Subprocessor List

Last Updated: October 9, 2025


Introduction

This page lists all subprocessors (third-party service providers) that backend.chat uses to process customer data.

What is a subprocessor? A subprocessor is a third party that processes personal data on behalf of backend.chat. Under GDPR and other privacy laws, we must inform you about who processes your data and obtain your consent (or provide an objection mechanism).

Why does this matter?

  • Transparency: You know where your data goes
  • Compliance: Required by GDPR Article 28(2) and similar laws
  • Control: You can object to specific subprocessors
  • Security: You can assess third-party risks

Contact Us: [email protected]


Our Commitment

We carefully vet all subprocessors for:

  • Security: Strong data protection practices
  • Privacy: GDPR, CCPA, and privacy law compliance
  • Reliability: Uptime, performance, and support
  • Contractual safeguards: Data Processing Agreements (DPAs) in place

We require all subprocessors to:

  • Sign Data Processing Agreements (DPAs)
  • Implement appropriate security measures
  • Only process data as instructed (no secondary use)
  • Support data subject rights (access, deletion, etc.)
  • Notify us of data breaches within 24 hours

Notification of Changes

We will notify you 30 days before:

  • Adding a new subprocessor
  • Changing a subprocessor (replacing one with another)
  • Significantly changing the data processed by a subprocessor

How we notify:

  • Email to your registered email address
  • Update this page (check the "Last Updated" date)
  • Dashboard notification (for logged-in users)

Your right to object: If you object to a new subprocessor, you may:

  • Contact us at [email protected] to discuss alternatives
  • Terminate your contract (if no alternative is possible)

Current Subprocessors

1. AI and Machine Learning Services

OpenAI, LLC

  • Service: Large Language Model (LLM) API (GPT-4, GPT-4o, GPT-4o-mini, GPT-3.5-turbo)
  • Purpose: AI-powered conversation response generation (when customer chooses OpenAI models)
  • Data Processed:
    • Conversation messages (user questions and context)
    • Knowledge base chunks (for RAG context)
    • Conversation metadata (timestamps, IDs)
  • Data Location: United States (primary)
  • GDPR Safeguards: Standard Contractual Clauses (SCCs)
  • Data Usage Policy: OpenAI does NOT use backend.chat customer data to train their models (per our agreement and their Enterprise API terms)
  • Security: SOC 2 Type II certified, ISO 27001
  • Website: https://openai.com
  • Privacy Policy: https://openai.com/policies/privacy-policy
  • Data Processing Agreement: https://openai.com/policies/data-processing-addendum

Anthropic PBC

  • Service: Large Language Model (LLM) API (Claude 3.5 Sonnet, Claude 3 Opus, Claude 3 Haiku)
  • Purpose: AI-powered conversation response generation (when customer chooses Anthropic models)
  • Data Processed:
    • Conversation messages (user questions and context)
    • Knowledge base chunks (for RAG context)
    • Conversation metadata (timestamps, IDs)
  • Data Location: United States (primary)
  • GDPR Safeguards: Standard Contractual Clauses (SCCs)
  • Data Usage Policy: Anthropic does NOT use backend.chat customer data to train their models (per our agreement and their API terms)
  • Security: SOC 2 Type II certified, HIPAA-eligible
  • Website: https://www.anthropic.com
  • Privacy Policy: https://www.anthropic.com/privacy
  • Data Processing Agreement: Available upon request from Anthropic

Note: Customers can choose which AI provider to use (OpenAI or Anthropic). Only the selected provider will process your data.


2. Cloud Infrastructure and Hosting

Hivelocity (Cloud Server)

  • Service: Cloud server hosting (compute, storage, networking)
  • Purpose: Host backend.chat application, Redis cache, and application storage
  • Data Processed:
    • Conversations and messages
    • WebSocket connection state
    • Session tokens and cached data
    • Application logs
    • Knowledge base documents
  • Data Location: Texas, United States
  • GDPR Safeguards: Standard Contractual Clauses (SCCs), EU-U.S. Data Privacy Framework (DPF)
  • Security: Enterprise-grade infrastructure with encryption in transit (TLS 1.3)
  • Website: https://www.hivelocity.net/
  • Privacy Policy: Available upon request
  • Data Processing Agreement: Available for enterprise customers

Self-Hosting Note: If you self-host backend.chat, you control your own cloud provider and this subprocessor does not apply to you.


3. Database and Caching Services

DigitalOcean - Managed PostgreSQL Database

Redis Cache (hosted on Hivelocity)

  • Service: Redis cache (self-managed)
  • Purpose: Session management, real-time features (WebSocket state), caching
  • Data Processed:
    • Session tokens
    • WebSocket connection state
    • Cached API responses
  • Data Location: Texas, United States (co-located with application server on Hivelocity)
  • Security: TLS encryption, password authentication, network isolation

4. Email Services (Future)

Status: Not yet implemented

Planned subprocessor:

  • Service: Transactional email (e.g., SendGrid, Postmark, AWS SES)
  • Purpose: Send notification emails, password reset emails, alerts
  • Data Processed:
    • Email addresses
    • Email content (notifications, alerts)
  • Will be added: When email notifications are implemented (estimated Q2 2025)

We will notify you 30 days before activating email services.


5. Payment Processing (Future)

Status: Not yet implemented

Planned subprocessor:

  • Service: Payment gateway (e.g., Stripe, Razorpay, PayPal)
  • Purpose: Process subscription payments, invoices
  • Data Processed:
    • Billing information (name, address)
    • Payment method details (credit card, bank account - tokenized)
    • Transaction history
  • Will be added: When paid plans launch (estimated Q3 2025)

We will notify you 30 days before activating payment processing.

Note: Payment processors are PCI-DSS certified. We do NOT store raw credit card numbers—only tokenized references.


6. Analytics and Monitoring (Internal Only)

Status: Not using third-party analytics

What we do NOT use:

  • ❌ Google Analytics
  • ❌ Mixpanel
  • ❌ Amplitude
  • ❌ Facebook Pixel
  • ❌ Any third-party user tracking

Internal analytics:

  • ✅ We use our own database to track product usage (conversation counts, AI metrics, etc.)
  • ✅ No data is sent to third parties for analytics

Data Flows Summary

Where your data goes:

Data Type | Stored By | Processed By (AI) | Third-Party Access
Conversations & Messages | Cloud provider (database) | OpenAI or Anthropic (if AI enabled) | No third-party access
Knowledge Base Documents | Cloud provider (database) | OpenAI or Anthropic (embeddings, RAG) | No third-party access
User Accounts (Email, Name) | Cloud provider (database) | None | No third-party access
Session Tokens | Cloud provider (Redis) | None | No third-party access
Analytics (Aggregated) | Cloud provider (database) | None | No third-party access
Logs | Cloud provider (storage) | None | No third-party access

International transfers:

  • US → EU: Standard Contractual Clauses (SCCs) + EU-U.S. Data Privacy Framework
  • India → US: Standard Contractual Clauses (when India DPDP Act enforced)
  • Self-hosting: You control data location (no international transfers if hosted locally)

Your Rights and Controls

1. Data Processing Agreement (DPA)

For GDPR compliance, we offer a Data Processing Agreement (DPA):

  • Defines controller-processor relationship
  • Includes Standard Contractual Clauses (SCCs) for international transfers
  • Lists all subprocessors
  • Specifies security obligations

How to request: Email [email protected] with subject "DPA Request"

2. Subprocessor Objection

You have the right to object to a new subprocessor.

Process:

  1. We notify you 30 days before adding a new subprocessor
  2. You have 14 days to object (email: [email protected])
  3. We will discuss alternatives or allow you to terminate your contract without penalty

3. Data Localization (Self-Hosting)

For customers requiring data sovereignty:

  • Self-host backend.chat in your own infrastructure
  • No third-party cloud provider
  • Only AI providers (OpenAI/Anthropic) see conversation data (if AI enabled)
  • You can disable AI to prevent any third-party processing

Contact: [email protected] for self-hosting options


Security and Compliance

Subprocessor Audits

We require all subprocessors to provide evidence of security compliance:

  • SOC 2 Type II reports (annually)
  • ISO 27001 certification (where applicable)
  • GDPR compliance (DPA, SCCs)
  • Regular security assessments

Breach Notification

If a subprocessor experiences a data breach:

  • Subprocessor → backend.chat: Notify us within 24 hours
  • backend.chat → You: Notify you within 72 hours
  • You → Regulators/Users: As required by applicable laws

Future Subprocessors (Tentative)

These are services we may add in the future. We will notify you 30 days before activating them.

Subprocessor | Purpose | Expected Date
Email service (SendGrid / Postmark / AWS SES) | Transactional emails | Q2 2025
Payment gateway (Stripe / Razorpay) | Process payments | Q3 2025
CDN (Cloudflare / AWS CloudFront) | Faster widget loading | Q3 2025
Monitoring/Logging (Sentry / DataDog) | Error tracking, performance | Q4 2025

Contact and Questions

General subprocessor questions: Email: [email protected]

Object to a subprocessor: Email: [email protected] (Subject: "Subprocessor Objection")

Request DPA: Email: [email protected] (Subject: "DPA Request")

Self-hosting options: Email: [email protected] (Subject: "Self-Hosting Inquiry")


Changes to This List

Last updated: October 9, 2025

Recent changes:

  • Initial publication (no previous changes)

Upcoming changes:

  • Email service provider (Q2 2025)
  • Payment gateway (Q3 2025)

Archive: Previous versions of this list available upon request (email: [email protected])



This Subprocessor List is part of our commitment to transparency and GDPR compliance. We will keep this page updated and notify you of any changes. For the most current information, check this page regularly or contact [email protected]