Sub-processors
Kept in sync with the platform’s outbound integrations.
A sub-processor only receives data when the Client switches on the relevant feature or connects that account.
| Sub-processor | Purpose | Data it sees | Location |
|---|---|---|---|
| Vultr | Cloud hosting (the platform and all stored Client data) | All tenant data, at rest | Australia (Sydney) |
| Anthropic (Claude API) | The AI that classifies, extracts and drafts (email triage, quote/lead/appointment/support/review drafting, the assistant) | The specific text sent for a task (e.g. an email body, a document's text, a review) — not used to train their models | USA |
| Google (Gmail / Calendar / Business Profile) | Mail read/send, calendar free-busy and events, reading and replying to reviews — only when the Client connects a Google account | The connected account's mail/calendar/reviews, within granted OAuth scopes | USA / global |
| Microsoft (Outlook / Graph) | Mail read/send and calendar — only when the Client connects a Microsoft account | The connected mailbox/calendar, within granted scopes | USA / global |
| Xero / Intuit (QuickBooks) | Accounting ledger sync (push invoices/bills, pull reconciliation) — only when the Client connects a ledger | Invoices, bills, payments, chart of accounts | Global (provider-dependent) |
| Voyage AI | Text embeddings for the knowledge-base semantic search (Customer Support) — only when enabled | Knowledge-base text chunks | USA |
Self-hosted, not third parties
The workflow engine (n8n), the queue/cache (Redis), and the database (PostgreSQL) run on our own Sydney infrastructure — they are not external sub-processors. The workflow engine drafts content via the Anthropic API but never holds the Client’s OAuth tokens; our backend performs all provider I/O.
Not used
We do not use Client business data to train any model; we do not sell data; there is no advertising or analytics processor handling Client business data.
AI data protection
Anthropic API inputs/outputs are not used for training by default. We minimise what is sent (only the text one task needs), and the backend additionally redacts the highest-risk identifiers (card numbers, tax file numbers) before its own calls.