Legal
Sub-processors
Last updated: 13 June 2026 · Version 1.1
This page lists the current sub-processors SmartVolve relies on to deliver the website and the voice AI agent service. Disclosure is provided under the general written authorisation mechanism of Art. 28(2) GDPR: B2B clients receive 14 days' prior notice before any change and have a 7-day window to object on reasonable grounds (see §6.3 of our DPA).
Current list
Sub-processors are grouped by role for clarity: those marked Processor sit on the voice-agent path covered by our DPA with each B2B client; those marked Controller-side support the website forms, newsletter, and analytics for which SmartVolve itself is the data controller.
| Vendor | Purpose | Location | Transfer | Role |
|---|---|---|---|---|
| Cloudflare Inc. | Frontend hosting (Pages/Workers), CDN, WAF, captcha (Turnstile), DNS. | USA | DPF + SCC | Controller-side |
| Google Cloud EMEA Ltd / Google LLC | AI models and voice on Vertex AI (Google Cloud), backend runtime and data (Cloud Run, Firestore/Cloud SQL, storage, Secret Manager — EU regions), and Calendar API for booking. | EU (European regions, e.g. europe-west1/8) | EU — no extra-EU transfer | Processor |
| Resend Inc. | Transactional email delivery (notifications and confirmations). | USA | DPF + SCC | Controller-side |
| Formagrid Inc. dba Airtable | CRM for lead management (site forms, ROI calculator, audit requests) and confirmed newsletter contacts. | USA | DPF + SCC | Controller-side |
| Stripe Payments Europe, Ltd. | Payments and subscriptions. For payment data Stripe acts as an independent controller. | EU (Ireland) | EU; SCC for US onward transfers | Controller-side |
| Fatture in Cloud (TeamSystem S.p.A.) | Electronic invoicing and accounting. | EU (Italy) | EU — no extra-EU transfer | Controller-side |
| Fattura Express | Stripe → Fatture in Cloud connector for automatic invoice issuance. | EU (Italy) | EU — no extra-EU transfer | Controller-side |
| Sanity Inc. | Headless CMS for editorial content (resources, case studies). No client personal data. | USA | DPF + SCC | Controller-side |
| PostHog Inc. (EU region) | Privacy-first product analytics (pageviews, aggregated UI events). DNT respected; no session replay. | EU (PostHog EU cloud region) | EU — no extra-EU transfer | Processor |
| Functional Software Inc. dba Sentry (EU region) | Error tracking + frontend/backend performance traces (no intentional PII; automatic scrubbing). | EU (Sentry EU cloud region, ingest.de.sentry.io) | EU — no extra-EU transfer | Processor |
| Telnyx Ireland Limited | Voice telephony and SIP for the voice agent: call routing, caller number, call audio and metadata. Active only when the voice channel is in use. | EU (Irish contracting entity; EU PoP and data residency) | EU — Irish entity (reduced US CLOUD Act exposure) | Processor |
Transfer safeguards
Sub-processors based in the United States are covered by certification under the EU-U.S. Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023, Art. 45 GDPR). Where DPF certification is unavailable or as an additional safeguard we sign the Standard Contractual Clauses approved by the European Commission (Decision (EU) 2021/914, Art. 46 GDPR) together with a Transfer Impact Assessment. Documentary evidence (DPF screenshots, signed SCC copies, TIA) is provided to B2B clients on written request.
Object to a change
B2B clients can file an objection to a sub-processor change within 7 days of notification by writing to [email protected] citing the specific regulatory non-compliance concern. See the compliance page for the full DPA terms.