Skip to main content
Back to Home

Last Updated: November 5, 2025

Sub-processors

Effective Date: November 5, 2025

Overview

As outlined in our Data Processing Agreement, we maintain transparency about which third-party service providers have access to client data.

Each sub-processor listed below has been carefully vetted to ensure they meet our security and privacy standards. All sub-processors are bound by written agreements that impose data protection obligations substantially similar to those in our Data Processing Agreement.

We update this page whenever we add, change, or remove a sub-processor. Clients can subscribe to notifications about changes to this list (see "Change Notifications" section below).

Current Sub-processors

The following table lists all 16 third-party service providers currently authorized to process client data as of the last updated date shown above.

Vercel

Visit Website →

Purpose

Website hosting and content delivery

Location

United States, with global CDN nodes

Data Processed

  • Website visitor data
  • IP addresses
  • Browser information
  • Page view data

Security Safeguards

Vercel complies with SOC 2 Type II, GDPR. Data transfer mechanisms: Standard Contractual Clauses (SCCs).

Google Cloud Platform (GCP)

Visit Website →

Purpose

AI/ML services, analytics, and auxiliary hosting

Location

United States, European Union

Data Processed

  • AI model training and inference data
  • Analytics data
  • Logs and metrics

Security Safeguards

Google Cloud complies with SOC 2 Type II, ISO 27001, GDPR. Data transfer mechanisms: Standard Contractual Clauses (SCCs), Google Cloud Data Processing Amendment.

OpenAI

Visit Website →

Purpose

AI language model services

Location

United States

Data Processed

  • Text inputs sent to AI models
  • AI-generated responses
  • Usage metadata

Security Safeguards

OpenAI complies with SOC 2 Type II. Data is not used for model training unless explicitly opted-in. Data transfer mechanisms: Standard Contractual Clauses (SCCs), OpenAI Data Processing Agreement.

Anthropic

Visit Website →

Purpose

AI language model services

Location

United States

Data Processed

  • Text inputs sent to AI models
  • AI-generated responses
  • Usage metadata

Security Safeguards

Anthropic complies with SOC 2 Type II. Data is not used for model training. Data transfer mechanisms: Standard Contractual Clauses (SCCs), Anthropic Data Processing Agreement.

Perplexity

Visit Website →

Purpose

AI-powered search and information retrieval

Location

United States

Data Processed

  • Search queries
  • AI-generated summaries
  • Usage metadata
  • Source citations and references

Security Safeguards

Perplexity complies with SOC 2 Type II. Data transfer mechanisms: Standard Contractual Clauses (SCCs), Perplexity Data Processing Agreement.

n8n

Visit Website →

Purpose

Workflow automation and integration platform

Location

European Union, United States

Data Processed

  • Workflow execution data
  • API credentials (encrypted)
  • Integration metadata
  • Automation logs

Security Safeguards

n8n offers self-hosted and cloud options. Cloud deployments comply with GDPR. Data transfer mechanisms: Standard Contractual Clauses (SCCs) for cross-border transfers.

Hostinger

Visit Website →

Purpose

Web hosting and domain services

Location

European Union, United States

Data Processed

  • Website files and databases
  • Email communications
  • Domain registration information
  • Server logs

Security Safeguards

Hostinger complies with GDPR, ISO 27001. Data transfer mechanisms: Standard Contractual Clauses (SCCs), Hostinger Data Processing Agreement.

Supabase

Visit Website →

Purpose

Database and authentication services

Location

United States, European Union (configurable)

Data Processed

  • User authentication data
  • Application database records
  • User session information

Security Safeguards

Supabase complies with SOC 2 Type II, GDPR. Data transfer mechanisms: Standard Contractual Clauses (SCCs), Supabase Data Processing Agreement.

Resend

Visit Website →

Purpose

Transactional email delivery

Location

United States

Data Processed

  • Email addresses
  • Email content
  • Delivery metadata

Security Safeguards

Resend complies with GDPR. Data transfer mechanisms: Standard Contractual Clauses (SCCs).

Stripe

Visit Website →

Purpose

Payment processing

Location

United States, European Union

Data Processed

  • Payment card information (tokenized)
  • Billing addresses
  • Transaction records
  • Customer payment profiles

Security Safeguards

Stripe is PCI DSS Level 1 certified, complies with SOC 2 Type II, ISO 27001, GDPR. Data transfer mechanisms: Standard Contractual Clauses (SCCs), Stripe Data Processing Agreement.

Google Analytics

Visit Website →

Purpose

Website analytics and user behavior tracking

Location

United States

Data Processed

  • Website visitor data
  • IP addresses (anonymized)
  • Device and browser information
  • Page views and interactions

Security Safeguards

Google Analytics complies with GDPR. IP anonymization enabled. Data transfer mechanisms: Standard Contractual Clauses (SCCs), Google Ads Data Processing Terms.

GitHub

Visit Website →

Purpose

Code repository and version control

Location

United States

Data Processed

  • Source code repositories
  • Code commits and history
  • Issue tracking data
  • Collaboration metadata

Security Safeguards

GitHub complies with SOC 2 Type II, ISO 27001. Data transfer mechanisms: Standard Contractual Clauses (SCCs), GitHub Data Protection Agreement.

Twilio

Visit Website →

Purpose

SMS and voice communication services

Location

United States

Data Processed

  • Phone numbers
  • SMS message content
  • Delivery status metadata
  • Communication logs

Security Safeguards

Twilio complies with SOC 2 Type II, ISO 27001, GDPR. Data transfer mechanisms: Standard Contractual Clauses (SCCs), Twilio Data Protection Addendum.

Daily.co

Visit Website →

Purpose

Video calling and conferencing infrastructure

Location

United States

Data Processed

  • Video and audio streams
  • Participant metadata
  • Session logs
  • Connection quality data

Security Safeguards

Daily.co complies with SOC 2 Type II, GDPR, HIPAA (with BAA). Data transfer mechanisms: Standard Contractual Clauses (SCCs).

Google Gemini

Visit Website →

Purpose

AI language model services

Location

United States

Data Processed

  • Text inputs sent to AI models
  • AI-generated responses
  • Usage metadata

Security Safeguards

Google Gemini complies with SOC 2 Type II, ISO 27001, GDPR. Data is governed by Google Cloud Data Processing Agreement. Data transfer mechanisms: Standard Contractual Clauses (SCCs).

Amazon Web Services (Bedrock)

Visit Website →

Purpose

AI model hosting and inference for client automation builds

Location

United States, with configurable regions

Data Processed

  • Text inputs sent to AI models
  • AI-generated responses
  • Model configuration metadata
  • Usage and billing data

Security Safeguards

AWS complies with SOC 2 Type II, ISO 27001, GDPR, HIPAA (with BAA). Data transfer mechanisms: Standard Contractual Clauses (SCCs), AWS Data Processing Agreement.

Need More Information?

We can provide additional documentation about any sub-processor upon request, including:

  • Copies of Data Processing Agreements
  • Security certification documents (SOC 2, ISO 27001, etc.)
  • Details about data transfer mechanisms
  • Information about data retention and deletion practices

Contact us at support@xavarro.com to request additional information.

Change Notifications

We understand the importance of keeping our clients informed about changes to our sub-processor list. In accordance with our Data Processing Agreement, we commit to the following notification process:

30-Day Advance Notice

We will provide at least 30 days' advance written notice before:

  • Adding a new sub-processor
  • Changing an existing sub-processor's role or access to data
  • Replacing one sub-processor with another

Notice will be sent via email to the primary contact listed in your account and will be posted on this page.

How to Subscribe to Updates

To ensure you receive timely notifications about sub-processor changes:

  1. Email Notifications: Ensure your contact information is up to date in your account settings
  2. RSS Feed: Subscribe to our legal updates feed at /legal/feed.xml
  3. Webhook: Enterprise clients can configure webhook notifications for automatic updates

What's Included in Notifications

Each notification will include:

  • The name of the new or changed sub-processor
  • The sub-processor's purpose and the categories of data they will process
  • The sub-processor's location and applicable data protection safeguards
  • The effective date of the change
  • Instructions on how to object to the change (see below)

Change History

Recent Updates

November 11, 2025

Added: Perplexity, n8n, Bolt, Replit, Hostinger

October 1, 2025

Initial publication of sub-processors list

Right to Object

Clients have the right to object to the use of a new or replacement sub-processor on reasonable grounds relating to data protection.

How to Object

If you wish to object to a new or changed sub-processor:

  1. Submit Your Objection: Send a written objection to support@xavarro.com within 14 days of receiving the notification
  2. Include Details: Your objection should include:
    • Your account information
    • The specific sub-processor you're objecting to
    • The reasonable grounds for your objection relating to data protection
    • Any alternative solutions you would find acceptable
  3. Response Timeline: We will respond to your objection within 7 business days

Resolution Process

Upon receiving a valid objection, we will work with you to find a mutually acceptable solution, which may include:

  • Using an alternative sub-processor that meets your requirements
  • Implementing additional safeguards to address your concerns
  • Adjusting the scope of data shared with the sub-processor
  • If no mutually acceptable solution can be found, either party may terminate the affected services upon 30 days' written notice without penalty

Emergency Changes

In rare cases where immediate changes are necessary (such as security incidents or service interruptions), we may implement sub-processor changes with less than 30 days' notice. In such cases:

  • We will notify you as soon as reasonably possible
  • We will explain the reason for the emergency change
  • We will still honor your right to object and work toward a resolution
  • The change will be temporary until we can implement a permanent solution with proper notice

Questions About Our Sub-processors?

If you have questions about our sub-processors, their security measures, or data processing activities, please contact us:

Email: support@xavarro.com

Address: 2 East John St., Cookstown ON L0L 1L0

We're happy to provide additional documentation about our sub-processors' security measures, certifications, and data processing agreements upon request.

Questions?

If you have any questions about this document, please contact us:

Email: support@xavarro.com

Address: 2 East John St., Cookstown ON L0L 1L0