Offizielles Rechtsdokument
Unterauftragnehmer
Dies ist das offizielle Rechtsdokument, das von Voice2Evolve veröffentlicht wurde.
Die deutsche Übersetzung ist noch nicht verfügbar. Es gilt die englische Originalfassung.
Gültig ab
2026-03-02
Rechtsversion
2026-04-27
Zuletzt aktualisiert
2026-04-27
Rechtsträger
voice2evolve UG (haftungsbeschränkt)
Registersitz
Amtsgericht Stuttgart, HRB 803557
Last updated: April 27, 2026
Voice2Evolve UG (haftungsbeschränkt) ("Voice2Evolve") uses the following third-party subprocessors to deliver the Voice2Evolve Services. All subprocessors are bound by data processing agreements with obligations equivalent to those set out in the Master Data Processing Agreement (MDPA).
This list is maintained in accordance with GDPR Article 28(2). Voice2Evolve will provide reasonable prior notice of new or changed subprocessors. To receive notifications, contact help@voice2evolve.com.
Current Subprocessors
| Provider | Role | Data Location | Legal Safeguards |
|---|---|---|---|
| Supabase Inc. | Database, Authentication | EU (Stockholm, Sweden primary hosting); onward transfers to United States / Singapore subprocessors | Supabase DPA + SCCs + supplementary safeguards documented in Supabase TIA |
| OpenAI, L.L.C. | AI Inference / Voice API | United States | SCCs + CPRA Compliance |
| Stripe Payments Europe Ltd. | Payment Processing | EU / United States | GDPR DPA + SCCs |
| Vercel Inc. | Frontend Hosting (CDN) | EU / United States (AWS + Microsoft Azure + GCP; EU edge regions: Paris, Frankfurt, Sweden) | SCCs (Module 2, C2P) + UK IDTA |
| Railway Corp. (railway.com) | Backend Infrastructure | US / EU-region deployment (underlying infrastructure: GCP) | Executed DPA + EU SCCs (Module 2, C2P) + DPF |
| Cloudflare, Inc. | DNS Resolution, WebRTC TURN Relay | EU / United States | GDPR DPA + SCCs |
| Sentry, Inc. | Error Monitoring | EU / United States | GDPR DPA (DocuSign executed 2026-04-27) + DPF (primary) + SCCs (Module 2/3) + UK IDTA |
| Rybbit | Website & Product Analytics | EU (EEA — Hetzner; Cloudflare Object Storage) | GDPR DPA (accepted by use) + SCCs |
| Plus Five Five, Inc. (Resend) | Transactional Email | United States | GDPR DPA (accepted by use) + DPF (primary) + SCCs (Module 2) + UK IDTA |
| Anthropic PBC | AI Inference (LLM) | United States | GDPR DPA + SCCs |
| Haufe-Lexware GmbH & Co. KG (Lexware) | Invoice & Accounting Synchronisation | EU (Germany) | GDPR DPA (AVV) |
Notes
- Supabase hosts the primary Voice2Evolve project in Stockholm, Sweden according to the Supabase dashboard, but Supabase's DPA/TIA documents onward transfers to subprocessors in the United States and Singapore for support, observability, and ancillary tooling. If the Supabase dashboard assistant is enabled, Voice2Evolve restricts it to schema metadata and logs only; content/table-data access remains disabled. Logs are treated as potentially personal-data-bearing and must remain minimized.
- External identity providers selected by end users (for example, Google or Microsoft Azure for social sign-in) may act as independent controllers for processing performed within their own authentication services. Voice2Evolve's listed authentication subprocessor for Customer Personal Data is Supabase; additional providers are listed as subprocessors only where Voice2Evolve engages them to process Customer Personal Data on the Customer's behalf.
- Rybbit analytics is limited to the marketing site and selected app areas. Tracking is fully disabled on sensitive areas (session processing, analysis results, account and billing management, authentication, and administration). Active session views, setup/planning flows, and invitation flows are measured with URL-path anonymisation (visits counted; identifiers and tokens not transmitted in clear path form). Rybbit's DPA (accepted by use, December 10, 2025) documents session replay as a platform capability; Voice2Evolve does not use this feature — verified in code (no session replay attribute configured). Rybbit's own sub-processors are Hetzner (primary hosting, EU), Cloudflare (object storage/security), Stripe and Resend (Rybbit's own operational billing/notifications), and ipapi.is (IP geolocation, IPs not stored).
- Sentry processes application error events (stack traces, request metadata) for error monitoring and alerting. No voice transcripts, session content, Special Categories of Personal Data, or authentication credentials may be transmitted to Sentry (DPA Section 2.2.2 prohibition on Sensitive Data). PII scrubbing is applied before all event transmission. EU data storage region (Frankfurt, Germany) configured for the Voice2Evolve production Sentry organisation. DPA executed by DocuSign (envelope C7F6263F-7067-4494-BBAC-E776A503A59A, 2026-04-27); transfer mechanism: EU-US DPF primary + Module 2/3 SCCs fallback, Irish governing law, Irish Data Protection Commissioner.
- Resend (Plus Five Five, Inc.) processes email addresses, message content, and delivery metadata for transactional email flows (magic links, invitations, invoice delivery, payment reminders). Resend acts as an independent controller for Account Data and Usage Data under its own Privacy Policy (DPA Section 9); this controller path does not involve Voice2Evolve end-user email content or recipient data. Sub-processor change notice: 14 days (shorter than V2E's 30-day window — monitor resend.com/legal/subprocessors). DPA accepted by use (December 31, 2025); transfer mechanism: EU-US DPF primary + Module 2 SCCs fallback, Irish law.
- OpenAI and Anthropic process prompt data for voice session analysis. Data minimisation is applied; zero-data-retention (ZDR) is active for OpenAI real-time API endpoints. For internal quality evaluation, Voice2Evolve uses the OpenAI Batch API; Batch API file inputs are outside ZDR scope and may be retained at OpenAI for up to 30 days per the ZDR Amendment (Section 7). Best-effort PII redaction (email addresses, phone numbers, IBAN numbers) is applied before Batch API submission. Structural PII (names, company names) is an accepted residual risk documented in the ROPA.
- Stripe acts as payment processor and is subject to PCI DSS Level 1 compliance independent of this agreement. For fraud prevention and card verification, Stripe may collect the cardholder's billing name, billing address (including ZIP/postal code), and IP address at checkout. Stripe also sets device-identification cookies (
__stripe_mid,__stripe_sid) via its JavaScript library. Stripe acts as an independent controller for fraud and risk data under its own privacy policy (stripe.com/privacy). - Lexware (Haufe-Lexware GmbH & Co. KG) is a German entity directly subject to GDPR and BDSG; no cross-border data transfer mechanism is required. Lexware processes invoice records, credit notes, and revenue recognition data for bookkeeping and VAT reporting. Data transmitted is limited to financial/billing records (invoice amounts, line items, due dates, payment references, billing company name, VAT ID). No end-user voice, session, or authentication data is transmitted to Lexware. Statutory 10-year retention of accounting records applies under §147 AO / HGB.
Contact
To receive advance notice of subprocessor changes or to raise an objection under GDPR Article 28(2), contact: