Last Updated: November 30, 2025
This document lists all third-party sub-processors that Operalta uses to provide the Service. Sub-processors may access or process customer data as part of service delivery.
Operalta reserves the right to change sub-processors at any time to ensure service quality, continuity, compliance, and cost-effectiveness. Material changes to this list will be announced via email with at least 30 days' advance notice for critical infrastructure providers.
Service: Claude Sonnet 4.5 API
Purpose: Conversational AI, memory extraction, intelligence synthesis, report generation
Data Processed: Conversation content, documents, company context, search queries
Data Location: United States
Data Retention: Not retained after processing (per Anthropic DPA)
DPA/SCC: Yes - Anthropic DPA
Privacy Policy: anthropic.com/privacy
Status: Active (all customers)
Service: Pixtral 12B (vision), Mistral Large (classification)
Purpose: Document processing (optional, French market clients only)
Data Processed: Uploaded documents (PDFs, images, Office files)
Data Location: European Union (France)
Data Retention: Not retained after processing (per Mistral AI terms)
DPA/SCC: Requested (pending)
Privacy Policy: mistral.ai/terms
Status: Optional (activated via DOCUMENT_PROVIDER environment variable)
Service: Speech-to-text transcription API
Purpose: Voice input transcription (auto-language detection)
Data Processed: Audio recordings (voice messages)
Data Location: Switzerland (100% Swiss infrastructure)
Data Retention: Not retained after processing
DPA/SCC: Infomaniak standard DPA (Swiss data protection compliant)
Privacy Policy: infomaniak.com/privacy
Status: Active (voice feature users only)
Note: Swiss-based provider ensures GDPR compliance and strong data protection under Swiss Federal Act on Data Protection (FADP)
Service: Edge runtime, serverless functions, CDN
Purpose: Application hosting, edge routing, serverless API execution
Data Processed: All application data (HTTP requests, responses, logs)
Data Location: Global (US primary, edge locations worldwide)
Data Retention: Logs retained for 7 days, function execution data transient
DPA/SCC: Requested (pending)
Privacy Policy: vercel.com/legal/privacy-policy
Status: Active (all customers)
Service: PostgreSQL database, authentication, file storage
Purpose: Primary data storage (users, companies, conversations, streams, reports, files)
Data Processed: All user-generated content, metadata, session data
Data Location:
Data Retention: Active account data indefinite, deleted account data purged after 30 days, backups purged after 90 days
DPA/SCC: Supabase standard DPA
Privacy Policy: supabase.com/privacy
Status: Active (all customers)
Service: Redis (rate limiting, caching)
Purpose: Distributed rate limiting (sliding window algorithm), session caching
Data Processed: Rate limit counters (no personal data), session tokens (ephemeral)
Data Location: Global (multi-region)
Data Retention: Rate limit counters expire after window (1-60 minutes), cache ephemeral
DPA/SCC: Requested (pending)
Privacy Policy: upstash.com/privacy
Status: Active (all customers)
Service: CDN, Web Application Firewall (WAF), DDoS protection
Purpose: Content delivery, security, edge caching
Data Processed: HTTP requests (IP, user agent, request URL), cached responses
Data Location: Global (edge locations worldwide)
Data Retention: Logs retained for 72 hours, cached data transient
DPA/SCC: Cloudflare standard DPA
Privacy Policy: cloudflare.com/privacypolicy
Status: Active (all customers)
Service: Structured Google search results API
Purpose: Market intelligence research, competitive analysis, web research
Data Processed: Search queries (company context, research topics)
Data Location: United States
Data Retention: Queries not retained (per SERP API terms)
DPA/SCC: Requested (pending)
Privacy Policy: serpapi.com/privacy
Status: Active (intelligence feature users only)
Service: AI-powered search with summaries
Purpose: Fallback intelligence provider when SERP API unavailable
Data Processed: Search queries (company context, research topics)
Data Location: United States
Data Retention: Queries not retained (per You.com terms)
DPA/SCC: Requested (pending)
Privacy Policy: you.com/legal/privacy
Status: Active (fallback only)
Service: Omnichannel communications platform (email, SMS, WhatsApp)
Purpose:
Data Processed: Email addresses, phone numbers (if SMS/WhatsApp enabled), notification content (summaries, not full conversation content)
Data Location: European Union (Netherlands headquarters, EU data centers)
Data Retention: Message logs retained for 90 days (per Bird retention policy)
DPA/SCC: Bird standard DPA available (GDPR-compliant, EU-based provider)
Privacy Policy: bird.com/legal/privacy-statement
Status: Active (all customers for email, SMS/WhatsApp opt-in features)
Note: Bird is an EU-based communications provider. Emails/SMS may contain summaries (e.g., "Your report is ready", "Job completed") but not full conversation content or sensitive data. Bird supports EU data residency, making it GDPR-compliant without cross-border transfers for EU customers.
Service: Payment processing, subscription billing
Purpose: Subscription payments, invoicing, billing portal, usage metering
Data Processed: Billing information (name, email, address), payment methods (tokenized card data), subscription status
Data Location: Global (US primary, PCI-DSS compliant data centers)
Data Retention: Payment data retained per Stripe's retention policy (7 years for tax/compliance)
DPA/SCC: Stripe standard DPA (GDPR-compliant)
Privacy Policy: stripe.com/privacy
Status: Planned (integration ready, not yet deployed)
Note: Operalta does not store full credit card information. Card data is tokenized by Stripe.
Operalta will provide at least 30 days' advance notice via email before making material changes to critical infrastructure providers:
Critical providers (30-day notice required):
Material changes include:
If you object to a critical infrastructure change, you may terminate your account within 30 days of the notice without penalty.
Operalta reserves the right to change technical service providers at any time without advance noticeto ensure service quality, cost-effectiveness, and technical performance:
Technical providers (can change without notice):
Rationale: AI/LLM providers and technical services may need to be changed rapidly due to:
User notification: Changes to technical providers will be documented in this list and updated quarterly. Users will be notified of changes in our changelog and release notes, but no advance notice or opt-out period is provided.
For questions about sub-processors or to request copies of DPAs/SCCs, contact:
Email: privacy@operalta.com
Data Protection Officer: dpo@operalta.com (if appointed)
Last Updated: November 30, 2025