Security and GDPR readiness

Vendor transparency

Sub-processors

These providers may process customer personal data to operate the platform, depending on the customer plan, configured integrations, and enabled workflows.

Last updated 20 February 2026. Customers may object to material sub-processor changes according to the applicable DPA or written agreement.

Core

Purpose: Application hosting, builds, edge delivery, and serverless function execution

Data categories: Application traffic, logs, deployment metadata, limited request data processed by app routes

Location: Vercel Functions: Frankfurt, Germany (fra1)

Safeguards: DPA, security controls, regional function configuration, encrypted transport

Supabase

Core

Purpose: Postgres database, authentication, storage, realtime, and platform backend services

Data categories: Account, organization, CRM, lead, vehicle, document, consent, audit, and authentication data

Location: Supabase: Central EU / Frankfurt, Germany (eu-central-1)

Safeguards: DPA, EU project region, row-level security, encryption at rest and in transit, SOC 2 controls

Optional

Used only for enabled AI features and configured organization workflows.

Purpose: AI assistance, summarization, classification, extraction, drafting, and operational analysis

Data categories: Minimized prompts, operational context, selected images where enabled, outputs, and usage metadata

Location: OpenAI API with EU data residency where enabled; otherwise DPA/SCC-protected processing

Safeguards: DPA, SCCs where needed, provider data controls, privacy gateway, minimization and human review

Resend or SendGrid

Optional

Used when system or organization email delivery is configured.

Purpose: Transactional and operational email delivery

Data categories: Email addresses, message headers, message bodies, delivery metadata, bounce and complaint data

Location: Provider-controlled regions depending on account configuration

Safeguards: Provider DPA, TLS delivery where supported, access controls, suppression handling

Optional

Used when SMS or Twilio messaging is enabled.

Purpose: SMS and messaging delivery

Data categories: Phone numbers, message content, delivery logs, webhook metadata

Location: Provider-controlled regions depending on account configuration

Safeguards: Provider DPA, channel consent controls, rate limits, audit logs

Meta WhatsApp Business Platform

Optional

Used when WhatsApp Business is connected.

Purpose: WhatsApp Business messaging and webhook delivery

Data categories: Phone numbers, WhatsApp identifiers, message content, templates, delivery/read metadata

Location: Meta-controlled global infrastructure

Safeguards: Meta business terms, channel consent controls, template approvals, audit logs

Optional

Used when paid plans, invoices, or payment flows are enabled.

Purpose: Payment processing, invoicing, subscription management, and tax-relevant billing records

Data categories: Billing contacts, payment metadata, invoices, transaction references, VAT/tax details

Location: Provider-controlled global infrastructure

Safeguards: Provider DPA/data terms, PCI controls, limited payment data exposure to the application

Customer enabled

Used only when an authorized user connects a Google or Gmail account.

Purpose: OAuth sign-in, Gmail inbox sync, Gmail sending, calendar or productivity integrations

Data categories: OAuth identifiers, email metadata/content where enabled, tokens, sync and delivery metadata

Location: Google-controlled global infrastructure

Safeguards: Google API policies, limited-use commitments, OAuth scopes, token encryption, revocation controls

Upstash

Optional

Used when Upstash Redis rate limiting is configured.

Purpose: Rate limiting, abuse prevention, and transient operational counters

Data categories: Request identifiers, IP-derived keys, counters, timestamps, and rate-limit metadata

Location: Configured database region

Safeguards: Provider DPA, low-data retention design, hashed or minimized keys where implemented

Inngest

Optional

Used only when background jobs are enabled.

Purpose: Background job orchestration and workflow event delivery

Data categories: Event names, workflow payloads, run metadata, timestamps, and error logs

Location: Provider-controlled infrastructure depending on account configuration

Safeguards: Provider DPA/data terms, event minimization, webhook secrets, queue access controls

Customer-enabled integrations

If a customer connects a marketplace, bank, email account, social account, messaging channel, or other third-party integration, that provider may also process data under its own terms or under the customer's agreement with that provider.

Questions or objections

Send vendor due-diligence, DPA, SCC, or sub-processor questions to privacy@dotgrey.co.
