Sub-processors
Last updated: 8 February 2026
Coldread uses the following third-party sub-processors to deliver the service. Each sub-processor has been selected for reliability, security, and compliance with applicable data protection regulations.
Under GDPR Article 28, we maintain this list of sub-processors as part of our transparency obligations. We will notify customers of any changes to this list at least 30 days in advance.
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Supabase (PostgreSQL) | Primary database — stores call records, contacts, transcripts, analysis results, and account data | US (AWS us-east-1) | All structured data including call metadata, transcripts, AI analysis, contact profiles |
| Cloudflare R2 | Object storage for call audio recordings | US (auto-selected region) | Call audio files (downloaded from VoIP provider, stored encrypted at rest) |
| ElevenLabs (Scribe) | Primary speech-to-text transcription provider | US | Call audio sent for transcription — audio is processed and discarded, not retained |
| Google (Gemini) | AI call analysis via OpenRouter — extracts summaries, objections, buying signals, contact intelligence | US | Call transcripts (text only, no audio) sent for analysis |
| OpenRouter | API gateway for AI model access (routes to Google Gemini) | US | Call transcripts routed to AI model — no persistent storage |
| Clerk | Authentication and user management (sign-in, sign-up, sessions) | US | Email addresses, names, session tokens, authentication events |
| Stripe | Payment processing and subscription billing | US | Payment methods, billing addresses, subscription status, invoice history |
| Vercel | Application hosting and CDN (Next.js deployment) | US (iad1) | HTTP requests, server-side rendering, edge middleware execution |
| Inngest | Durable workflow engine for background processing (transcription, analysis, relay) | US | Event payloads containing call IDs and metadata (no audio or transcript content) |
Data Transfer Mechanisms
Where data is transferred outside the European Economic Area (EEA) or the United Kingdom, we rely on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) addendum, as applicable.
All sub-processors maintain SOC 2 Type II or equivalent security certifications. Data in transit is encrypted using TLS 1.2+, and data at rest is encrypted using AES-256.
Questions
For questions about our sub-processors or to request a Data Processing Agreement (DPA), contact us at privacy@coldread.ai.