Every third party that processes your data when you use AIVA. We list all of them, what they do, where they sit, and how they're certified — so your security review can be done in an afternoon, not a month.
These vendors run the platform itself — hosting, observability, billing, transactional email. None of them have access to your conversation content; only AWS (encrypted at rest, encryption keys held by us) and Sentry (with PII scrubbing) touch it incidentally.
| Sub-processor | Purpose | Region | Certifications |
|---|---|---|---|
| Amazon Web Services | Application hosting, primary database, object storage | EU (Frankfurt), US (Virginia) | SOC 2 · ISO 27001 · HIPAA |
| Cloudflare | CDN, DDoS protection, edge cache | Global | SOC 2 · ISO 27001 |
| Stripe | Payment processing, billing, subscriptions | US, EU (Ireland) | PCI DSS · SOC 2 |
| Sentry | Error tracking and performance monitoring | EU (Frankfurt) | SOC 2 · ISO 27001 |
| Plausible Analytics | Cookieless website analytics — aggregate only, no session replay or personal data | EU (Germany) | GDPR-compliant · EU-hosted |
| Postmark | Transactional email delivery | US | SOC 2 |
These carriers route messages and calls between you, your customers, and AIVA. They see message content in transit — same as any other telecom carrier — but never store it longer than required by their own retention windows (typically 7–30 days, configurable).
Speech-to-text (Deepgram) and text-to-speech (ElevenLabs) operate on audio streams in real time. Audio is not retained for training under our contracts with either vendor.
| Sub-processor | Purpose | Region | Certifications |
|---|---|---|---|
| Twilio | Voice calls, SMS | US, EU (Ireland) | SOC 2 · ISO 27001 · HIPAA · PCI |
| Plivo | Voice & SMS — Indian carrier routing | India, US | SOC 2 · ISO 27001 |
| Exotel | Indian voice & SMS — Tier 1 carrier routing | India | ISO 27001 · CMMI L5 |
| Deepgram | Speech-to-text (transcription for voice) | US | SOC 2 · HIPAA |
| ElevenLabs | Text-to-speech (AIVA voice synthesis) | US, EU | SOC 2 |
These vendors host the foundation models AIVA uses for reasoning, retrieval, and generation. All four run under zero-data-retention contracts — your inputs and outputs are not stored, logged for training, or accessible to vendor staff.
We route conversations to whichever model performs best for your use case. You can request a pin to a specific provider for compliance reasons.
| Sub-processor | Purpose | Region | Certifications |
|---|---|---|---|
| OpenAI | Conversational reasoning (zero-data-retention) | US | SOC 2 — ZDR enabled, no training on customer data |
| Anthropic | Conversational reasoning (zero-data-retention) | US | SOC 2 — ZDR enabled, no training on customer data |
| Voyage AI | Embeddings for retrieval / RAG | US | SOC 2 — no training on customer data |
| Cohere | Re-ranker for retrieval (failover) | US, Canada | SOC 2 |
AIVA staff use these tools to run the company. They do not process your customers' conversation data — they hold metadata only (your contract terms, our internal tickets, the marketing site).
We list them because some compliance reviews ask. If you don't care about AIVA's internal stack, skip this section.
| Sub-processor | Purpose | Region | Certifications |
|---|---|---|---|
| Google Workspace | Internal email, docs, calendars for AIVA staff | Global | SOC 2 · ISO 27001 · ISO 27017 |
| Linear | Engineering issue tracking (no customer data) | US | SOC 2 |
| GitHub | Source code, deployment, CI | US | SOC 2 · ISO 27001 |
| Vercel | Marketing site (aivachat.io) hosting only | Global | SOC 2 |
| HubSpot | CRM for AIVA sales — never your customer data | EU, US | SOC 2 · ISO 27001 |
We give 30 days' written notice before adding a new sub-processor or replacing an existing one — sent to the email address on your billing account.
You can also subscribe to the standalone change feed (RSS or email digest). New entries appear here within 7 days of any change.
aivachat.io/sub-processors/feed.xmlIf you object to a new sub-processor on reasonable data-protection grounds, you have two options:
Object by emailing dpo@aivachat.io. We respond within 5 business days.
This list is governed by the Data Processing Addendum, section 04 (“Sub-processors”). Read that for the full contractual terms.