> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getsmartalex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Sub-processors

> The categories of sub-processor SmartAlex engages to deliver the platform, the data each handles, and where processing takes place, with a link to the authoritative named list.

SmartAlex engages a small number of vetted third parties, called sub-processors, to help deliver the platform, websites, applications and APIs. This page is an evaluator-facing summary. It groups those sub-processors by function so your data-protection team can see, at a glance, what each category does, what data it touches, and where it operates.

<Info>
  **The authoritative list lives here.** For the current, itemised list of named sub-processors, which we are legally required to publish and keep up to date, see the full document at [getsmartalex.com/legal/smartalex-subprocessor-list](https://getsmartalex.com/legal/smartalex-subprocessor-list). That published document is the authoritative version and prevails over this summary. Where it and our Data Processing Addendum differ, the Data Processing Addendum prevails.
</Info>

<Note>
  This summary reflects Sub-processor List version 1.1, effective 1 June 2026. Categories and regions can change as the platform evolves. Always check the authoritative list for the live position.
</Note>

## Why we publish this

We publish sub-processor transparency so that a customer, and its data-protection function, can see the full chain of processors that may handle personal data passing through the platform, assess each onward transfer, and exercise the objection right described below.

This satisfies the transparency requirement in Article 28 of the General Data Protection Regulation, which requires a processor to identify its sub-processors and to flow equivalent data-protection obligations down to them. For your data, you are the controller and SmartAlex is the processor. Every sub-processor below acts only on our documented instructions, which reflect yours.

Before any sub-processor handles customer data, we put a written contract in place that binds it to obligations materially equivalent to those we owe you: process only on documented instructions, keep personnel under confidentiality, apply encryption in transit and at rest, engage further sub-processors only under equivalent terms, assist with data-subject requests and breach notification, delete or return data at the end of the service, and support audits. We remain fully liable to you for each sub-processor's performance.

## Core sub-processors

These categories are engaged for every customer. Where customer data reaches a speech or language provider, we contract for terms under which that data is not used to train the provider's models, and we enable zero-retention or short-retention processing wherever the provider supports it.

| Category                                     | Purpose                                                                                                                         | Data handled                                                                                                                                                  | Region                                          |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- |
| Database, authentication and storage backend | Primary backend: managed database, authentication, file storage and serverless functions                                        | Effectively all customer data: account data, contacts, call records, transcripts, recording metadata and knowledge bases                                      | United States                                   |
| Cloud hosting and serverless compute         | Hosts the web application and runs the compute functions in the processing pipeline                                             | Application and session data, and processing payloads passing through compute functions                                                                       | United States                                   |
| Content delivery, DNS and document rendering | DNS, content delivery network, server-side rendering of exported documents such as PDFs, and object storage for those documents | Network and technical data, IP addresses, request metadata, cached content and exported documents                                                             | Global edge network, United States headquarters |
| Payment processing                           | Payment processing, billing and subscription management                                                                         | Billing contact details, payment-method metadata and transaction history. The full card number is tokenised by the processor and is never stored by SmartAlex | United States and EU                            |
| Telephony and PSTN carrier                   | Public-network call connectivity, phone-number provisioning and SMS                                                             | Caller and called phone numbers, call and message metadata, call signalling, and SMS content                                                                  | United States                                   |
| Real-time voice media infrastructure         | Carries live call audio between the end user and the voice agent                                                                | Live call audio and session data, processed in transit. Persistent recordings are stored in our own backend, not retained here                                | United States                                   |
| Large-language-model inference, live call    | Drives the voice agent's responses during a live call                                                                           | Call audio and transcript content during the call                                                                                                             | United States                                   |
| Speech-to-text transcription                 | Transcribes call speech                                                                                                         | Call audio, transcripts and speaker segmentation                                                                                                              | United States                                   |
| Text-to-speech synthesis                     | Synthesises the agent's voice                                                                                                   | Agent text input and synthesised audio                                                                                                                        | United States and EU                            |
| Post-call language-model processing          | Transcript analysis, summarisation, enrichment, embeddings and fallback transcription                                           | Call transcripts, contact data and prompts                                                                                                                    | United States                                   |
| Transactional email delivery                 | Invitations, password resets, receipts and operational notifications                                                            | Recipient email addresses and email content                                                                                                                   | United States and EU                            |
| Fraud and abuse prevention                   | Device fingerprinting to prevent signup fraud and abuse                                                                         | Device and browser identifiers, and the IP address presented at signup                                                                                        | United States                                   |

<Note>
  Our cloud hosting, backend and content-delivery providers each maintain their own independently audited security programmes, including SOC 2 and ISO 27001 attestations. Our payment processor is certified to PCI DSS Level 1. Speech and language providers receive only the customer data needed for the requested operation. They do not receive billing data, credentials or account-administration data.
</Note>

## Optional sub-processors

These categories are engaged only if you or an administrator on your account turns on the specific feature named. If you do not use the feature, no customer data is sent to the corresponding sub-processor. Listing a category here does not mean the feature is enabled on your account.

| Category                         | Engaged only if you use               | Data handled                                    | Region                   |
| -------------------------------- | ------------------------------------- | ----------------------------------------------- | ------------------------ |
| Messaging channel                | An optional messaging channel         | Phone numbers and message content               | United States            |
| Meeting recording and notetaking | The meeting-bot and notetaker feature | Meeting audio, transcripts and participant data | United States            |
| Web enrichment                   | Web-enrichment features               | Public website content used for enrichment      | United States            |
| Mapping and location             | Mapping and location features         | Addresses and coordinates                       | United States            |
| E-commerce integration           | A connected commerce store            | Store and customer data you choose to sync      | Canada and United States |
| Email outreach                   | The email-outreach integration        | Contact lists and email-engagement data         | France, EU               |
| Scheduling integration           | Healthcare scheduling integrations    | Appointment and availability data               | United States            |
| AI video persona                 | AI video-persona features             | Video-persona data                              | United States            |

## Change notifications and your objection right

<Steps>
  <Step title="We publish the change">
    When we add or remove a sub-processor, we update the authoritative list and record the change, with its effective date, in that document's change log. That date is what starts the notice period for any objection.
  </Step>

  <Step title="We notify the account contact">
    For material additions that affect customer data, we also email the primary administrative contact on the account. If you would rather receive advance notice of material changes through a dedicated channel, you can subscribe by writing to [privacy@getsmartalex.com](mailto:privacy@getsmartalex.com).
  </Step>

  <Step title="You can object">
    If you object to a new sub-processor on reasonable, documented data-protection grounds, you may exercise the objection and termination right in our Data Processing Addendum. We will work with you in good faith to address it, for example by describing additional safeguards or, where available, offering a configuration that does not route your data to that sub-processor.
  </Step>

  <Step title="Unresolved objections">
    If we cannot resolve the objection within a reasonable time, you may terminate the affected services, and we will refund any prepaid fees covering the period after termination.
  </Step>
</Steps>

## International transfers

Several categories above process personal data outside the European Economic Area, the United Kingdom and Switzerland, principally in the United States. For those transfers we rely on recognised safeguards, backed by supplementary technical and organisational measures.

<CardGroup cols={3}>
  <Card title="EU transfers">
    EU Standard Contractual Clauses (Implementing Decision 2021/914), controller-to-processor and processor-to-processor modules.
  </Card>

  <Card title="UK transfers">
    The UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
  </Card>

  <Card title="Swiss transfers">
    The Swiss addendum to the EU Standard Contractual Clauses recognised by the Swiss regulator.
  </Card>
</CardGroup>

These mechanisms are supported by encryption in transit and at rest, strict access controls, and a policy of challenging any unlawful or overbroad government access request. Equivalent contractual protections apply for customers and end users in other jurisdictions where required, including South Africa's Protection of Personal Information Act for cross-border transfers. A copy of the relevant safeguards, with commercially sensitive terms redacted, is available on request from [privacy@getsmartalex.com](mailto:privacy@getsmartalex.com).

## Sensitive and voice data

<AccordionGroup>
  <Accordion title="Special-category and biometric considerations">
    Call audio, recordings and transcripts can contain special-category personal data within the meaning of Article 9 of the General Data Protection Regulation, for example where an end user mentions their health. A voice may constitute biometric data where it is used to uniquely identify an individual. The platform is not designed to identify individuals from their voice. We process voice data to provide the conversational, transcription and analytics functions you configure, on your documented instructions, not to perform biometric identification on our own account. Sub-processors that handle call audio, recordings or transcripts are held to our most stringent requirements.
  </Accordion>

  <Accordion title="Your responsibilities as controller">
    As the controller, you are responsible for establishing a lawful basis and, where required, a condition under Article 9(2) of the General Data Protection Regulation, typically the end user's explicit consent, or the equivalent condition under South Africa's Protection of Personal Information Act, and for giving end users the notices required by law before such data is captured. Our Telephony and Call Recording Notice and Acceptable Use Policy describe these call-consent responsibilities in more detail.
  </Accordion>
</AccordionGroup>

## What is not on this list

Two kinds of third party are deliberately excluded, so your data-protection function is not misled into thinking end-user data flows to them. It does not.

<CardGroup cols={2}>
  <Card title="Website analytics and advertising">
    Cookie-based analytics and advertising partners process data about visitors to our own websites, where SmartAlex is the controller, not a processor of your customer data. They are set only with consent where consent is required and are described in our Cookie Policy.
  </Card>

  <Card title="Integrations you connect yourself">
    Services you connect to your own tenant, for example your own CRM, calendar, or a bring-your-own-telephony trunk, are your own processors or independent controllers, not sub-processors of SmartAlex. You are responsible for your own data-processing terms with them. Our role is limited to transmitting data to the integration you have chosen, on your instructions.
  </Card>
</CardGroup>

## Questions

For questions about sub-processors, to request advance notice of material changes, or to request a copy of the transfer safeguards we rely on, contact [privacy@getsmartalex.com](mailto:privacy@getsmartalex.com). SmartAlex is a trading name of THERCSGROUP PTE. LTD. (Singapore), and this list is governed by the law of Singapore. For the binding, named and current list, always refer to the [authoritative document](https://getsmartalex.com/legal/smartalex-subprocessor-list).
