Sub-processors
Last updated: September 20, 2025
Bot On Site ("we", "us", "our") engages certain third parties to help us deliver, secure, and support the Services. These third parties ("Sub-processors") may process Customer Data on our behalf as described below. Capitalized terms not defined here have the meanings in our Data Processing Addendum ("DPA").
We contractually require every Sub-processor to implement appropriate confidentiality, security, and privacy protections at least as protective as those in our DPA, including international transfer safeguards (e.g., EU Standard Contractual Clauses (SCCs) and the UK Addendum, and—where applicable—participation in the EU-U.S./UK-U.S. Data Privacy Framework).
If we add or replace a Sub-processor, we will (a) post the change here at least 30 days in advance and (b) notify account owners by email.
How we vet and oversee Sub-processors
- Due diligence on security, privacy, compliance, and sub-subprocessor use before engagement
- Written contracts with confidentiality, purpose limitation, and flow-down obligations
- Transfer mechanisms (SCCs Module 3 + UK Addendum, where applicable)
- Least privilege access and data minimization
- Ongoing monitoring and periodic reassessment
Current Sub-processors
Processing locations reflect the vendor's primary facilities for our configuration. Where Customer Data originates from the EEA/UK and is transferred to the U.S., we rely on SCCs + UK Addendum (and DPF where applicable).
| Vendor | Purpose | Categories of Personal Data | Processing Location(s) | Transfer Mechanism(s) | Core/Optional | Typical Retention |
|---|---|---|---|---|---|---|
| Vercel, Inc. | Application hosting, serverless compute, edge/CDN delivery and logs | IP address, request metadata/headers, minimal telemetry; may include chat/lead payloads in transit | United States (with global edge distribution) | SCCs + UK Addendum; DPF where applicable | Core | Edge/CDN logs per vendor policy; app data per our storage |
| Supabase, Inc. | Managed Postgres database, object storage, authentication | Lead/contact data (name, email, phone), chat transcripts, account/admin data, auth identifiers | United States | SCCs + UK Addendum | Core | Per our retention settings; backups/replicas per policy |
| Fly.io, Inc. | Background workers/queues, job execution, networking | Pseudonymous operational data; may process chat/lead payloads as jobs | United States (regionalized by us) | SCCs + UK Addendum | Core | Ephemeral job data; logs per vendor TTL |
| OpenAI, L.L.C. | LLM inference to generate responses to site visitors | Chat prompts & responses; may include lead fields you configure | United States | SCCs + UK Addendum | Core | Ephemeral processing; no model training on Customer Data without explicit opt-in |
| Voyage AI, Inc. | Embeddings/LLM services for semantic search/retrieval | Text content and vectors derived from Customer Data | United States | SCCs + UK Addendum | Core (if enabled globally); can be disabled on request | Ephemeral/short-term; no training without opt-in |
| Twilio Inc. | SMS/voice notifications and messaging to your team or customers (if enabled) | Phone numbers, message content/metadata | United States | SCCs + UK Addendum; DPF where applicable | Optional (only if you enable SMS/voice features) | Message logs per vendor TTL; delivery records for compliance |
| Twilio SendGrid, Inc. | Transactional email (account notices, install tips, lead routing) | Recipient email, message content/metadata | United States | SCCs + UK Addendum; DPF where applicable | Core | Delivery logs per vendor TTL; copies in recipient mailboxes |
| Stripe, Inc. | Subscription billing and payments | Billing contact details, payment metadata (we do not store full card numbers) | United States | SCCs + UK Addendum; DPF where applicable | Core | As required for tax/financial/legal retention; note Stripe may act as an independent controller for certain activities (e.g., fraud prevention) |
Not a Sub-processor: Next.js is a software framework used to build our application and does not independently process Customer Data.
Feature-dependent / customer-requested integrations
Some processing occurs only if you enable an integration (e.g., pushing leads to your CRM, helpdesk, calendars, or SMS provider). In those cases, the third party typically acts as your independent controller or processor under its terms. We transmit data only as you instruct.
| Integration Category | Example Use | Who Chooses | Data Flow |
|---|---|---|---|
| CRM / Marketing | Push new leads into your CRM | You | Bot On Site → Your CRM |
| Helpdesk | Create/update support tickets | You | Bot On Site ↔ Your Helpdesk |
| Communications | SMS/email alerts to your team | You | Bot On Site → Your provider |
Processing locations & international transfers
We primarily process Customer Data in the United States. Where data is transferred from the EEA/UK to the U.S., we rely on SCCs (Module 3) and the UK Addendum (and, where a vendor participates, the EU-U.S./UK-U.S. Data Privacy Framework). Sub-processors must implement appropriate technical and organizational measures.
Advance notice & right to object
- Notice: We will update this page and email account owners ≥30 days before adding or replacing a Sub-processor.
- Objection: If you have reasonable grounds to object, email support@botonsite.com within 15 days of notice. We'll work in good faith to provide a commercially reasonable alternative. If we cannot, you may terminate the affected Services and receive a pro-rata refund of prepaid fees for the terminated portion.
- Subscribe to updates: Email support@botonsite.com with subject "Subscribe to Sub-processor Updates."
Sub-processor change log
- September 20, 2025 – Initial publication of the Sub-processor list (Vercel, Supabase, Fly.io, OpenAI, Voyage, Twilio, SendGrid, Stripe).
Contact
Questions? Contact support@botonsite.com.