FloatChat Sub-processor List
The third-party vendors FloatChat uses to deliver the service, what they do, and where they sit.
Effective: May 20, 2026 | Version: v2.0 — BYOC Twilio model — DRAFT for legal review
DRAFT — FOR LEGAL REVIEW
This document is an AI-assisted draft prepared to accelerate legal review. It is not legal advice and must be reviewed by qualified counsel in the relevant jurisdictions before publication or signature.
About this list
This list names every sub-processor that may process personal data on behalf of FloatChat. We update it whenever a sub-processor is added, removed, or changes a material aspect of their service. Customers can subscribe to changes at floatchat.com/subprocessors/subscribe.
Before onboarding any sub-processor, we run a security and privacy review. For sub-processors that involve transfers out of the European Economic Area, the United Kingdom, or other restricted-transfer jurisdictions, we put EU Standard Contractual Clauses, the UK IDTA, or an equivalent safeguard in place and complete a Transfer Impact Assessment.
Current sub-processors
| Sub-processor | Service / Purpose | Data categories | Location | Transfer safeguard |
|---|---|---|---|---|
| DigitalOcean, LLC | Application hosting, managed database, object storage (NYC3 region) | All Customer Data and metadata (accounts, conversations, logs) | United States (NYC3 — New York metro) | SCCs + DPF certification |
| Vercel, Inc. | Marketing website hosting (floatchat.com only) | Visitor IP address and page metadata; no Customer Data | United States | SCCs + DPF certification |
| OpenAI, LLC | Large language model inference for chat replies (no training on Customer Data) | Conversation content for the duration of the API call | United States | SCCs + Data Processing Addendum |
| Stripe, Inc. | Payment processing and subscription billing | Billing details, payment metadata | United States | SCCs + DPF certification |
| Google LLC (Google Analytics 4) | Marketing-website analytics (blocked pre-consent via Iubenda) | Pseudonymous identifiers, page-view events | United States | SCCs + DPF certification + Google Consent Mode v2 |
Customer-supplied integrations (Bring Your Own Twilio)
FloatChat does NOT provide voice or SMS as part of the Service. If a Customer chooses to connect their own Twilio account (or equivalent CPaaS provider) for voice or SMS, the operator of that account is the Customer — not FloatChat. Twilio is therefore NOT listed above as a FloatChat sub-processor.
The Customer is responsible for:
- Entering into its own data processing terms directly with Twilio.
- Telecom-compliance obligations (TCPA, 10DLC, FCC AI Voice Ruling, STIR/SHAKEN, EU ePrivacy, UK PECR, etc.).
- Opt-out handling, do-not-call list management, time-of-day restrictions.
- Indemnifying FloatChat against any claim arising from the Customer's Twilio account activity.
Change-notification process
- We post the updated list at floatchat.com/subprocessors and email subscribers at least 30 days before a new sub-processor starts processing personal data.
- Customers may object on reasonable grounds within 30 days of notice. We will work with the customer to find a fix, and if we can't, the customer may terminate the affected portion of the Service.
- Emergency replacements (for example, a vendor failing an audit) may use shorter notice, with a written explanation.
Contact
Questions about a specific sub-processor or the change-notification list: privacy@floatchat.com.