Sub-processors
Last updated: April 22, 2026
Respondo uses third-party service providers (sub-processors) to deliver its services. As a data processor under GDPR, we engage these sub-processors to perform specific functions on our behalf. This page lists all current sub-processors.
We notify customers at least 30 days in advance of any changes to this list. For details on how we handle data processing agreements, please refer to our Data Processing Agreement.
Current Sub-processors
| Provider | Purpose | Data Categories | Location | Certifications | DPA status | DPA link |
|---|---|---|---|---|---|---|
| Clerk | Authentication & user management | Email addresses, user IDs, session data | United States / United Kingdom | SOC 2 Type II | Accepted via platform terms | View DPA |
| Supabase | Database & file storage | All tenant and end-user data | EU (Dublin, Ireland) — eu-west-1 | SOC 2 Type II, ISO 27001, GDPR compliant | Accepted via platform terms | View DPA |
| Stripe | Payment processing & subscription billing | Billing information, email addresses, payment method metadata | United States | PCI-DSS Level 1, SOC 2 Type II | Accepted via platform terms | View DPA |
| Twilio | SMS & voice communications | Phone numbers, message content | United States (EU peering for EU-registered numbers) | SOC 2 Type II, ISO 27001 | Accepted via platform terms | View DPA |
| Anthropic | AI processing: clinical summaries, follow-up suggestions, assistant chat (Claude). Anthropic does not use customer data to train its models. | Session notes and appointment metadata submitted for generation | United States | SOC 2 Type II | Accepted 2026-04-22 (DPA effective 2025-02-24) | View DPA |
| OpenAI | Audio transcription via Whisper. OpenAI does not train on API customer data; audio is retained for up to 30 days under OpenAI's default retention policy before deletion. | Audio files submitted for transcription | United States | SOC 2 Type II | Signed 2026-04-22 (DPA v.010126) | View DPA |
| Vercel | Application hosting, CDN, scheduled jobs | Request logs, runtime data, cron execution logs | United States, EU (edge / functions in cdg1) | SOC 2 Type II | Accepted via platform terms | View DPA |
| Sentry | Error tracking and performance monitoring (PII-masked) | Error stack traces, request metadata. User input is masked (`maskAllText` + `maskAllInputs`). | EU (de.sentry.io) | SOC 2 Type II, ISO 27001 | Accepted via platform terms | View DPA |
| PostHog | Product analytics (opt-in) | Anonymous usage events. No clinical data. Cookie-gated. | EU (eu.i.posthog.com) | SOC 2 Type II | Accepted via platform terms | View DPA |
Changes to Sub-processors
We will notify customers at least 30 days before adding or replacing a sub-processor. If you object to a new sub-processor, you may terminate your subscription as described in our Terms of Service.
Questions
For questions about our sub-processors or data processing practices, contact us at privacy@hectormoyanovelez.com.