Subprocessors | Voice2Evolve®

Last updated: March 13, 2026

Voice2Evolve UG (haftungsbeschränkt) ("Voice2Evolve") uses the following third-party subprocessors to deliver the Voice2Evolve Services. All subprocessors are bound by data processing agreements with obligations equivalent to those set out in the Master Data Processing Agreement (MDPA).

This list is maintained in accordance with GDPR Article 28(2). Voice2Evolve will provide reasonable prior notice of new or changed subprocessors. To receive notifications, contact help@voice2evolve.com.

Current Subprocessors

Provider	Role	Data Location	Legal Safeguards
Supabase Inc.	Database, Authentication	EU (Stockholm, Sweden primary hosting); onward transfers to United States / Singapore subprocessors	Supabase DPA + SCCs + supplementary safeguards documented in Supabase TIA
OpenAI, L.L.C.	AI Inference / Voice API	United States	SCCs + CPRA Compliance
Stripe Payments Europe Ltd.	Payment Processing	EU / United States	GDPR DPA + SCCs
Vercel Inc.	Frontend Hosting (CDN)	EU / United States	SCCs
Railway Corp.	Backend Infrastructure	EU	GDPR DPA
Cloudflare, Inc.	DNS Resolution, WebRTC TURN Relay	EU / United States	GDPR DPA + SCCs
Sentry, Inc.	Error Monitoring	EU / United States	GDPR DPA + SCCs
Rybbit	Website & Product Analytics	EU (EEA — Hetzner)	GDPR DPA + SCCs
Plus Five Five, Inc. (Resend)	Transactional Email	United States	GDPR DPA + SCCs + EU-US DPF
Anthropic PBC	AI Inference (LLM)	United States	GDPR DPA + SCCs
Haufe-Lexware GmbH & Co. KG (Lexware)	Invoice & Accounting Synchronisation	EU (Germany)	GDPR DPA (AVV)

Notes

Supabase hosts the primary Voice2Evolve project in Stockholm, Sweden according to the Supabase dashboard, but Supabase's DPA/TIA documents onward transfers to subprocessors in the United States and Singapore for support, observability, and ancillary tooling. If the Supabase dashboard assistant is enabled, Voice2Evolve restricts it to schema metadata and logs only; content/table-data access remains disabled. Logs are treated as potentially personal-data-bearing and must remain minimized.
Rybbit analytics is limited to the marketing site and selected app areas. Tracking is fully disabled on sensitive areas (session processing, analysis results, account and billing management, authentication, and administration). Active session views, setup/planning flows, and invitation flows are measured with URL-path anonymisation (visits counted; identifiers and tokens not transmitted in clear path form).
OpenAI and Anthropic process prompt data for voice session analysis. Data minimisation is applied; zero-data-retention (ZDR) options are evaluated where available at the applicable plan tier.
Stripe acts as payment processor and is subject to PCI DSS Level 1 compliance independent of this agreement. For fraud prevention and card verification, Stripe may collect the cardholder's billing name, billing address (including ZIP/postal code), and IP address at checkout. Stripe also sets device-identification cookies (__stripe_mid, __stripe_sid) via its JavaScript library. Stripe acts as an independent controller for fraud and risk data under its own privacy policy (stripe.com/privacy).
Lexware (Haufe-Lexware GmbH & Co. KG) is a German entity directly subject to GDPR and BDSG; no cross-border data transfer mechanism is required. Lexware processes invoice records, credit notes, and revenue recognition data for bookkeeping and VAT reporting. Data transmitted is limited to financial/billing records (invoice amounts, line items, due dates, payment references, billing company name, VAT ID). No end-user voice, session, or authentication data is transmitted to Lexware. Statutory 10-year retention of accounting records applies under §147 AO / HGB.

Contact

To receive advance notice of subprocessor changes or to raise an objection under GDPR Article 28(2), contact:

help@voice2evolve.com