Data Subprocessors

Last updated: January 15, 2025

Introduction

VelvetReply uses trusted third-party service providers to help us deliver our AI-powered review management services. All subprocessors are carefully selected and bound by strict data protection agreements that meet or exceed our own standards.

Our Commitment

We maintain a comprehensive list of all subprocessors and regularly review their security practices, compliance certifications, and data protection commitments.

Subprocessor Categories

Our subprocessors fall into the following categories:
  • Cloud Infrastructure: Hosting and computing services
  • AI Services: Language model and machine learning providers
  • Analytics: Performance monitoring and analytics tools
  • Support Services: Customer support and communication tools

Current Subprocessors

Cloud Infrastructure

Google Cloud Platform

  • Purpose: Cloud infrastructure and hosting services
  • Data Processed: Application data, user content, analytics, system logs
  • Location: United States, European Union, Asia-Pacific
  • Certifications: SOC 2 Type II, ISO 27001, GDPR Compliant, HIPAA Ready
  • Contact: privacy@google.com
  • Data Processing Agreement: [Google Cloud DPA](https://cloud.google.com/terms/data-processing-terms)

Vercel

  • Purpose: Web hosting and CDN services
  • Data Processed: Website content, user interactions, performance metrics
  • Location: United States, European Union, Global CDN
  • Certifications: SOC 2 Type II, ISO 27001, GDPR Compliant
  • Contact: privacy@vercel.com
  • Data Processing Agreement: [Vercel DPA](https://vercel.com/legal/dpa)

AI Services

OpenAI

  • Purpose: AI language model services for review response generation
  • Data Processed: Review content for response generation, training data
  • Location: United States
  • Certifications: SOC 2 Type II, GDPR Compliant
  • Contact: privacy@openai.com
  • Data Processing Agreement: [OpenAI DPA](https://openai.com/privacy/data-processing-addendum)

Anthropic

  • Purpose: Alternative AI language model services
  • Data Processed: Review content for response generation
  • Location: United States
  • Certifications: SOC 2 Type II, GDPR Compliant
  • Contact: privacy@anthropic.com
  • Data Processing Agreement: [Anthropic DPA](https://www.anthropic.com/privacy)

Analytics and Monitoring

Cloudflare

  • Purpose: Web analytics, performance monitoring, and security
  • Data Processed: Website usage analytics, performance metrics, security logs
  • Location: United States, European Union, Global network
  • Certifications: SOC 2 Type II, ISO 27001, GDPR Compliant
  • Contact: privacy@cloudflare.com
  • Data Processing Agreement: [Cloudflare DPA](https://www.cloudflare.com/legal/dpa/)

Sentry

  • Purpose: Error monitoring and performance tracking
  • Data Processed: Application error logs, performance metrics, user session data
  • Location: United States, European Union
  • Certifications: SOC 2 Type II, GDPR Compliant
  • Contact: privacy@sentry.io
  • Data Processing Agreement: [Sentry DPA](https://sentry.io/legal/dpa/)

Development and Support

GitHub

  • Purpose: Version control, issue tracking, and development collaboration
  • Data Processed: Source code, contact form submissions, support requests
  • Location: United States
  • Certifications: SOC 2 Type II, ISO 27001, GDPR Compliant
  • Contact: privacy@github.com
  • Data Processing Agreement: [GitHub DPA](https://docs.github.com/en/site-policy/privacy-policies/github-data-processing-agreement)

Linear

  • Purpose: Project management and issue tracking
  • Data Processed: Project data, task information, team collaboration data
  • Location: United States
  • Certifications: SOC 2 Type II, GDPR Compliant
  • Contact: privacy@linear.app
  • Data Processing Agreement: [Linear DPA](https://linear.app/legal/dpa)

Communication and Support

Intercom

  • Purpose: Customer support and communication platform
  • Data Processed: Customer support tickets, chat conversations, user feedback
  • Location: United States, European Union
  • Certifications: SOC 2 Type II, ISO 27001, GDPR Compliant
  • Contact: privacy@intercom.com
  • Data Processing Agreement: [Intercom DPA](https://www.intercom.com/legal/data-processing-agreement)

SendGrid

  • Purpose: Email delivery and marketing services
  • Data Processed: Email addresses, delivery status, engagement metrics
  • Location: United States, European Union
  • Certifications: SOC 2 Type II, ISO 27001, GDPR Compliant
  • Contact: privacy@sendgrid.com
  • Data Processing Agreement: [SendGrid DPA](https://sendgrid.com/legal/dpa)

Subprocessor Management

Selection Criteria

We evaluate potential subprocessors based on:
  • Security Standards: Minimum SOC 2 Type II certification
  • Compliance: GDPR and other relevant regulatory compliance
  • Data Protection: Strong data protection commitments
  • Geographic Location: Data processing location controls
  • Reputation: Industry standing and track record

Contractual Requirements

All subprocessors are bound by:
  • Data Processing Agreements: Binding contractual obligations
  • Security Standards: Minimum security requirements
  • Geographic Restrictions: Data processing location controls
  • Audit Rights: Right to audit subprocessor compliance
  • Breach Notification: Timely notification of security incidents

Ongoing Monitoring

We continuously monitor our subprocessors through:
  • Regular Reviews: Annual security and compliance assessments
  • Performance Monitoring: Ongoing service quality monitoring
  • Incident Tracking: Monitoring of security incidents and breaches
  • Compliance Updates: Tracking of certification renewals and updates

Data Processing Locations

Primary Processing Locations

  • European Union: Primary data processing for EU customers
  • United States: Primary data processing for US customers
  • United Kingdom: Post-Brexit data processing arrangements

Backup and Disaster Recovery

  • Geographic Redundancy: Multiple data centers for business continuity
  • Cross-Region Backups: Encrypted backups in multiple locations
  • Failover Procedures: Automatic failover to backup locations

Subprocessor Locations

Subprocessor data processing locations are specified in the individual entries above. We ensure all locations provide adequate data protection through appropriate safeguards.

Security and Compliance

Security Standards

All subprocessors must meet minimum security requirements:
  • Access Control: Multi-factor authentication and role-based access
  • Encryption: Data encryption in transit and at rest
  • Monitoring: Comprehensive security monitoring and logging
  • Incident Response: Documented incident response procedures

Compliance Certifications

Required certifications include:
  • SOC 2 Type II: Annual security and availability audits
  • ISO 27001: Information security management systems
  • GDPR Compliance: European data protection compliance
  • Industry-Specific: Additional certifications as required

Audit Rights

We maintain the right to:
  • Security Audits: Conduct security assessments of subprocessors
  • Compliance Reviews: Review compliance documentation and certifications
  • Performance Monitoring: Monitor service quality and security metrics
  • Incident Investigation: Investigate security incidents and breaches

Changes to Subprocessors

Addition of New Subprocessors

When adding new subprocessors, we:
  • Notify Customers: Provide 30 days' advance notice
  • Conduct Assessment: Evaluate security and compliance
  • Update Documentation: Maintain current subprocessor list
  • Obtain Consent: Where required by applicable law

Removal of Subprocessors

When removing subprocessors, we ensure:
  • Data Migration: Secure transfer of data to new providers
  • Service Continuity: Minimal disruption to services
  • Data Deletion: Secure deletion from removed subprocessors
  • Customer Notification: Timely notification of changes

Emergency Changes

In emergency situations, we may:
  • Immediate Action: Take immediate action to protect data
  • Retroactive Notice: Provide notice after emergency actions
  • Mitigation: Implement measures to minimize impact
  • Documentation: Document all emergency actions taken

Contact Information

For questions about our subprocessors, contact us:

  • Data Protection Officer: dpo@velvetreply.com
  • Legal Department: legal@velvetreply.com
  • Security Team: security@velvetreply.com
  • Postal Address: [Your Company Address]
  • Phone: [Your Phone Number]

Subprocessor Inquiries

  • General Questions: Contact our legal department
  • Security Concerns: Contact our security team
  • Compliance Issues: Contact our data protection officer
  • Service Issues: Contact our customer support team

---

This Subprocessors list is updated regularly and was last updated on January 15, 2025. For the most current information, please contact our legal department.
