1. How to read this list
A "sub-processor" is a third-party vendor that may process personal information on our behalf in the course of providing the Service. Each entry below names the vendor, category of processing, primary hosting region, and data category currently disclosed for review.
1.1Vendor processing terms, transfer terms, onward-transfer restrictions, and equivalent security obligations must be confirmed from the maintained contract/legal source.
1.2Vendors are grouped by category. The categories are hosting & infrastructure, email delivery, model providers, payment processing, authentication, analytics, error tracking, and observability. We do not use ad-tech or marketing-attribution sub-processors; see the Cookie Policy for why.
1.3Where a vendor operates globally, the "Location" column shows the region intended for Airheart data. Edge transit, storage region, and transfer terms should be confirmed from the active vendor configuration and contract record.
2. Sub-processor table
| Sub-processor | Purpose | Location | Data category | Transfer mechanism |
|---|---|---|---|---|
| Hosting & infrastructure | ||||
| Amazon Web Services, Inc. | Primary application hosting, database, object storage, background workers. | us-east-1 eu-central-1 | Account data, Voyage content, agent conversation history, traveler records, telemetry. | Contract/legal source required |
| Cloudflare, Inc. | CDN, DNS, DDoS mitigation, bot management, TLS termination at the edge. | Global edge (EU / US primary) | Request metadata (IP, user-agent, URL), TLS session data. No application payloads persisted. | Contract/legal source required |
| Email delivery | ||||
| Postmark (ActiveCampaign, LLC) | Transactional email — sign-in codes, receipts, policy notifications, security alerts. | us-east-1 | Recipient email, message content (scoped to transactional triggers), delivery events. | Contract/legal source required |
| Model providers | ||||
| Anthropic, PBC | Large-language-model inference for the Airheart agent. Retention configuration must match the active provider contract. | us-west-2 | Prompt content submitted to the agent, completions, routing metadata. Provider retention is contract-controlled. | Contract/legal source required |
| OpenAI, LLC | Large-language-model inference and embeddings for the agent router and search ranking. Retention configuration must match the active provider contract. | us-east-1 | Prompt content, completions, embedding inputs. Provider retention is contract-controlled. | Contract/legal source required |
| Payment processing | ||||
| Stripe, Inc. | Payment authorization, capture, refunds, tax calculation, invoicing. | us-east-1 eu-west-1 | Payment method token, billing name and address, amount, card network metadata. Card-data handling is processor-controlled. | Processor terms required |
| Authentication / OIDC | ||||
| WorkOS, Inc. | SSO, directory sync, and SCIM provisioning for Organization tier customers. Consumer sign-in uses the customer's IdP directly. | us-east-1 | OIDC subject ID, email, directory attributes (role, team) for Organization tier customers only. | Contract/legal source required |
| Analytics | ||||
| Plausible Insights OÜ | Pseudonymous first-party analytics — page-view counts, navigation timing, feature usage. No cross-site tracking. | eu-central-1 (Germany) | Pseudonymous visitor ID, URL path, referrer, user-agent class. No personal identifiers. | Contract/legal source required |
| Error tracking | ||||
| Functional Software, Inc. (Sentry) | Application error tracking, performance monitoring, session replay on opt-in only. Request bodies and auth tokens scrubbed before transmission. | us-east-1 | Stack traces, URL path, user-agent, pseudonymous session ID. PII filters applied at the SDK. | Contract/legal source required |
| Search | ||||
| Algolia, Inc. | Full-text search indexing for public catalogues and the marketplace. No personal information in indices. | us-east-1 eu-west-3 (Paris) | Public catalogue content, publisher names, catalogue metadata. No customer PII. | Contract/legal source required |
| Observability | ||||
| Grafana Labs, Inc. | Logs, metrics, traces, and alerting for platform operations. Personal information filtered from log payloads. | us-east-1 eu-west-1 | Application logs, metrics, distributed traces. Personal-data filtering is controlled by the active observability implementation. | Contract/legal source required |
2.1This is the current route disclosure. If a vendor appears to process Airheart customer data and is not named here, report the gap to privacy@airheart.com for legal/source review.
2.2Some vendors above themselves use sub-processors (for example, AWS's own infrastructure suppliers). Those are governed by the vendor's own terms and disclosed through their sub-processor lists; review status belongs in the legal/procurement record.
3. Transfer mechanisms
Where a sub-processor stores or processes personal information outside the European Economic Area, the United Kingdom, or Switzerland, transfer terms must be confirmed from the maintained legal source or signed contract.
- Transfer clauses — confirmed through the active contract source.
- Regional commitments — confirmed from vendor configuration and contract records.
- Technical measures — confirmed from maintained security evidence before publication.
3.1Transfer review artifacts can be requested through dpo@airheart.com and are provided where the active legal source supports them.
3.2Security measures such as encryption, tenant scoping, and minimization require maintained security evidence before this page states them as commitments.
4. Changes & notifications
Notice terms come from policy or contract.
When we plan to add or replace a sub-processor, notice timing and recipient scope are controlled by the applicable policy or signed contract. Notices should name the vendor, purpose, location, data category, and planned effective date where required.
Objection rights, alternatives, exclusions, termination rights, and refunds are contract terms, not route-local promises.
4.1Emergency replacement. If a sub-processor suffers an outage, security incident, or contract termination, emergency replacement and notice timing follow the maintained legal/ops process and any signed contract terms.
4.2Non-material changes. A vendor renaming itself, a change of business entity in the same corporate group, or a change of sub-region within the same legal jurisdiction does not trigger the 30-day notice — but the table above is updated and the changelog is written.
4.3The version history for this list is at /legal/subprocessors/changelog. Entries include what changed, when it took effect, and (where applicable) the notice email that accompanied the change.
5. Contact
Questions about a specific sub-processor, processing terms, or a subscription to the notice list all go to the same inbox. Response timing is handled by the current legal operations process.
Data Protection Officer
Priya Ramanathan, Airheart Inc.
Sub-processor questions, transfer-review requests, notice-list subscriptions, and processing-term redlines.
dpo@airheart.com privacy@airheart.com legal@airheart.comPostal address
Airheart Inc.
Attn: Data Protection Officer
Austin, TX 78701
United
States
See also: Privacy Policy and Cookie Policy.