Subprocessor List

Provider: Valiquest AB · Org.nr 559577-0347 · Stockholm, Sweden Service: Virtual Customer Version: v1 — 2026-04-22 (DRAFT — pre-counsel review) Public URL (after publication): https://app.virtualcustomer.io/legal/subprocessors.html RSS feed: https://app.virtualcustomer.io/legal/subprocessors.rss Subscribe: info@valiquest.com

A "Subprocessor" is a third party that we engage to process Customer Personal Data on our behalf to deliver the Service. We commit to giving customers at least 30 days' notice before adding or replacing a Subprocessor (see DPA §7.1(c)).

How to read this list

For each Subprocessor we publish:

Provider — the contracting entity.
Service area — what part of Virtual Customer they support.
Categories of Personal Data processed — what they actually see.
Processing region(s) — where the data lives during processing.
Transfer mechanism — applicable when data leaves the EEA.
Last reviewed — the date Valiquest last reviewed the Subprocessor's data-protection posture.

If you would like additional detail (audit reports, written contracts, certificates), email info@valiquest.com.

Current Subprocessors (as at 2026-04-22)

1. Google Cloud / Firebase

Provider: Google Ireland Limited (EEA contracting entity), with onward processing by Google LLC where required.
Service area: Identity, database, file storage, serverless functions, hosting.
Categories of Personal Data processed: Account data, Customer Content, application logs.
Processing region(s): EU (Belgium, Netherlands) where regional services are available; US fallback for some services (e.g. specific Cloud Functions).
Transfer mechanism: EU SCCs 2021/914 (Module Three, Processor → Processor) where data leaves the EEA. Google's Data Processing Addendum applies.
Certifications cited by provider: ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, C5. (We rely on Google's own attestation; we do not independently audit.)
Last reviewed by Valiquest: 2026-04-22.

2. Railway

Provider: Railway Corporation.
Service area: Application runtime, container hosting, internal networking.
Categories of Personal Data processed: Application logs (which can incidentally contain Customer Content if logged). We mask known secret patterns before logging (see DPA Annex 2 §B).
Processing region(s): EU (verify per environment) and US.
Transfer mechanism: EU SCCs 2021/914 (Module Three) for transfers to US.
Certifications cited by provider: SOC 2 Type II (verify on contract).
Last reviewed by Valiquest: 2026-04-22.

3. Paddle.com Market Limited

Provider: Paddle.com Market Limited (UK) — acts as merchant of record for billing.
Service area: Checkout, subscription billing, invoicing, tax (VAT / sales tax) handling, refunds, dunning, customer-portal.
Categories of Personal Data processed: Billing email, billing address (if collected by Paddle), payment-instrument metadata (Paddle stores card details; Valiquest does not), invoice history, sales-tax-relevant data.
Processing region(s): UK and Ireland.
Transfer mechanism: UK Adequacy (under EU Adequacy Decision for the UK, June 2021); UK Addendum to EU SCCs where required.
Certifications cited by provider: PCI-DSS Level 1, SOC 2 Type II, ISO 27001.
Last reviewed by Valiquest: 2026-04-22.

4. Flowise

Provider: FlowiseAI Inc. (open-source project; we self-host the container, and rely on official builds for updates). Note: where we use the Flowise Cloud control plane, FlowiseAI Inc. is the contracting entity; otherwise no third-party processing occurs from Flowise itself.
Service area: Conversational engine container, executed inside our Railway runtime.
Categories of Personal Data processed: Customer Content (prompts, transcripts) routed through the conversational engine.
Processing region(s): Co-located with our Railway runtime.
Transfer mechanism: Same region as Railway; no separate transfer.
Certifications cited by provider: None (open-source project; we treat self-hosted Flowise as part of our own runtime).
Last reviewed by Valiquest: 2026-04-22.
Note: Where Flowise calls out to LLM providers (OpenAI / Anthropic / Google), those calls are listed as separate Subprocessors below.

5. OpenAI

Provider: OpenAI Ireland Ltd (EEA contracting entity), with onward processing by OpenAI, L.L.C. (US).
Service area: LLM inference for selected conversational and analysis features.
Categories of Personal Data processed: Customer Content sent to the model (prompts, conversation context). API tier: OpenAI does not use API inputs or outputs to train models; data is retained for abuse monitoring for up to 30 days unless zero-data-retention has been negotiated.
Processing region(s): US (OpenAI does not currently offer in-region EU processing for all API endpoints).
Transfer mechanism: EU SCCs 2021/914 (Module Three) via OpenAI's standard DPA.
Certifications cited by provider: SOC 2 Type II.
Last reviewed by Valiquest: 2026-04-22.

6. Anthropic

Provider: Anthropic, PBC (US).
Service area: LLM inference for selected conversational and analysis features.
Categories of Personal Data processed: Customer Content sent to the model. API tier: Anthropic does not use API inputs or outputs to train models; retention for trust-and-safety monitoring per Anthropic Commercial Terms.
Processing region(s): US.
Transfer mechanism: EU SCCs 2021/914 (Module Three) via Anthropic's DPA.
Certifications cited by provider: SOC 2 Type II.
Last reviewed by Valiquest: 2026-04-22.

7. Google AI / Gemini

Provider: Google LLC (US) under the Generative AI / Gemini API service. EEA contracting via Google Ireland Limited where applicable.
Service area: LLM inference for selected conversational and analysis features.
Categories of Personal Data processed: Customer Content sent to the model. Paid tier: Google does not use prompts to train models; retention per Generative AI Terms of Service.
Processing region(s): Google Cloud regions; verify per call.
Transfer mechanism: EU SCCs 2021/914 (Module Three) via Google's DPA.
Certifications cited by provider: ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3.
Last reviewed by Valiquest: 2026-04-22.

8. Resend (or SendGrid as fallback)

Provider (primary): Resend, Inc. (US) — currently configured for transactional email.
Provider (fallback): Twilio Inc., d/b/a SendGrid (US) — kept on file in case of provider failure.
Service area: Transactional email delivery (invitations, password resets, trial reminders, billing notifications).
Categories of Personal Data processed: Recipient email address, recipient name (if included), email body (which may include account references, organisation name, billing details, in some cases links containing tokens).
Processing region(s): US.
Transfer mechanism: EU SCCs 2021/914 (Module Three) via the provider's DPA.
Certifications cited by provider: SOC 2 Type II (Resend); SOC 2 Type II + ISO 27001 (SendGrid).
Last reviewed by Valiquest: 2026-04-22.

Subprocessors not yet engaged

The following are commonly asked about but Valiquest does not currently engage them:

Mixpanel / Amplitude / PostHog / Hotjar / Segment — no product analytics today.
Google Analytics / Google Tag Manager / Facebook Pixel — no marketing analytics today.
Intercom / Zendesk / Crisp — no live chat today.
Mux / Agora — no third-party media transport (we use Firebase Storage + LiveKit-internal media).
AWS / Azure — not used as primary infrastructure; only in transit via specific LLM providers above.

If we engage any of these in the future, we will give 30 days' notice via the RSS feed at /legal/subprocessors.rss and via email to subscribers.

Audit log of changes

Date	Change	Effective date	Notice given (days)
2026-04-22	Initial publication (v1).	2026-05-19	30

When we add, replace, or remove a Subprocessor:

We update this document and re-publish via the public HTML page and RSS feed.
We send a notice to all info@valiquest.com subscribers and to the billing contact for each customer.
Customers may object on legitimate data-protection grounds within the notice window (see DPA §7.1(d)).

RSS: add https://app.virtualcustomer.io/legal/subprocessors.rss to your RSS reader.
Email: send "Subscribe Subprocessors" to info@valiquest.com. We will also include the billing contact for every paid customer automatically.

Reviewer flags

For the external Swedish data protection / IT lawyer (G4.6.13):

[REVIEW] §1 (Google) Verify that all Firebase modules we use are covered by Google Ireland's contracting entity, or whether some (e.g. Cloud Functions in us-central1) require listing under the US entity.
[REVIEW] §2 (Railway) Verify SOC 2 Type II claim from contract — placeholder pending confirmation.
[REVIEW] §3 (Paddle) Confirm UK Adequacy continues to apply at the publication date — this could change before next review cycle.
[REVIEW] §5 (OpenAI) Confirm whether we have negotiated zero-data-retention with OpenAI for API calls. If yes, update wording.
[REVIEW] §8 (Resend / SendGrid) Confirm we have signed DPAs with both, even if SendGrid is fallback only.
[REVIEW] All sections Verify each "Certifications cited by provider" entry against current provider pages — these change.
[REVIEW] Audit log Confirm 30-day initial notice (rather than 60) is acceptable for the very first list (typical practice is to give the first list as informational rather than as a "change" requiring notice).

End of draft v1 — 2026-04-22