Last updated: 2 July 2026. We give account owners 30 days' email/console notice before adding a subprocessor that will process customer content, with a right to object on reasonable grounds (Terms §10).
| Provider | Role | Data touched | Processing location* |
|---|---|---|---|
| Google Cloud Platform | Primary hosting (compute, storage) | All service data | India (asia-south1) |
| LiveKit Cloud | Real-time call media (WebRTC/SIP) | Live call audio, call metadata | India region (expanding per-region with launches) |
| Deepgram | Speech-to-text | Live call audio → text | US |
| Groq | LLM inference (primary) | Conversation text | US |
| Anthropic | LLM inference (fallback) | Conversation text | US |
| Cartesia | Text-to-speech | Reply text → audio | US |
| Neon | Postgres (dev/qa/prod cloud envs) | Tenant data in those envs | Singapore/US per env |
| Upstash | Redis (rate limits, counters) | Phone-number hashes, counters | Singapore/US per env |
| FreJun | Telephony carrier (India +91) | Call signalling/media, phone numbers | India |
| Twilio | Telephony carrier (international) | Call signalling/media, phone numbers | US/global |
Configured-but-optional (active only when the feature is enabled): Resend or SMTP provider (transactional email), Meta (WhatsApp Business Cloud API) and MSG91 (SMS, India DLT), Razorpay / Stripe (payments — they hold card/UPI data; we never do), Cloudflare (Turnstile bot protection on public forms).
Ancillary vendors that do not process patient content: GitHub (source code), Docker Hub (build artifacts).
*Locations reflect current configuration and provider disclosures; regional hosting options will update this table. AI providers are used via API configurations/tiers whose terms exclude training on submitted data.
A signable DPA (with EU SCCs / UK Addendum) and completed security questionnaires are available to customers and serious evaluators: [LEGAL EMAIL].