Legal
Sub-processors
Last updated: 17 May 2026 · Version 1.0
This page lists the current sub-processors SmartVolve relies on to deliver the website and the voice AI agent service. Disclosure is provided under the general written authorisation mechanism of Art. 28(2) GDPR: B2B clients receive 14 days' prior notice before any change and have a 7-day window to object on reasonable grounds (see §6.3 of our DPA).
Current list
Sub-processors are grouped by role for clarity: those marked Processor sit on the voice-agent path covered by our DPA with each B2B client; those marked Controller-side support the website forms, newsletter, and analytics for which SmartVolve itself is the data controller.
| Vendor | Purpose | Location | Transfer | Role |
|---|---|---|---|---|
| Vercel Inc. | Frontend hosting and edge CDN. | USA | DPF + SCC | Controller-side |
| Cloudflare Inc. | CDN, WAF, captcha (Turnstile), DNS. | USA | DPF + SCC | Controller-side |
| Supabase Inc. | Postgres database (leads, transcripts, logs). | USA (EU multi-region option) | DPF + SCC | Controller-side |
| Amazon Web Services (AWS) | Backend storage and compute (eu-central-1 Frankfurt). | EU (Germany) | EU — no extra-EU transfer | Processor |
| Resend Inc. | Transactional email delivery (notifications and confirmations). | USA | DPF + SCC | Controller-side |
| HubSpot Inc. | Processor-side CRM for lead management + aggregate analytics. | USA | DPF + SCC | Controller-side |
| ElevenLabs Inc. | Synthetic voice (TTS) + voice agent orchestration. | USA | DPF + SCC | Processor |
| OpenAI Inc. | LLM-based findings extraction (internal cron, no training on client data). | USA | DPF + SCC | Processor |
| Notion Labs Inc. | Conversation operational log (migration to AWS Frankfurt in progress). | USA | DPF + SCC | Processor |
| Google LLC (Calendar API) | Calendar booking for slot proposals (founder account). | USA | DPF + SCC | Controller-side |
| Plausible Analytics | Cookieless web analytics (aggregate, no individual tracking). | EU (Germany) | EU — no extra-EU transfer | Controller-side |
| PostHog Inc. (EU region) | Privacy-first product analytics (pageviews, aggregated UI events). DNT respected; no session replay. | EU (PostHog EU cloud region) | EU — no extra-EU transfer | Processor |
| Functional Software Inc. dba Sentry (EU region) | Error tracking + frontend/backend performance traces (no intentional PII; automatic scrubbing). | EU (Sentry EU cloud region, ingest.de.sentry.io) | EU — no extra-EU transfer | Processor |
Transfer safeguards
Sub-processors based in the United States are covered by certification under the EU-U.S. Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023, Art. 45 GDPR). Where DPF certification is unavailable or as an additional safeguard we sign the Standard Contractual Clauses approved by the European Commission (Decision (EU) 2021/914, Art. 46 GDPR) together with a Transfer Impact Assessment. Documentary evidence (DPF screenshots, signed SCC copies, TIA) is provided to B2B clients on written request.
Object to a change
B2B clients can file an objection to a sub-processor change within 7 days of notification by writing to [email protected] citing the specific regulatory non-compliance concern. See the compliance page for the full DPA terms.