Sub-processors
Last updated: April 21, 2026
A sub-processor is a third-party service provider that processes personal data on our behalf as part of delivering Chattlebot. We maintain this list so our customers and their users can see every service that might touch their data.
We provide at least 30 days' notice before adding a new core sub-processor. Customers who subscribe to material update notifications will receive an email; all visitors can subscribe to this page via RSS or bookmark it.
Core sub-processors
Every Chattlebot customer's data flows through each of the services below. Changes to this list are considered material and are notified to customers in advance.
Google Cloud AI (Gemini API)
AI & machine learning
Generates chatbot responses from the prompt, context, and knowledge-base passages provided by Chattlebot.
- Data processed
- Chat conversation content
- Knowledge-base documents
- Processing location
- United States / Global (Google Cloud)
- Transfer safeguard
- EU Standard Contractual Clauses (2021/914) + Google Cloud DPA
Supabase
Infrastructure
Primary application database, authentication, file storage, and realtime infrastructure.
- Data processed
- Customer account data
- Customer or lead email
- Chat conversation content
- Knowledge-base documents
- Lead contact details
- Visitor session metadata
- Processing location
- European Union (Frankfurt, eu-central-1)
- Transfer safeguard
- Hosted in the EEA — no cross-border transfer required
Firecrawl
Content ingestion
Fetches and normalizes customer-submitted URLs into plain text for knowledge-base ingestion.
- Data processed
- URLs submitted for ingestion
- Processing location
- United States
- Transfer safeguard
- EU Standard Contractual Clauses (2021/914) + Firecrawl DPA
Resend
Transactional email
Sends transactional email: account verification, magic links, lead notifications, export/deletion confirmations.
- Data processed
- Customer or lead email
- Lead contact details
- Processing location
- United States
- Transfer safeguard
- EU Standard Contractual Clauses (2021/914) + Resend DPA
Polar.sh
Billing & invoicing
Processes subscription billing, invoices, and customer portal access.
- Data processed
- Customer account data
- Customer or lead email
- Billing identifiers (no card data — handled by Polar/Stripe)
- Processing location
- European Union
- Transfer safeguard
- Processed in the EEA — Stripe sub-processor under EU SCCs
Vercel (Hosting, Analytics, Speed Insights)
Hosting & performance
Hosts the Chattlebot web application and widget, and provides privacy-friendly page-view analytics.
- Data processed
- Visitor IP address
- Visitor session metadata
- Aggregated page-view analytics
- Processing location
- Global edge network; EU region preferred where available
- Transfer safeguard
- EU Standard Contractual Clauses (2021/914) + Vercel DPA
Optional sub-processors
These providers are engaged only if a customer activates the matching integration on one of their bots. No data is shared with them until the customer takes that explicit action.
HubSpot
Customer-enabled integrations
Syncs leads, contacts, and conversation context into the customer's HubSpot CRM instance.
- Data processed
- Lead contact details
- Chat conversation content
- Processing location
- United States / European Union (customer-selected region)
- Transfer safeguard
- EU Standard Contractual Clauses (2021/914) + HubSpot DPA
- Engaged when
- hubspot
Salesforce
Customer-enabled integrations
Syncs leads, contacts, and opportunities into the customer's Salesforce org.
- Data processed
- Lead contact details
- Chat conversation content
- Processing location
- Multi-region (customer-selected)
- Transfer safeguard
- EU Standard Contractual Clauses (2021/914) + Salesforce DPA
- Engaged when
- salesforce
Shopify
Customer-enabled integrations
Reads product, inventory, and order data for chatbots answering store questions.
- Data processed
- Customer or lead email
- Lead contact details
- Processing location
- United States / Canada
- Transfer safeguard
- EU Standard Contractual Clauses (2021/914) + Shopify DPA
- Engaged when
- shopify
WooCommerce (customer-hosted)
Customer-enabled integrations
Reads product and order data from the customer's self-hosted WooCommerce store.
- Data processed
- Customer or lead email
- Lead contact details
- Processing location
- Customer-controlled (self-hosted WordPress)
- Transfer safeguard
- Direct controller-to-controller — customer owns the endpoint
- Engaged when
- woocommerce
Calendly
Customer-enabled integrations
Looks up availability and books meetings on behalf of chatbot visitors.
- Data processed
- Lead contact details
- Customer or lead email
- Processing location
- United States
- Transfer safeguard
- EU Standard Contractual Clauses (2021/914) + Calendly DPA
- Engaged when
- calendly
Slack
Customer-enabled integrations
Delivers lead notifications and conversation summaries into the customer's Slack workspace.
- Data processed
- Lead contact details
- Chat conversation content
- Processing location
- United States / European Union (customer-selected region)
- Transfer safeguard
- EU Standard Contractual Clauses (2021/914) + Slack DPA
- Engaged when
- slack
Zendesk
Customer-enabled integrations
Creates support tickets and attaches conversation transcripts in the customer's Zendesk account.
- Data processed
- Lead contact details
- Chat conversation content
- Customer or lead email
- Processing location
- United States / European Union (customer-selected region)
- Transfer safeguard
- EU Standard Contractual Clauses (2021/914) + Zendesk DPA
- Engaged when
- zendesk
Customer-defined webhook endpoint
Customer-enabled integrations
Forwards lead or event payloads to a customer-controlled endpoint configured by the customer.
- Data processed
- Lead contact details
- Chat conversation content
- Processing location
- Controlled by customer (the endpoint they configure)
- Transfer safeguard
- Direct controller-to-controller — customer owns the receiving system
- Engaged when
- custom_webhook
Updates to this list
We treat the addition or replacement of any core sub-processor as a material change. We will post an update here, dated, at least 30 days before the change takes effect. Customers who object may terminate the affected service in line with the DPA.
Questions about this list
Email us at info@chattlebot.com for sub-processor questions or to request an executed DPA.