Third-Party Service Providers

Effective Date: January 5, 2026
Last Updated: January 5, 2026
Version: 1.0

1. Overview

This document lists the third-party service providers that Voice AI Portal uses to provide our Services. These are carefully selected partners that help us deliver our platform while maintaining the highest standards of data protection and security. We evaluate all service providers based on their security certifications, GDPR compliance, and data protection practices.

As required by Article 28(2) of UK GDPR, this list provides transparency about entities that process personal data on behalf of Voice AI Portal and our customers.​

2. Our Third-Party Service Providers

Service ProviderService TypeData ProcessedLocationSecurity Certifications
SupabaseAuthentication Database, RBAC ManagementEmail addresses, password hashes, authentication tokens, session data, RBAC permissionseu-central-1 (Frankfurt, Germany – EU)SOC 2 Type II, GDPR, ISO 27001
Google Cloud Platform (GCP)Cloud Infrastructure, Application HostingAll application data, call metadata, workspace configurations, usage logs, billing recordseurope-west1 (Belgium – EU)SOC 2, ISO 27001, ISO 27017, ISO 27018, GDPR
CloudflareWeb Application Firewall (WAF), DDoS Protection, SSL Certificates, CDNIP addresses, device information, security logs, domain configurations, traffic dataGlobal network with EU data centersSOC 2, ISO 27001, GDPR, C5 (BSI)
ResendEmail Delivery ServiceEmail addresses, names, email content, delivery logs, bounce dataEU region (default)SOC 2, GDPR
StripePayment ProcessingBilling information, payment card details, transaction history, customer names, addressesUnited StatesPCI DSS Level 1, SOC 2 Type II, ISO 27001, GDPR
Retell AIVoice AI Provider (Client-Connected)Voice call data, API configurations, call metadata (client-managed account)United StatesSOC 2, GDPR
VAPIVoice AI Provider (Client-Connected)Voice call data, API configurations, call metadata (client-managed account)United StatesSOC 2, GDPR
ElevenLabsVoice AI Provider (Client-Connected)Voice call data, API configurations, call metadata (client-managed account)United StatesSOC 2, GDPR
Google AnalyticsWebsite and Platform AnalyticsWebsite usage data, anonymized IP addresses, device information, page viewsUnited StatesSOC 2, ISO 27001, GDPR (with Google Analytics 4 controls)

3. Why We Use These Services

3.1 Authentication and Access Control

Supabase (eu-central-1, Germany)
Supabase provides our authentication database and role-based access control (RBAC) management system. All user credentials, password hashes (bcrypt), authentication tokens (JWT), and workspace permissions are stored securely in Supabase’s EU region. Row Level Security (RLS) policies enforce multi-tenant data isolation at the database level.​

Key Security Features:

  • EU-hosted data (Frankfurt, Germany) ensures GDPR compliance without international transfers
  • AES-256 encryption at rest, TLS 1.3 in transit
  • SOC 2 Type II certified infrastructure
  • Automated encrypted backups with 7-day retention

3.2 Infrastructure Services

Google Cloud Platform (europe-west1, Belgium)
GCP provides our primary cloud infrastructure including application hosting, database storage, and computing power. All customer application data, call analytics metadata, workspace configurations, and usage logs are stored on GCP servers in the EU region.​

Infrastructure Components:

  • Virtual Private Cloud (VPC) with network isolation
  • Cloud SQL for application databases
  • Cloud Storage for file assets and backups
  • Cloud Logging for audit trails and monitoring
  • Cloud KMS for encryption key management

3.3 Security and Performance Services

Cloudflare (Global Network with EU Priority)
Cloudflare provides critical security and performance services including Web Application Firewall (WAF), DDoS protection, SSL/TLS certificate management for white-label domains, and content delivery network (CDN) services.​

Security Services:

  • OWASP Top 10 protection via WAF
  • Automatic DDoS mitigation (up to 100+ Gbps attacks)
  • Bot management and fraud detection
  • Rate limiting and API protection
  • Automatic SSL certificate provisioning and renewal
  • 24/7 security monitoring and threat intelligence

3.4 Communication Services

Resend (EU Region)
Resend handles transactional and system email delivery including account notifications, workspace invitations, security alerts, password resets, and billing confirmations. Default configuration uses EU region infrastructure.​

Email Types Processed:

  • Account authentication (magic login links, password resets)
  • Workspace invitations and user management
  • Security alerts and audit notifications
  • Billing invoices and payment confirmations
  • System updates and maintenance notices

3.5 Payment Services

Stripe (United States)
Stripe handles all payment processing for subscriptions, billing, and invoicing. Voice AI Portal does not store complete payment card details on our servers. All sensitive payment information is stored exclusively by Stripe in their PCI DSS Level 1 certified infrastructure.​

3.6 Voice AI Services (Client-Connected Integrations)

Retell AI, VAPI, and ElevenLabs
These are the voice AI platforms that our clients use and connect to through Voice AI Portal’s integration interface. Important: We do not store voice recordings or full transcripts ourselves. We only connect to these services through APIs to retrieve and display call metadata, analytics, and reference links.​

Data Flow:

  1. Clients maintain their own accounts with voice AI providers
  2. Clients configure API credentials in Voice AI Portal (stored encrypted)
  3. Voice AI Portal retrieves call metadata via provider APIs
  4. Actual recordings/transcripts remain on provider infrastructure
  5. Voice AI Portal displays analytics and reference URLs only

3.7 Analytics Services

Google Analytics (United States)
Google Analytics helps us understand how our website and platform are used so we can improve user experience, identify technical issues, and optimize features.​

4. Data Protection & Security Standards

4.1 Service Provider Requirements

All Voice AI Portal third-party service providers must meet the following minimum requirements:​

Security Certifications:

  • SOC 2 Type II compliance (annual audits)
  • ISO 27001 Information Security Management
  • Industry-specific certifications (PCI DSS for payments, etc.)
  • GDPR compliance and demonstrated data protection practices

Contractual Obligations:

  • Executed Data Processing Agreements (DPAs) per Article 28 UK GDPR
  • Commitment to process data only on documented instructions
  • Confidentiality obligations for all personnel with data access
  • Assistance with data subject rights requests
  • Data breach notification within 24 hours
  • Data deletion or return upon termination

Technical Safeguards:

  • Encryption in transit (TLS 1.2 minimum, TLS 1.3 preferred)
  • Encryption at rest (AES-256 or equivalent)
  • Multi-factor authentication for administrative access
  • Regular security assessments and penetration testing

4.2 International Data Transfers

EU Hosting Priority:
Voice AI Portal prioritizes EU-based infrastructure to minimize international data transfers:

  • Supabase: eu-central-1 (Frankfurt, Germany – no international transfer)
  • GCP: europe-west1 (Belgium – no international transfer)
  • Resend: EU region (no international transfer)
  • Cloudflare: EU data centers prioritized​

Transfers to United States:
For service providers located in the United States (Stripe, Google Analytics, voice AI providers), appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): EU Commission approved clauses for lawful transfers
  • UK International Data Transfer Agreement (IDTA): UK-specific transfer mechanism
  • Supplementary Measures: Encryption, access controls, contractual protections

5. Service Provider Change Management

5.1 Adding or Changing Service Providers

Voice AI Portal reserves the right to add or change third-party service providers as necessary to provide and improve our Services.​

New Service Provider Process:

  1. Due Diligence: Security assessment, certification review, DPA negotiation
  2. Internal Approval: Data Protection Officer and management review
  3. Client Notification: Update this document, email notification to clients
  4. Objection Period: 30 days for clients to object to new service provider
  5. Implementation: After objection period or resolution of objections

5.2 Client Notification

Advance Notice:
Clients will receive 30 days advance notice via email when:

  • New service provider added to this list
  • Material change to existing service provider (location, services, security)
  • Service provider removed or replaced

Notification Method:

  • Email to account administrator
  • Update to this document with “Last Updated” date
  • In-platform notification banner

5.3 Right to Object

Client Objection Rights:
If you object to a new or changed service provider on reasonable data protection grounds:​

  1. Notify Us: Email [email protected] within 30 days of notification
  2. Explanation Required: Provide specific data protection concerns
  3. Good Faith Discussion: We will discuss concerns and potential alternatives
  4. Resolution Options:
    • We implement alternative service provider
    • We provide additional safeguards addressing concerns
    • Client may terminate subscription without penalty if unresolved

6. Contact Information

Data Protection Officer:
Email: [email protected]
Subject: “Service Provider Inquiry – [Your Company]”

Service Provider Objections:
Email: [email protected]
Subject: “Service Provider Objection – [Provider Name]”


This Third-Party Service Providers list was last updated on January 6, 2026. We review this list quarterly and update as needed when service providers are added, removed, or materially changed. Clients receive 30 days advance notice of changes with objection rights as described in Section 5.

Document Version: 1.0
Next Scheduled Review: April 5, 2026