# Data Sub-processors
Last Updated, July 23rd 2025
### 📘 Legal & Compliance: Data Sub-processors
At[ VoiceB.ai](https://voiceb.ai/), we are committed to ensuring transparency, security, and full compliance with data protection regulations, including the General Data Protection Regulation (GDPR) and other applicable privacy laws.
To support the delivery of our services, we engage certain reputable third-party service providers (sub-processors) who process customer personal data on our behalf and under our instructions. We carefully assess each provider to ensure they meet high standards of privacy, security, and legal compliance.
Below is a comprehensive overview of our current data processors.
### ✅ What Is a Sub-processor?
A sub-processor is a third party engaged by VoiceB to process personal data on behalf of our customers (the data controllers), while VoiceB acts as a data processor. These providers assist us in delivering functionality such as hosting, AI processing, authentication, and payment services.
Each sub-processor is bound by a Data Processing Agreement (DPA) that includes obligations regarding confidentiality, data protection, security measures, and breach notification.
### 🔐 List of Authorized Sub-processors
| Sub-processor | Description | Jurisdiction | Data Location | Purpose | Privacy Policy | Compliance & Security Links |
| ------------- | ----------------------------------------------------- | ------------- | ------------------------- | --------------------------------------------------- | ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Vercel | Hosting platform for the VoiceB website and dashboard | United States | EU (configurable), US | Hosting, Static content & app delivery | [Privacy Policy](https://vercel.com/legal/privacy) | [DPF](https://vercel.com/legal/privacy) · [DPA + SCCs](https://vercel.com/legal/dpa) · [Security Measures](https://vercel.com/security) · [Certifications: ISO 27001, SOC 2, HIPAA](https://vercel.com/security) |
| Clerk.dev | Authentication & user management | United States | US (default), EU optional | Login & account handling | [Privacy Policy](https://clerk.dev/legal/privacy) | [DPF](https://clerk.com/changelog/2024-02-29) . [DPA + SCCs](https://clerk.dev/legal/dpa) · [Security Overview](https://clerk.com/docs/security/overview) · Certifications: SOC 2 Type II (in progress) |
| ElevenLabs | Voice synthesis | Poland | EU (configurable), US | AI voice generation for agent calls | [Privacy Policy](https://www.elevenlabs.io/es/privacy-policy) | [DPA + SCCs](https://www.elevenlabs.io/legal/data-processing-agreement) · [Certifications: SOC 2 Type II](https://compliance.elevenlabs.io/) |
| OpenAI | LLM provider (optional, depending on integration) | United States | US | Language processing for AI agent behavior | [Privacy Policy](https://openai.com/policies/privacy-policy) | [DPA+SCCs](https://openai.com/policies/data-processing-addendum/) · [Security Practices](https://openai.com/security) · [Certifications: SOC 2 Type II](https://openai.com/security) |
| HubSpot | CRM & Marketing Automation | United States | US & EU | Sales, support, marketing workflows | [Privacy Policy](https://legal.hubspot.com/privacy-policy) | [DPA + SCCs](https://legal.hubspot.com/dpa) · [Security](https://legal.hubspot.com/security) · [Certifications: SOC 2, ISO 27001, GDPR](https://trust.hubspot.com/?hsCtaTracking=98c3bf73-03eb-4096-9ec7-dfb3078d4b63%7C3ecab3c5-8bc7-4fa6-91fe-9f0d1731cf4d) |
| Stripe | Payment processing infrastructure | United States | EU (configurable), US | Subscription billing & invoicing | [Privacy Center](https://stripe.com/privacy) | [DPF](https://stripe.com/privacy) · [DPA + SCCs](https://stripe.com/legal/dpa) · [Certifications: PCI DSS Level 1, SOC 1 Type II, SOC 2 Type II, EMVCo, ISO 27001 aligned](https://stripe.com/docs/security/stripe) |
| Twilio | Telephony infrastructure & DDI routing | United States | EU (configurable), US | Voice call handling and phone number provisioning | [Privacy Policy](https://www.twilio.com/legal/privacy) | [DPF](https://www.twilio.com/legal/privacy) · [BCR](https://www.twilio.com/legal/bcr) · [Security Measures](https://www.twilio.com/security) · [Certifications: ISO 27001, ISO 27017, ISO 27018](https://www.twilio.com/security) |
| Bland AI | Voice call infrastructure provider | United States | US | VoIP infrastructure, call routing | [Privacy Policy](https://www.bland.ai/privacy) | [DPA + SCCs](https://www.bland.ai/legal/dpa) · [Certifications: SOC 2 Type I, SOC 2 Type II](https://www.bland.ai/security) |
| Nango | Unified API integrations platform | United States | EU (configurable), US | Connecting VoiceB to third-party CRMs via OAuth/API | [Privacy Policy](https://www.nango.dev/legal/privacy) | [DPF](https://www.nango.dev/legal/privacy) · [DPA + SCCs](https://www.nango.dev/terms#dpa) · [Certifications: SOC 2 Type I](https://www.nango.dev/product-updates/soc-2-type-1-compliant) |
### 📄 Data Processing Agreements
VoiceB.ai has a Data Processing Agreement (DPA) in place with each of its sub-processors. These agreements ensure that any processing of customer personal data is conducted in accordance with the GDPR and other applicable data protection laws.
All of our sub-processors:
1. Are subject to a GDPR-compliant DPA with VoiceB.ai
2. Are contractually obligated to implement appropriate technical and organizational security measures
3. May only process data based on our documented instructions
4. Must promptly notify VoiceB.ai in the event of a personal data breach or security incident
5. Are required to support data subjects’ rights to access, rectify, erase, or restrict their personal data
***
### 🌍 International Data Transfers
Some sub-processors are located outside the European Economic Area (EEA). When customer personal data is transferred internationally, we ensure that such transfers are conducted in full compliance with the GDPR, using one or more of the following legal mechanisms:
* Standard Contractual Clauses (SCCs) approved by the European Commission
* Adequacy decisions, including participation in the EU-U.S. Data Privacy Framework, where applicable
* Binding Corporate Rules (BCRs), where adopted by the provider
* Other lawful mechanisms permitted under Chapter V of the GDPR
We thoroughly assess the legal and privacy posture of all sub-processors prior to engagement, and require appropriate safeguards for any international transfer.
***
### 📥 Contact
For any questions or to request a signed copy of our **Data Processing Agreement**, please reach out to:
📧 ****
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.voiceb.ai/legal-and-compliance/data-sub-processors.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.