DRAFT — pending legal review
This page is a starting draft written from standard B2B SaaS templates plus Adoomi-specific facts. It has NOT been reviewed by a qualified lawyer or a paid legal-template service. Do not rely on it for compliance until the draft banner is removed. Karim is in the process of engaging counsel (or a service like Termly / iubenda) to sign these off.
Sub-processors
Third parties Adoomi relies on to deliver the service
Last updated: 11 June 2026
Adoomi engages the sub-processors listed below to deliver the service. Each is bound by a data processing agreement (DPA) or equivalent terms. We publish this list publicly so customers acting as data controllers can satisfy GDPR Art 28(2) transparency obligations.
We’ll update this page whenever a sub-processor is added or removed. For notification of changes, follow our changelog or email privacy@adoomi.ai.
Current sub-processors
| Sub-processor | Purpose | Data categories | Location | Privacy link |
|---|---|---|---|---|
| Supabase | Primary database, authentication, vector indexes | Account data, bot configurations, knowledge sources, chat transcripts | EU (Frankfurt + Ireland) | Privacy ↗ |
| Cloudflare | Edge workers (chat + ingest + cron), widget hosting, DNS, CDN | IP addresses, request metadata, transient chat payloads in flight | Global edge; data processing pinned to EU | Privacy ↗ |
| Vercel | Dashboard + marketing site hosting | IP addresses, request metadata, web vitals | EU (Frankfurt) for app runtime; global edge for static assets | Privacy ↗ |
| Anthropic | Default LLM provider (Claude) for bot responses | End-user chat messages + your knowledge content sent at inference time (no training on customer data per Anthropic API terms) | US (via Anthropic API). EU residency option in progress. | Privacy ↗ |
| OpenAI | Optional LLM provider (GPT) when configured by you; embeddings | Chat messages + content sent at inference / embedding time (no training) | EU (Ireland) for inference; global for some auxiliary services | Privacy ↗ |
| DeepSeek | Optional LLM provider (DeepSeek V4 Flash) — only when a workspace selects a DeepSeek model | Chat messages and retrieved knowledge context for workspaces that choose this model | PRC (Hangzhou); selectable per workspace, never a default | Privacy ↗ |
| Perplexity | Optional LLM provider (Sonar Pro, search-grounded) — only when a workspace selects a Perplexity model | Chat messages and retrieved knowledge context for workspaces that choose this model | United States; selectable per workspace, never a default | Privacy ↗ |
| Firecrawl | Crawling your public website to build initial knowledge base | Public URLs you submit + scraped page content (public web pages only) | US | Privacy ↗ |
| Stripe | Payment processing, subscription billing | Billing email, card token, subscription metadata | EU (Ireland) | Privacy ↗ |
| Resend | Transactional + notification email delivery | Recipient email + display name + email body (transactional only) | EU + US (Resend uses AWS regions) | Privacy ↗ |
| Sentry | Error tracking + performance monitoring | Error stack traces, request metadata, breadcrumbs. No conversation content or PII in logs per policy. | EU (Frankfurt) | Privacy ↗ |
| Better Stack | Structured log aggregation | Application logs (no message bodies, no PII per logging convention) | EU | Privacy ↗ |
| MailSlurp | End-to-end smoke testing — receives test emails in CI / dev only | Test inbox addresses only. No customer data. Used only by Adoomi engineering smoke tests. | US (test-only inbox) | Privacy ↗ |
International transfers
Where a sub-processor processes data outside the EU/UK (Anthropic, OpenAI auxiliary services, Firecrawl and Perplexity in the US), transfers rely on Standard Contractual Clauses or, where applicable, the EU-US Data Privacy Framework. Customer-content transfers to LLM providers are limited to the message + knowledge context sent at inference time. Anthropic, OpenAI and Perplexity do not retain API content for model training per their API terms.
DeepSeek (PRC) is different in kind and is treated accordingly: it is never a default, never used for embeddings or background processing, and only receives content for workspaces whose owner explicitly selects a DeepSeek model in the dashboard. Transfers occur under DeepSeek’s API data terms. Workspaces with strict EU-only or no-PRC-transfer requirements should simply not select DeepSeek models — every other part of the service is unaffected by this option existing.
How we notify of changes
We aim to add sub-processors to this page at least 14 days before they begin processing customer data, where commercially reasonable. Email privacy@adoomi.ai with subject “subscribe sub-processor updates” to receive these notifications by email instead of monitoring this page.
Auditing
Customers acting as data controllers may audit our sub-processor arrangements as contemplated by GDPR Art 28(3)(h). Email privacy@adoomi.ai to coordinate.