This page forms part of the Tuteliq Data Processing Agreement (Annex III) and lists every third-party sub-processor authorised to process Personal Data on behalf of Customers. We notify customers at least 30 days in advance of any material change to this list and provide a right to object as set out in the DPA.

| Sub-processor | Purpose | Data categories | Hosting region | Transfer mechanism |
|---|---|---|---|---|
| Google Cloud Platform (Google Ireland Ltd.) | Primary infrastructure: Vertex AI model inference (Mistral, Whisper), Firestore database for incidents, Cloud Storage for media uploads, Cloud Run, error monitoring. | Encrypted incident records, optional external_user_id, file_id, content payloads (transient), media files, technical metadata (IP, user-agent, API key ID). | EU (europe-west1 Belgium, europe-west4 Netherlands) | EU/EU, no transfer required. SCCs + UK IDTA on file for any incidental US support access. |
| Supabase (Supabase Inc., hosted on AWS Frankfurt) | Customer authentication, account database (Postgres), edge functions for billing/webhook relay, transactional email triggers. | Email, hashed passwords, profile data, API key hashes (SHA-256 only, never raw keys), team membership, subscription metadata, encrypted incident metadata. | EU (AWS eu-central-1, Frankfurt, Germany) | EU/EU. SCCs in place for any US-based support access by Supabase Inc. personnel. |
| Mistral AI (Mistral AI SAS, France) | Foundation language models fine-tuned on Tuteliq's proprietary 50M+ expert-labelled dataset. Used as base architecture only, deployed inside our Vertex AI tenancy. | No direct customer data sent to Mistral as a service. Models are downloaded and run inside our EU GCP tenancy. | EU (deployed via Google Cloud Vertex AI, EU regions) | EU/EU. No data leaves Tuteliq's GCP tenancy at the model layer. |
| Stripe Payments Europe Ltd. | Subscription billing, payment processing, invoicing, tax calculation, chargeback management. | Billing name, billing address, VAT ID, email, payment method token (PAN never stored by Tuteliq), invoice history, customer ID. | Ireland (EU primary), USA (parent processing for global card networks) | EU SCCs (2021/914) + Stripe DPA. Stripe is PCI DSS Level 1 certified. |
| Lovable Email Infrastructure (transactional & auth email via notify.tuteliq.ai) | Transactional and authentication emails (verification, password reset, incident notifications, billing receipts). | Recipient email address, email subject and body (incident notifications contain risk metadata only, never raw user content). | EU | EU SCCs + Lovable DPA. Sender subdomain delegated via DNS to Lovable's managed email infrastructure. |
| Cloudflare, Inc. | DNS resolution, DDoS mitigation, WAF, edge caching for marketing pages and static assets. | IP address, request headers, request URL, user-agent. No request bodies inspected. | Global edge POPs; EU traffic served from EU edges. | EU SCCs + Cloudflare DPA. |
| Lovable / Lovable Hosting | Static hosting for marketing site (tuteliq.ai), build artefacts. | Static assets only; no customer Personal Data. | EU | EU/EU. No transfer required. |

We notify customers at least 30 days before adding or replacing a sub-processor by:
/legal/subprocessors) with the change date.

Customers may object as set out in DPA §6.3. To subscribe to change notifications, email dpo@tuteliq.ai with the subject "Subprocessor notifications".

Tuteliq AB (Sweden). Data Protection Officer
Email: dpo@tuteliq.ai
Trust centre: https://trust.tuteliq.ai