Handlet Subprocessors
Handlet uses trusted third-party service providers to operate, secure, support, and improve the platform.
This page explains the main providers that may process personal data on Handlet's behalf. Not every provider is used for every customer, workspace, feature, or integration. Some providers only apply if you enable a particular feature, connect a channel, use billing, or opt into analytics.
Where a provider processes personal data for Handlet, we aim to use the provider's standard data processing terms, appropriate contractual safeguards, and transfer mechanisms such as adequacy decisions, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or Standard Contractual Clauses where relevant.
Current and Planned Providers
| Provider | Purpose | Typical data categories | Region / transfer note | Safeguards and terms |
|---|---|---|---|---|
| Supabase | Database hosting, authentication, edge functions, and file storage. | Account data, authentication data, workspace data, customer communication data, files, audit records, operational metadata. | Region depends on the configured Supabase project. Transfers and subprocessors are governed by Supabase terms and DPA. | Privacy, DPA. |
| Vercel | Application hosting, deployment, and delivery. | Technical logs, request metadata, app runtime data, limited operational data processed by server-side code. | Region depends on deployment configuration and Vercel infrastructure. Transfers are governed by Vercel terms and DPA. | Privacy, DPA, Security. |
| Railway | Backend infrastructure hosting, including Presidio services where configured. | Service logs, operational metadata, and message text processed by self-hosted Presidio Analyzer/Anonymizer before external AI/workflow use. | Presidio production target is West Europe / EEA unless otherwise approved. Transfers are governed by Railway terms and DPA. | Privacy, DPA. |
| Stripe | Subscription billing, checkout, payment processing, invoices, refunds, and billing portal. | Account holder details, billing details, payment metadata, invoice and subscription records. | Stripe may process data internationally under its published privacy and data processing terms. | Privacy, DPA, Sub-processors. |
| Resend | Transactional email delivery, including login links, password resets, and system notifications where configured. | Email address, message delivery metadata, transactional email content. | Resend may process data internationally under its published DPA and transfer terms. | Privacy, DPA. |
| Unipile | Connecting and syncing user-authorised inbox and messaging channels. | Connected-account identifiers, channel metadata, messages, attachments, thread metadata, provider account status. | Provider processing may involve Unipile infrastructure and the connected messaging provider selected by the customer. | Privacy, Terms. |
| n8n | Workflow automation and integration orchestration. | Workflow payloads, delivery logs, callback metadata, anonymised/minimised message context where Presidio applies. | Depends on whether workflows are self-hosted or cloud-hosted and the configured region. | Privacy, Sub-processors, Privacy docs. |
| OpenAI | AI-assisted processing where configured, such as embeddings, drafting, classification, or other model calls. | Prompt/context data, anonymised or minimised message context where the Presidio pipeline applies, technical metadata. | Processing and transfers are governed by OpenAI business terms, DPA, and subprocessor list where applicable. | Business privacy, DPA, Sub-processors. |
| Vapi | Optional call-agent and voice-assistant integrations. | Call metadata, caller/callee details, assistant context, transcripts, recordings, call outcomes, and related operational data where call-agent features are enabled. | Region and transfer position depends on the configured Vapi account and telephony/AI providers used. | Privacy, customer agreement or DPA where applicable. |
| Twilio | Optional telephony, voice routing, or communication infrastructure where configured. | Phone numbers, call/SMS metadata, routing data, call records, and related communication metadata. | Twilio may process data internationally under its published DPA and transfer terms. | Privacy, DPA, Sub-processors. |
| ElevenLabs | Optional voice preview, text-to-speech, or voice features where configured. | Text submitted for voice generation, generated audio, voice configuration metadata, technical logs. | ElevenLabs may process data internationally under its published privacy and DPA terms. | Privacy, DPA. |
| Google OAuth / Google Workspace | Optional login and connected Gmail/Google Workspace channels where authorised by the user. | OAuth identifiers, profile details, mailbox/channel data, messages and metadata where connected. | Google acts under its own terms and the user's Google authorisation. | Privacy. |
| Microsoft / Outlook / Microsoft 365 | Optional connected Outlook/Microsoft 365 channels where authorised by the user. | OAuth identifiers, mailbox/channel data, messages and metadata where connected. | Microsoft acts under its own terms and the user's Microsoft authorisation. | Privacy. |
| Google Analytics | Optional website or product analytics where enabled and consented. | Usage events, page views, device/browser metadata, approximate location and analytics identifiers. | Analytics only loads where configured and permitted by consent settings. | Privacy, Terms. |
| PostHog | Planned or optional product analytics and usage insights. | Product usage events, feature usage metadata, device/browser metadata, analytics identifiers where enabled. | Region depends on PostHog configuration and deployment model. Non-essential analytics requires consent where applicable. | Privacy. |
| Sentry | Error monitoring and reliability diagnostics where configured. | Error traces, stack traces, performance events, environment metadata, limited request/user metadata if included in logs. | Region and transfer position depends on configured Sentry account. | Privacy, DPA. |
Connected Customer Services
Some services are not always Handlet subprocessors in the strict legal sense because they are selected and authorised by the customer or account user. For example, when you connect Gmail, Outlook, WhatsApp, SMS, or another channel, that provider may process data under its own terms and your authorisation.
Handlet's role is to help you connect, sync, and manage those channels through supported integrations. You are responsible for ensuring that your use of connected services complies with the provider's terms and any notices you owe to your own customers.
Presidio PII Redaction
Handlet uses a Presidio-based PII detection and anonymisation pipeline before certain external AI or workflow processing. The Presidio Analyzer and Anonymizer are operated as Handlet-controlled services through the hosting provider listed above, rather than as a separate third-party SaaS processor.
More detail is available in the Privacy Policy, How we process personal data, and Intelligence & Benchmarking Policy.
Updates and Changes
Handlet reviews this register when:
- a new provider is added;
- a provider starts processing a new category of personal data;
- a provider is removed;
- a region, transfer safeguard, or DPA changes; or
- a material product feature changes where data is sent.
If major subprocessors are added or removed, this page will be updated. Where required by law or contract, Handlet will provide additional notice.
Questions about subprocessors can be sent to [email protected].