Skip to main content
SmartAlex engages a small number of vetted third parties, called sub-processors, to help deliver the platform, websites, applications and APIs. This page is an evaluator-facing summary. It groups those sub-processors by function so your data-protection team can see, at a glance, what each category does, what data it touches, and where it operates.
The authoritative list lives here. For the current, itemised list of named sub-processors, which we are legally required to publish and keep up to date, see the full document at getsmartalex.com/legal/smartalex-subprocessor-list. That published document is the authoritative version and prevails over this summary. Where it and our Data Processing Addendum differ, the Data Processing Addendum prevails.
This summary reflects Sub-processor List version 1.1, effective 1 June 2026. Categories and regions can change as the platform evolves. Always check the authoritative list for the live position.

Why we publish this

We publish sub-processor transparency so that a customer, and its data-protection function, can see the full chain of processors that may handle personal data passing through the platform, assess each onward transfer, and exercise the objection right described below. This satisfies the transparency requirement in Article 28 of the General Data Protection Regulation, which requires a processor to identify its sub-processors and to flow equivalent data-protection obligations down to them. For your data, you are the controller and SmartAlex is the processor. Every sub-processor below acts only on our documented instructions, which reflect yours. Before any sub-processor handles customer data, we put a written contract in place that binds it to obligations materially equivalent to those we owe you: process only on documented instructions, keep personnel under confidentiality, apply encryption in transit and at rest, engage further sub-processors only under equivalent terms, assist with data-subject requests and breach notification, delete or return data at the end of the service, and support audits. We remain fully liable to you for each sub-processor’s performance.

Core sub-processors

These categories are engaged for every customer. Where customer data reaches a speech or language provider, we contract for terms under which that data is not used to train the provider’s models, and we enable zero-retention or short-retention processing wherever the provider supports it.
Our cloud hosting, backend and content-delivery providers each maintain their own independently audited security programmes, including SOC 2 and ISO 27001 attestations. Our payment processor is certified to PCI DSS Level 1. Speech and language providers receive only the customer data needed for the requested operation. They do not receive billing data, credentials or account-administration data.

Optional sub-processors

These categories are engaged only if you or an administrator on your account turns on the specific feature named. If you do not use the feature, no customer data is sent to the corresponding sub-processor. Listing a category here does not mean the feature is enabled on your account.

Change notifications and your objection right

1

We publish the change

When we add or remove a sub-processor, we update the authoritative list and record the change, with its effective date, in that document’s change log. That date is what starts the notice period for any objection.
2

We notify the account contact

For material additions that affect customer data, we also email the primary administrative contact on the account. If you would rather receive advance notice of material changes through a dedicated channel, you can subscribe by writing to privacy@getsmartalex.com.
3

You can object

If you object to a new sub-processor on reasonable, documented data-protection grounds, you may exercise the objection and termination right in our Data Processing Addendum. We will work with you in good faith to address it, for example by describing additional safeguards or, where available, offering a configuration that does not route your data to that sub-processor.
4

Unresolved objections

If we cannot resolve the objection within a reasonable time, you may terminate the affected services, and we will refund any prepaid fees covering the period after termination.

International transfers

Several categories above process personal data outside the European Economic Area, the United Kingdom and Switzerland, principally in the United States. For those transfers we rely on recognised safeguards, backed by supplementary technical and organisational measures.

EU transfers

EU Standard Contractual Clauses (Implementing Decision 2021/914), controller-to-processor and processor-to-processor modules.

UK transfers

The UK International Data Transfer Addendum to the EU Standard Contractual Clauses.

Swiss transfers

The Swiss addendum to the EU Standard Contractual Clauses recognised by the Swiss regulator.
These mechanisms are supported by encryption in transit and at rest, strict access controls, and a policy of challenging any unlawful or overbroad government access request. Equivalent contractual protections apply for customers and end users in other jurisdictions where required, including South Africa’s Protection of Personal Information Act for cross-border transfers. A copy of the relevant safeguards, with commercially sensitive terms redacted, is available on request from privacy@getsmartalex.com.

Sensitive and voice data

Call audio, recordings and transcripts can contain special-category personal data within the meaning of Article 9 of the General Data Protection Regulation, for example where an end user mentions their health. A voice may constitute biometric data where it is used to uniquely identify an individual. The platform is not designed to identify individuals from their voice. We process voice data to provide the conversational, transcription and analytics functions you configure, on your documented instructions, not to perform biometric identification on our own account. Sub-processors that handle call audio, recordings or transcripts are held to our most stringent requirements.
As the controller, you are responsible for establishing a lawful basis and, where required, a condition under Article 9(2) of the General Data Protection Regulation, typically the end user’s explicit consent, or the equivalent condition under South Africa’s Protection of Personal Information Act, and for giving end users the notices required by law before such data is captured. Our Telephony and Call Recording Notice and Acceptable Use Policy describe these call-consent responsibilities in more detail.

What is not on this list

Two kinds of third party are deliberately excluded, so your data-protection function is not misled into thinking end-user data flows to them. It does not.

Website analytics and advertising

Cookie-based analytics and advertising partners process data about visitors to our own websites, where SmartAlex is the controller, not a processor of your customer data. They are set only with consent where consent is required and are described in our Cookie Policy.

Integrations you connect yourself

Services you connect to your own tenant, for example your own CRM, calendar, or a bring-your-own-telephony trunk, are your own processors or independent controllers, not sub-processors of SmartAlex. You are responsible for your own data-processing terms with them. Our role is limited to transmitting data to the integration you have chosen, on your instructions.

Questions

For questions about sub-processors, to request advance notice of material changes, or to request a copy of the transfer safeguards we rely on, contact privacy@getsmartalex.com. SmartAlex is a trading name of THERCSGROUP PTE. LTD. (Singapore), and this list is governed by the law of Singapore. For the binding, named and current list, always refer to the authoritative document.