Sub-processor List
This page lists the processors we use to provide Chatric. All sub-processors are bound by written agreements compliant with GDPR Art. 28. We prioritize EEA processing. Where processing occurs in a third country, we implement EU Standard Contractual Clauses (SCCs) and supplementary safeguards. For more details, see our DPA and Privacy Policy.
Advance notice & objections. We aim to notify customer admins at least 30 days in advance (in-app or email) before adding or replacing a sub-processor, where feasible. Customers may object on reasonable privacy/security grounds per our DPA; we'll work in good faith to resolve or allow suspension/termination of the impacted feature.
Current sub-processors
| Vendor | Legal entity | Service / purpose | Data categories | Location | 3rd country transfer | Safeguards & notes |
|---|---|---|---|---|---|---|
| Google Cloud Platform (GCP) | Google Cloud EMEA Limited (and affiliates) | Cloud hosting (compute, storage, networking), databases, monitoring | Account data; prompts/outputs (controller context where applicable); processor-side Customer Data; logs/telemetry | EU (GCP europe-west1) | No (EEA hosted) | Encryption at rest/in transit; DPA in place |
| Firebase Authentication | Google LLC | User authentication (e.g., Google/Facebook sign-in), session validation | Name, email, profile image, auth identifiers/events | US / global auth infra | Yes (US) | SCCs; used solely for authentication and to establish access to user-authorized data sources |
| Sentry | Functional Software, Inc. (Sentry) | Error & performance monitoring (application telemetry) | Pseudonymized error traces, stack traces, timestamps, minimal request metadata | EU residency where enabled; otherwise US | Possible (US) | SCCs; PII redaction enforced; no Customer Data payloads should be sent |
| OpenAI (GPT-5) | OpenAI OpCo, LLC (and affiliates) | Model inference to generate responses | Prompts/outputs only as needed for inference | Global (may include US) | Yes (if outside EEA) | SCCs; no training on Customer Data by default; human access only under narrow exceptions (security/abuse/legal) |
Data minimization. We configure Sentry and OpenAI to avoid sending special-category or unnecessary personal data. Please avoid including such data in prompts or error payloads.
Independent Controllers / Integrations (not sub-processors)
These platforms are usually independent controllers for their own services. You choose to connect them; we act as your processor when we read from or write to them on your instructions.
| Platform | Legal entity | Role | Typical purpose | Data involved | Notes |
|---|---|---|---|---|---|
| Google (GA4 & Google Ads) | Google LLC and affiliates | Independent controller / data source | Reporting & insights (GA4 Data API read-only; Google Ads API read-only usage) | Metrics/dimensions you query; account/property/customer IDs; OAuth tokens | You can revoke access in your Google Account; we delete tokens after revocation. We comply with Google API Services Limited Use. |
| Meta (Facebook) | Meta Platforms, Inc. and affiliates | Independent controller / data recipient | Conversions API & ad activation (if enabled) | Event/campaign metadata you configure; hashed identifiers you choose to send | Your contracts with Meta apply; we act on your instructions. |
| Shopify | Shopify Inc. and affiliates | Independent controller / data source | Commerce data source (orders, customers, products, events) | Order/customer/product data you authorize | Your Shopify terms & privacy apply; we fetch only what you connect. |
How we evaluate sub-processors
- Privacy & security review (residency, encryption, access controls, incident history)
- Contractual controls (Art. 28 DPA; SCCs for transfers; no-training commitments for AI where applicable)
- Data minimization (only what's necessary for the stated purpose)
- Ongoing monitoring and annual re-assessment
Customer responsibilities
- Configure integrations to avoid sending prohibited or unnecessary personal data.
- Ensure a lawful basis for Customer Data sent to/received from independent platforms.
- Use Chatric's filters/hashing/minimization where available.
Questions about this page?
Email info@chatric.ai