no training on API data (per provider terms)
DPA Link: https://openai.com/policies/data-processing-addendum/
Role/Service: Managed PostgreSQL, app hosting, backups
Data Categories: All Customer Data stored in the Service
Processing Location: EU or as contracted
Safeguards: Provider DPA; at-rest + in-transit encryption
DPA Link: https://www.digitalocean.com/legal/data-processing-agreement
Role/Service: Transactional emails
Data Categories: Admin/user names & emails; template variables
Processing Location: EU/US (provider-dependent)
Safeguards: Provider DPA; SCCs/DPF as applicable
DPA Link: https://resend.com/legal/dpa
Role/Service: Billing & payments
Data Categories: Billing contact, email, plan, invoice metadata (no full card data processed by Hay)
Processing Location: EU/US
Safeguards: Provider DPA; PSD2/PCI compliance; SCCs/DPF
DPA Link: https://stripe.com/en-pt/legal/dpa#download-the-dpa
Optional/Config-dependent (if enabled by Customer):
Redis Cloud/Cache, CDN (e.g., Cloudflare), and specific channel connectors (e.g., WhatsApp/Instagram via Meta). When Customer connects its own third-party systems directly (e.g., Zendesk, Shopify) and the data flows are client-managed, Customer remains solely responsible for those subprocessors.