Subprocessors

Last updated 17 April 2026 · Change notifications: subprocessors@xeso.ai
Pre-GA status · under review

The subprocessors below are the providers we intend to use. DPAs and SCCs are being finalised with each vendor before we handle customer personal data in production. We'll publish the signed versions and the go-live date before any real customer data reaches these systems. Nothing here should be read as a representation that agreements are in place today.

What is a subprocessor?

A subprocessor is any third-party service that processes personal data on our behalf. Under the GDPR (Article 28), CCPA, and the Australian Privacy Act, we disclose the identity of those parties so you can evaluate them as part of your data governance review. Each provider below will have a signed Data Processing Agreement (DPA), or operate under a parent provider's DPA, before production use.

Intended subprocessors

The table below is the authoritative list of intended subprocessors as of 17 April 2026. Status: under review — not yet live for production customer data. We will update this list at least 30 days before onboarding a new subprocessor once we are in general availability. Subscribe to change notifications by emailing subprocessors@xeso.ai — we'll email the change before it takes effect.

Google Cloud Platform

Under review · DPA pending
Purpose: Application hosting, storage, logging
Data category: All customer data at rest + in transit
Location: United States (us-central1)
DPA: Signed
Certifications: SOC 2 Type II, ISO 27001, ISO 27017/18
Private VPC; no public database endpoint.

Cloud SQL for PostgreSQL

Under review · DPA pending
Purpose: Primary application database
Data category: Notes, segments, auth metadata, PII
Location: United States (inherits GCP region)
DPA: Under GCP master DPA
Certifications: Inherited from GCP
Private IP only; daily backups; 7-day PITR window.

Google Gemini (Generative Language API)

Under review · DPA pending
Purpose: LLM inference for chat, summaries, classification
Data category: Prompt text + completions. We do not send identifiers by default.
Location: United States
DPA: Reviewed — Google's Generative AI API terms apply
Certifications: Enterprise API tier
Customer data is NOT used to train foundation models.

Groq

Under review · DPA pending
Purpose: Optional audio transcription fallback when GROQ_API_KEY is configured
Data category: Audio chunks and transcripts for user-requested media imports
Location: United States
DPA: Pending - do not enable in production without DPA
Certifications: Vendor review required before production enablement
Code path is gated by GROQ_API_KEY; leave unset unless legal approval is complete.

OpenAI

Under review · DPA pending
Purpose: Optional BYOK LLM inference when a user supplies their own OpenAI key
Data category: User query + retrieved snippets for BYOK requests
Location: Per OpenAI API region
DPA: User-elected provider terms
Certifications: Vendor maintained
Only used when a user configures their own provider key.

Anthropic

Under review · DPA pending
Purpose: Optional BYOK LLM inference when a user supplies their own Anthropic key
Data category: User query + retrieved snippets for BYOK requests
Location: Per Anthropic API region
DPA: User-elected provider terms
Certifications: Vendor maintained
Only used when a user configures their own provider key.

Stripe

Under review · DPA pending
Purpose: Billing, subscription management, invoicing
Data category: Payment metadata (PANs never stored by XESO), billing email
Location: United States
DPA: Signed
Certifications: SOC 2 Type II, PCI-DSS Level 1

Resend

Under review · DPA pending
Purpose: Transactional email delivery (magic links, digests)
Data category: Email address, email subject, body
Location: United States
DPA: Signed
Certifications: SOC 2 Type II
Full note bodies are never emailed.

PostHog

Under review · DPA pending
Purpose: Product analytics (self-host fallback to PostHog Cloud)
Data category: Pseudonymous user ID, event names, event properties (PII-stripped)
Location: United States
DPA: Signed
Certifications: SOC 2 Type II
IP addresses are anonymised at ingest; users may opt out in settings.

Sentry

Under review · DPA pending
Purpose: Error monitoring and performance traces
Data category: Stack traces, request metadata, scrubbed user context
Location: United States
DPA: Signed
Certifications: SOC 2 Type II
PII scrubbing filters applied before ingest; optional — only enabled when SENTRY_DSN is set.

GitHub

Under review · DPA pending
Purpose: Source code, CI, SBOM publication
Data category: Source code, commit metadata, built artifacts
Location: United States
DPA: Enterprise agreement
Certifications: SOC 2 Type II, ISO 27001

Vercel

Under review · DPA pending
Purpose: Preview deployments only (production runs on GCP)
Data category: Per-branch preview site data
Location: United States
DPA: Signed
Certifications: SOC 2 Type II
Preview deploys use seed data; no production customer data.

International transfers

Most of our subprocessors are located in the United States. For EU/EEA and UK customers we rely on Standard Contractual Clauses (SCCs) and, where offered, the EU-US Data Privacy Framework certification. For Australian customers, cross-border disclosures meet Australian Privacy Principle (APP) 8 requirements.

Change notification

New subprocessors are announced via email (if you've subscribed) and updated here at least 30 calendar days before they go live. Customers with an active subscription can object to a new subprocessor by emailing subprocessors@xeso.ai within 15 calendar days of notification.

Contact

Amalgam Holdings Pty Ltd
Email: subprocessors@xeso.ai
Postal: available on request.