Third-Party Service Providers
Effective Date: January 5, 2026
Last Updated: January 5, 2026
Version: 1.0
1. Overview
This document lists the third-party service providers that Voice AI Portal uses to provide our Services. These are carefully selected partners that help us deliver our platform while maintaining the highest standards of data protection and security. We evaluate all service providers based on their security certifications, GDPR compliance, and data protection practices.
As required by Article 28(2) of UK GDPR, this list provides transparency about entities that process personal data on behalf of Voice AI Portal and our customers.
2. Our Third-Party Service Providers
| Service Provider | Service Type | Data Processed | Location | Security Certifications |
|---|---|---|---|---|
| Supabase | Authentication Database, RBAC Management | Email addresses, password hashes, authentication tokens, session data, RBAC permissions | eu-central-1 (Frankfurt, Germany – EU) | SOC 2 Type II, GDPR, ISO 27001 |
| Google Cloud Platform (GCP) | Cloud Infrastructure, Application Hosting | All application data, call metadata, workspace configurations, usage logs, billing records | europe-west1 (Belgium – EU) | SOC 2, ISO 27001, ISO 27017, ISO 27018, GDPR |
| Cloudflare | Web Application Firewall (WAF), DDoS Protection, SSL Certificates, CDN | IP addresses, device information, security logs, domain configurations, traffic data | Global network with EU data centers | SOC 2, ISO 27001, GDPR, C5 (BSI) |
| Resend | Email Delivery Service | Email addresses, names, email content, delivery logs, bounce data | EU region (default) | SOC 2, GDPR |
| Stripe | Payment Processing | Billing information, payment card details, transaction history, customer names, addresses | United States | PCI DSS Level 1, SOC 2 Type II, ISO 27001, GDPR |
| Retell AI | Voice AI Provider (Client-Connected) | Voice call data, API configurations, call metadata (client-managed account) | United States | SOC 2, GDPR |
| VAPI | Voice AI Provider (Client-Connected) | Voice call data, API configurations, call metadata (client-managed account) | United States | SOC 2, GDPR |
| ElevenLabs | Voice AI Provider (Client-Connected) | Voice call data, API configurations, call metadata (client-managed account) | United States | SOC 2, GDPR |
| Google Analytics | Website and Platform Analytics | Website usage data, anonymized IP addresses, device information, page views | United States | SOC 2, ISO 27001, GDPR (with Google Analytics 4 controls) |
3. Why We Use These Services
3.1 Authentication and Access Control
Supabase (eu-central-1, Germany)
Supabase provides our authentication database and role-based access control (RBAC) management system. All user credentials, password hashes (bcrypt), authentication tokens (JWT), and workspace permissions are stored securely in Supabase’s EU region. Row Level Security (RLS) policies enforce multi-tenant data isolation at the database level.
Key Security Features:
- EU-hosted data (Frankfurt, Germany) ensures GDPR compliance without international transfers
- AES-256 encryption at rest, TLS 1.3 in transit
- SOC 2 Type II certified infrastructure
- Automated encrypted backups with 7-day retention
3.2 Infrastructure Services
Google Cloud Platform (europe-west1, Belgium)
GCP provides our primary cloud infrastructure including application hosting, database storage, and computing power. All customer application data, call analytics metadata, workspace configurations, and usage logs are stored on GCP servers in the EU region.
Infrastructure Components:
- Virtual Private Cloud (VPC) with network isolation
- Cloud SQL for application databases
- Cloud Storage for file assets and backups
- Cloud Logging for audit trails and monitoring
- Cloud KMS for encryption key management
3.3 Security and Performance Services
Cloudflare (Global Network with EU Priority)
Cloudflare provides critical security and performance services including Web Application Firewall (WAF), DDoS protection, SSL/TLS certificate management for white-label domains, and content delivery network (CDN) services.
Security Services:
- OWASP Top 10 protection via WAF
- Automatic DDoS mitigation (up to 100+ Gbps attacks)
- Bot management and fraud detection
- Rate limiting and API protection
- Automatic SSL certificate provisioning and renewal
- 24/7 security monitoring and threat intelligence
3.4 Communication Services
Resend (EU Region)
Resend handles transactional and system email delivery including account notifications, workspace invitations, security alerts, password resets, and billing confirmations. Default configuration uses EU region infrastructure.
Email Types Processed:
- Account authentication (magic login links, password resets)
- Workspace invitations and user management
- Security alerts and audit notifications
- Billing invoices and payment confirmations
- System updates and maintenance notices
3.5 Payment Services
Stripe (United States)
Stripe handles all payment processing for subscriptions, billing, and invoicing. Voice AI Portal does not store complete payment card details on our servers. All sensitive payment information is stored exclusively by Stripe in their PCI DSS Level 1 certified infrastructure.
3.6 Voice AI Services (Client-Connected Integrations)
Retell AI, VAPI, and ElevenLabs
These are the voice AI platforms that our clients use and connect to through Voice AI Portal’s integration interface. Important: We do not store voice recordings or full transcripts ourselves. We only connect to these services through APIs to retrieve and display call metadata, analytics, and reference links.
Data Flow:
- Clients maintain their own accounts with voice AI providers
- Clients configure API credentials in Voice AI Portal (stored encrypted)
- Voice AI Portal retrieves call metadata via provider APIs
- Actual recordings/transcripts remain on provider infrastructure
- Voice AI Portal displays analytics and reference URLs only
3.7 Analytics Services
Google Analytics (United States)
Google Analytics helps us understand how our website and platform are used so we can improve user experience, identify technical issues, and optimize features.
4. Data Protection & Security Standards
4.1 Service Provider Requirements
All Voice AI Portal third-party service providers must meet the following minimum requirements:
Security Certifications:
- SOC 2 Type II compliance (annual audits)
- ISO 27001 Information Security Management
- Industry-specific certifications (PCI DSS for payments, etc.)
- GDPR compliance and demonstrated data protection practices
Contractual Obligations:
- Executed Data Processing Agreements (DPAs) per Article 28 UK GDPR
- Commitment to process data only on documented instructions
- Confidentiality obligations for all personnel with data access
- Assistance with data subject rights requests
- Data breach notification within 24 hours
- Data deletion or return upon termination
Technical Safeguards:
- Encryption in transit (TLS 1.2 minimum, TLS 1.3 preferred)
- Encryption at rest (AES-256 or equivalent)
- Multi-factor authentication for administrative access
- Regular security assessments and penetration testing
4.2 International Data Transfers
EU Hosting Priority:
Voice AI Portal prioritizes EU-based infrastructure to minimize international data transfers:
- Supabase: eu-central-1 (Frankfurt, Germany – no international transfer)
- GCP: europe-west1 (Belgium – no international transfer)
- Resend: EU region (no international transfer)
- Cloudflare: EU data centers prioritized
Transfers to United States:
For service providers located in the United States (Stripe, Google Analytics, voice AI providers), appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): EU Commission approved clauses for lawful transfers
- UK International Data Transfer Agreement (IDTA): UK-specific transfer mechanism
- Supplementary Measures: Encryption, access controls, contractual protections
5. Service Provider Change Management
5.1 Adding or Changing Service Providers
Voice AI Portal reserves the right to add or change third-party service providers as necessary to provide and improve our Services.
New Service Provider Process:
- Due Diligence: Security assessment, certification review, DPA negotiation
- Internal Approval: Data Protection Officer and management review
- Client Notification: Update this document, email notification to clients
- Objection Period: 30 days for clients to object to new service provider
- Implementation: After objection period or resolution of objections
5.2 Client Notification
Advance Notice:
Clients will receive 30 days advance notice via email when:
- New service provider added to this list
- Material change to existing service provider (location, services, security)
- Service provider removed or replaced
Notification Method:
- Email to account administrator
- Update to this document with “Last Updated” date
- In-platform notification banner
5.3 Right to Object
Client Objection Rights:
If you object to a new or changed service provider on reasonable data protection grounds:
- Notify Us: Email [email protected] within 30 days of notification
- Explanation Required: Provide specific data protection concerns
- Good Faith Discussion: We will discuss concerns and potential alternatives
- Resolution Options:
- We implement alternative service provider
- We provide additional safeguards addressing concerns
- Client may terminate subscription without penalty if unresolved
6. Contact Information
Data Protection Officer:
Email: [email protected]
Subject: “Service Provider Inquiry – [Your Company]”
Service Provider Objections:
Email: [email protected]
Subject: “Service Provider Objection – [Provider Name]”
This Third-Party Service Providers list was last updated on January 6, 2026. We review this list quarterly and update as needed when service providers are added, removed, or materially changed. Clients receive 30 days advance notice of changes with objection rights as described in Section 5.
Document Version: 1.0
Next Scheduled Review: April 5, 2026