Answer
Identity First Media uses nine sub-processors to deliver the platform. We have a Data Processing Agreement (DPA) in place with each sub-processor. Below you will find an overview of who does what and where your data is processed.
Sub-processors
| Company | Country | Role | Data processed |
|---------|---------|------|----------------|
| Supabase | DE (Frankfurt) | Database, authentication, file storage | All account data, content, customer data |
| Vercel | EU | Website hosting and CDN | Public website content, visitor requests |
| Cloudflare | EU | CDN, R2 storage, media processing | Media (audio, video, images) |
| Stripe | EU (Ireland) | Payment processing | Payment details, order history |
| SendGrid (Twilio) | US* | Email delivery | Email addresses, email content |
| Anthropic | US* | AI content generation (Claude) | Identity profile, transcripts (pseudonymized) |
| OpenAI | US* | Embeddings for help feature | Help article texts (no personal data) |
| xAI | US* | AI content generation (Grok) | Identity profile, transcripts (pseudonymized) |
| Deepgram | US* | Speech-to-text transcription | Audio files |
\* Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR are in place with all US-based parties. Several parties are certified under the EU-US Data Privacy Framework.
Pseudonymization for AI processing
When generating content, personal data from your customers (contact details, social media accounts) is automatically filtered out before data is sent to AI providers. This is handled by the built-in PII filter.
Tips
- None of the AI providers use your data for model training (Zero Data Retention or equivalent agreements)
- All EU data stays in the EU. US processing is limited to API calls with SCCs
- This overview is updated whenever our sub-processor register changes