The authoritative list lives here. For the current, itemised list of named sub-processors, which we are legally required to publish and keep up to date, see the full document at getsmartalex.com/legal/smartalex-subprocessor-list. That published document is the authoritative version and prevails over this summary. Where it and our Data Processing Addendum differ, the Data Processing Addendum prevails.
This summary reflects Sub-processor List version 1.1, effective 1 June 2026. Categories and regions can change as the platform evolves. Always check the authoritative list for the live position.
Why we publish this
We publish sub-processor transparency so that a customer, and its data-protection function, can see the full chain of processors that may handle personal data passing through the platform, assess each onward transfer, and exercise the objection right described below. This satisfies the transparency requirement in Article 28 of the General Data Protection Regulation, which requires a processor to identify its sub-processors and to flow equivalent data-protection obligations down to them. For your data, you are the controller and SmartAlex is the processor. Every sub-processor below acts only on our documented instructions, which reflect yours. Before any sub-processor handles customer data, we put a written contract in place that binds it to obligations materially equivalent to those we owe you: process only on documented instructions, keep personnel under confidentiality, apply encryption in transit and at rest, engage further sub-processors only under equivalent terms, assist with data-subject requests and breach notification, delete or return data at the end of the service, and support audits. We remain fully liable to you for each sub-processor’s performance.Core sub-processors
These categories are engaged for every customer. Where customer data reaches a speech or language provider, we contract for terms under which that data is not used to train the provider’s models, and we enable zero-retention or short-retention processing wherever the provider supports it.Our cloud hosting, backend and content-delivery providers each maintain their own independently audited security programmes, including SOC 2 and ISO 27001 attestations. Our payment processor is certified to PCI DSS Level 1. Speech and language providers receive only the customer data needed for the requested operation. They do not receive billing data, credentials or account-administration data.
Optional sub-processors
These categories are engaged only if you or an administrator on your account turns on the specific feature named. If you do not use the feature, no customer data is sent to the corresponding sub-processor. Listing a category here does not mean the feature is enabled on your account.Change notifications and your objection right
1
We publish the change
When we add or remove a sub-processor, we update the authoritative list and record the change, with its effective date, in that document’s change log. That date is what starts the notice period for any objection.
2
We notify the account contact
For material additions that affect customer data, we also email the primary administrative contact on the account. If you would rather receive advance notice of material changes through a dedicated channel, you can subscribe by writing to privacy@getsmartalex.com.
3
You can object
If you object to a new sub-processor on reasonable, documented data-protection grounds, you may exercise the objection and termination right in our Data Processing Addendum. We will work with you in good faith to address it, for example by describing additional safeguards or, where available, offering a configuration that does not route your data to that sub-processor.
4
Unresolved objections
If we cannot resolve the objection within a reasonable time, you may terminate the affected services, and we will refund any prepaid fees covering the period after termination.
International transfers
Several categories above process personal data outside the European Economic Area, the United Kingdom and Switzerland, principally in the United States. For those transfers we rely on recognised safeguards, backed by supplementary technical and organisational measures.EU transfers
EU Standard Contractual Clauses (Implementing Decision 2021/914), controller-to-processor and processor-to-processor modules.
UK transfers
The UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
Swiss transfers
The Swiss addendum to the EU Standard Contractual Clauses recognised by the Swiss regulator.
Sensitive and voice data
Special-category and biometric considerations
Special-category and biometric considerations
Call audio, recordings and transcripts can contain special-category personal data within the meaning of Article 9 of the General Data Protection Regulation, for example where an end user mentions their health. A voice may constitute biometric data where it is used to uniquely identify an individual. The platform is not designed to identify individuals from their voice. We process voice data to provide the conversational, transcription and analytics functions you configure, on your documented instructions, not to perform biometric identification on our own account. Sub-processors that handle call audio, recordings or transcripts are held to our most stringent requirements.
Your responsibilities as controller
Your responsibilities as controller
As the controller, you are responsible for establishing a lawful basis and, where required, a condition under Article 9(2) of the General Data Protection Regulation, typically the end user’s explicit consent, or the equivalent condition under South Africa’s Protection of Personal Information Act, and for giving end users the notices required by law before such data is captured. Our Telephony and Call Recording Notice and Acceptable Use Policy describe these call-consent responsibilities in more detail.
What is not on this list
Two kinds of third party are deliberately excluded, so your data-protection function is not misled into thinking end-user data flows to them. It does not.Website analytics and advertising
Cookie-based analytics and advertising partners process data about visitors to our own websites, where SmartAlex is the controller, not a processor of your customer data. They are set only with consent where consent is required and are described in our Cookie Policy.
Integrations you connect yourself
Services you connect to your own tenant, for example your own CRM, calendar, or a bring-your-own-telephony trunk, are your own processors or independent controllers, not sub-processors of SmartAlex. You are responsible for your own data-processing terms with them. Our role is limited to transmitting data to the integration you have chosen, on your instructions.

