Subprocessors List

Last Updated: December 19, 2025

This page lists all third-party subprocessors (service providers) that Inflowence uses to provide our services. We maintain this list for transparency and to comply with data protection obligations under CCPA and other applicable US privacy regulations.

Purpose of This List

As described in our Privacy Policy and Data Processing Addendum, Inflowence uses carefully selected third-party service providers to deliver our platform. These subprocessors may process customer data on our behalf.

Key Points:

• All subprocessors are bound by contractual obligations to protect data
• We conduct due diligence on security and privacy practices
• Subprocessors are only granted access to data necessary for their services
• We monitor subprocessor compliance with data protection requirements

Updates to This List

We may add, remove, or change subprocessors as we improve our services:

• Material changes will be announced 30 days in advance
• Non-material changes will be reflected here immediately
• Subscribe for updates: Email subprocessor-updates@inflowence.ai with "Subscribe" in subject

Subprocessor List

Core Infrastructure

| Entity Name | Service Provided | Data Location | Purpose | |-------------|-----------------|---------------|---------| | Amazon Web Services (AWS) | Cloud Infrastructure, Email Delivery (SES), Storage (S3) | USA (Primary)
Multiple regions available | Hosting application infrastructure, database backups, file storage, and transactional email delivery | | Vercel Inc. | Frontend Hosting & Serverless Functions | USA / Global CDN | Hosting web application, serverless API endpoints, and edge computing | | Supabase Inc. | Primary Database & User Authentication | USA | PostgreSQL database, real-time subscriptions, authentication services | | Upstash | Serverless Redis (Caching & Rate Limiting) | USA / Global | In-memory data caching, session management, rate limiting, and queue processing |

CRM & Automation

| Entity Name | Service Provided | Data Location | Purpose | |-------------|-----------------|---------------|---------| | GoHighLevel (HighLevel Inc.) | CRM, Marketing Automation Engine, Messaging Relay | USA | Primary CRM platform, workflow automation, contact management, SMS/email/social messaging relay | | Twilio Inc. | SMS & Voice Delivery (via GHL) | USA / Global | SMS message delivery, voice call routing, phone number provisioning | | Mailgun Technologies Inc. | Email Delivery Services (via GHL/AWS) | USA | Transactional and marketing email delivery, bounce/complaint handling |

Communication Platforms

| Entity Name | Service Provided | Data Location | Purpose | |-------------|-----------------|---------------|---------| | Meta Platforms, Inc. | WhatsApp, Facebook Messenger, Instagram DM Processing | USA / Global | Social media integrations, direct message processing, business messaging API | | OpenAI, L.L.C. | AI Content Generation & Processing | USA | AI-powered content generation, text analysis, chatbot responses, voice transcription |

Analytics & Monitoring

| Entity Name | Service Provided | Data Location | Purpose | |-------------|-----------------|---------------|---------| | Vercel Analytics | Web Analytics & Performance Monitoring | USA / Global | Anonymous usage analytics, performance monitoring, error tracking | | Sentry | Error Tracking & Application Monitoring | USA | Application error logging, performance monitoring, debugging |

Payment Processing

| Entity Name | Service Provided | Data Location | Purpose | |-------------|-----------------|---------------|---------| | Stripe, Inc. | Payment Processing & Billing | USA / Global | Subscription billing, payment processing, invoice generation, fraud detection |

Security & Compliance

| Entity Name | Service Provided | Data Location | Purpose | |-------------|-----------------|---------------|---------| | Cloudflare, Inc. | CDN, DDoS Protection, Web Application Firewall | USA / Global | Content delivery, security protection, traffic management, SSL/TLS termination |

Data Processing Details

What Data is Shared

Subprocessors may process the following types of data depending on their role:

Customer Account Data:

• Business name and contact information
• User account credentials (hashed/encrypted)
• Billing and payment information (Stripe only)
• Usage and activity logs

End-User Data (Your Customers):

• Contact information (names, emails, phone numbers)
• Communication content (messages, emails, call recordings)
• Social media profiles and interactions
• Engagement and behavioral data

Technical Data:

• IP addresses and device information
• Browser and operating system data
• Session information and cookies
• Performance and error logs

Security Measures

All subprocessors are required to:

• Implement appropriate technical and organizational security measures
• Encrypt data in transit and at rest
• Maintain industry-standard access controls
• Conduct regular security audits and assessments
• Notify us of any security incidents promptly
• Comply with applicable data protection laws

Geographic Considerations

Primary Data Storage

Customer data is primarily stored in:

• United States (AWS US-East, Supabase US regions)
• Data may be cached globally through CDNs (Vercel, Cloudflare)

International Transfers

Data may be transferred internationally:

• Standard Contractual Clauses (SCCs) are in place where required
• Adequacy decisions are followed where applicable
• Additional safeguards are implemented for sensitive transfers

Data Residency Options

For customers with specific data residency requirements:

• Contact sales@inflowence.ai for custom arrangements
• Enterprise plans may offer regional data storage options
• Additional fees may apply for dedicated regional hosting

Subprocessor Obligations

Each subprocessor is contractually obligated to:

1. Process data only as instructed by Inflowence
2. Maintain confidentiality of all customer data
3. Implement security measures commensurate with data sensitivity
4. Assist with data subject requests (access, deletion, etc.)
5. Notify us of any data breaches or security incidents
6. Delete or return data upon termination of services
7. Comply with data protection laws including applicable US state laws (CCPA, CPRA, VCDPA, etc.)
8. Undergo audits and provide compliance documentation

Your Rights

As a Inflowence customer, you have the right to:

Object to Subprocessors

If you object to our use of a specific subprocessor:

• Notify us in writing within 30 days of receiving notice of a new subprocessor
• We will work with you to find an alternative solution
• If no alternative is feasible, you may terminate your agreement without penalty

Request Information

You may request:

• Additional information about subprocessor security practices
• Copies of relevant data processing agreements
• Evidence of subprocessor compliance certifications
• Details about data flows and processing activities

Contact: legal@inflowence.ai

Audit Rights

Enterprise customers may have audit rights:

• Review subprocessor compliance documentation
• Request third-party audit reports (SOC 2, ISO 27001, etc.)
• Conduct audits subject to mutual agreement

Changes and Notifications

New Subprocessors

When adding a new subprocessor:

• 30 days advance notice for material changes
• Notice via email to your account email address
• Notice posted on this page
• Opportunity to object per your contract terms

Material vs. Non-Material Changes

Material Changes (30-day notice):

• Adding a new category of subprocessor
• Changing primary hosting or database providers
• Subprocessors processing sensitive personal data

Non-Material Changes (immediate update):

• Updating existing subprocessor details
• Removing a subprocessor
• Changes in data location within the same region

Subscribe to Updates

Stay informed about subprocessor changes:

• Email: subprocessor-updates@inflowence.ai
• Subject line: "Subscribe to Subprocessor Updates"
• Include your account email address

Compliance Certifications

Many of our subprocessors maintain industry-standard certifications:

Common Certifications:

• SOC 2 Type II: Security, availability, processing integrity, confidentiality, privacy
• ISO 27001: Information security management
• PCI DSS: Payment card industry data security (Stripe)
• CCPA Compliance: California consumer privacy act
• HIPAA: Healthcare data protection (where applicable)

Verification: Contact compliance@inflowence.ai to request copies of certifications.

Data Processing Addendum

This Subprocessors List is part of our Data Processing Addendum, which governs data processing relationships for business customers.

Key DPA Sections:

• Roles and responsibilities (Controller vs. Processor)
• Data processing scope and limitations
• Security requirements and incident response
• Data subject rights and assistance
• International transfer mechanisms
• Subprocessor management (this list)

Contact Information

Questions About Subprocessors

• General Inquiries: privacy@inflowence.ai
• Legal/DPA Questions: legal@inflowence.ai
• Security Questions: security@inflowence.ai
• Compliance Questions: compliance@inflowence.ai

Objecting to a Subprocessor

To object to a subprocessor:

1. Email legal@inflowence.ai
2. Include "Subprocessor Objection" in subject line
3. Specify which subprocessor and reason for objection
4. Allow 10 business days for response

Requesting Subprocessor Information

To request additional information:

• Email with specific questions or requirements
• Indicate if request relates to an audit or compliance requirement
• Response time: 10-15 business days for detailed requests

Related Documents

• Privacy Policy
• Data Processing Addendum
• Terms of Service
• Security Overview

Changelog

December 19, 2025

• Initial publication of Subprocessors List
• All current subprocessors documented
• Notification process established

Commitment to Transparency: Inflowence is committed to transparency in our data processing practices. We carefully vet all subprocessors and require them to meet our high standards for security and privacy.

If you have questions or concerns about any subprocessor, please don't hesitate to contact us.