XESO

Subprocessors

Last updated 17 April 2026 · Change notifications: subprocessors@xeso.ai

What is a subprocessor?

A subprocessor is any third-party service that processes personal data on our behalf. Under the GDPR (Article 28), CCPA, and the Australian Privacy Act, we disclose the identity of those parties so you can evaluate them as part of your data governance review. Every subprocessor listed below has a signed Data Processing Agreement (DPA) or is operating under a parent provider's DPA.

Current subprocessors

The table below is the authoritative list as of 17 April 2026. We update this list at least 30 days before onboarding a new subprocessor that receives customer personal data. Subscribe to change notifications by emailing subprocessors@xeso.ai — we'll email the change before it takes effect.

Google Cloud Platform

Purpose: Application hosting, storage, logging
Data category: All customer data at rest + in transit
Location: United States (us-central1)
DPA: Signed
Certifications: SOC 2 Type II, ISO 27001, ISO 27017/18
Private VPC; no public database endpoint.

Cloud SQL for PostgreSQL

Purpose: Primary application database
Data category: Notes, segments, auth metadata, PII
Location: United States (inherits GCP region)
DPA: Under GCP master DPA
Certifications: Inherited from GCP
Private IP only; daily backups; 7-day PITR window.

Google Gemini (Generative Language API)

Purpose: LLM inference for chat, summaries, classification
Data category: Prompt text + completions. We do not send identifiers by default.
Location: United States
DPA: Reviewed — Google's Generative AI API terms apply
Certifications: Enterprise API tier
Customer data is NOT used to train foundation models.

Stripe

Purpose: Billing, subscription management, invoicing
Data category: Payment metadata (PANs never stored by XESO), billing email
Location: United States
DPA: Signed
Certifications: SOC 2 Type II, PCI-DSS Level 1

Resend

Purpose: Transactional email delivery (magic links, digests)
Data category: Email address, email subject, body
Location: United States
DPA: Signed
Certifications: SOC 2 Type II
Full note bodies are never emailed.

PostHog

Purpose: Product analytics (self-host fallback to PostHog Cloud)
Data category: Pseudonymous user ID, event names, event properties (PII-stripped)
Location: United States
DPA: Signed
Certifications: SOC 2 Type II
IP addresses are anonymised at ingest; users may opt out in settings.

Sentry

Purpose: Error monitoring and performance traces
Data category: Stack traces, request metadata, scrubbed user context
Location: United States
DPA: Signed
Certifications: SOC 2 Type II
PII scrubbing filters applied before ingest; optional — only enabled when SENTRY_DSN is set.

GitHub

Purpose: Source code, CI, SBOM publication
Data category: Source code, commit metadata, built artifacts
Location: United States
DPA: Enterprise agreement
Certifications: SOC 2 Type II, ISO 27001

Vercel

Purpose: Preview deployments only (production runs on GCP)
Data category: Per-branch preview site data
Location: United States
DPA: Signed
Certifications: SOC 2 Type II
Preview deploys use seed data; no production customer data.

International transfers

Most of our subprocessors are located in the United States. For EU/EEA and UK customers we rely on Standard Contractual Clauses (SCCs) and, where offered, the EU-US Data Privacy Framework certification. For Australian customers, cross-border disclosures meet Australian Privacy Principle (APP) 8 requirements.

Change notification

All new subprocessors are announced via email (if you've subscribed), and this page is updated at least 30 calendar days before they go live. Customers with an active subscription can object to a new subprocessor by emailing subprocessors@xeso.ai within 15 calendar days of notification.

Contact

Amalgam Holdings Pty Ltd
Email: subprocessors@xeso.ai
Postal: available on request.