Effective: May 6, 2026
Last reviewed: May 6, 2026
Agency Engine engages the third-party service providers listed below to deliver and support the Platform. Each subprocessor is bound by a written agreement that imposes data protection obligations no less protective than those in our Data Processing Agreement.
Notice of new subprocessors. Customers will receive at least 30 days' advance notice (by email and in-Platform) before we engage a new subprocessor that processes Customer Data, as required by GDPR Art. 28(2). To receive these notices, ensure your account email address is current. Customers who object on reasonable data-protection grounds during the notice period may terminate the affected services for a prorated refund of prepaid fees.
Data residency. All Customer Data is processed in the United States by default. Cloudflare provides global edge caching but does not retain Customer Data outside transient session handling.
| Subprocessor | Purpose | Data Categories | Location | Certifications |
|---|---|---|---|---|
| Supabase, Inc. | Primary database (Postgres), authentication, file storage, edge functions | All Customer Data; account credentials (hashed); CRM contact records; communications | United States (AWS us-east-1) | SOC 2 Type II; HIPAA-eligible (paid tiers) |
| Cloudflare, Inc. | Application hosting (Workers), CDN, DNS, WAF, email routing, rate limiting | All HTTP traffic to/from the Platform; logs (90-day retention); inbound email routing metadata | Global edge network; primary processing in the United States | SOC 2 Type II; ISO 27001; PCI DSS Level 1; FedRAMP Moderate |
| Stripe, Inc. | Payment processing, subscription billing, tax computation | Tokenized payment methods (we never receive raw card numbers); billing address; transaction records | United States | PCI DSS Level 1; SOC 1 + SOC 2; ISO 27001 |
| Twilio, Inc. | Voice calls, SMS, MMS, phone number provisioning, A2P 10DLC registration | Mobile phone numbers; SMS message content; call recordings (where Customer enables); call metadata | United States | SOC 2 Type II; ISO 27001; PCI DSS |
| Twilio SendGrid (Twilio, Inc.) | Transactional and marketing email delivery | Email addresses; email content; delivery metadata; engagement events | United States | SOC 2 Type II; ISO 27001 |
| Anthropic, PBC | AI processing for Ace features (call summaries, draft messaging, lead scoring) | Contextual snippets of Customer Data sent at the moment of an AI request | United States | SOC 2 Type II; Zero Data Retention agreement in place — Anthropic does not log, store, or train on data sent through the API |
| Google LLC | OAuth integration for Customers connecting Gmail, Google Calendar, and Google Ads to the Platform | OAuth refresh tokens (encrypted at rest); read/write access to Customer-authorized scopes only | United States; global | ISO 27001; SOC 2/3; FedRAMP |
| Microsoft Corporation | OAuth integration for Customers connecting Outlook and Microsoft 365 to the Platform | OAuth refresh tokens (encrypted at rest); read/write access to Customer-authorized scopes only | United States; global | ISO 27001; SOC 2; HIPAA |
| Discord, Inc. | Optional team/agency communication integration where Customer enables | Channel/server identifiers; message metadata for relay; user IDs | United States | ISO 27001 |
| Functional Software, Inc. (Sentry) | Application error monitoring and performance telemetry | Stack traces; sanitized error context (PII scrubbing applied); request metadata | United States | SOC 2 Type II; ISO 27001; HIPAA-eligible |
| GitHub, Inc. | Source code hosting and CI/CD | No Customer Data; code only | United States | SOC 1; SOC 2; ISO 27001 |
Customers are automatically subscribed to subprocessor change notifications via the email on file. To unsubscribe or to update the email used for legal/compliance notices, contact dpo@agencyengine.app.