Subprocessors

CallNest Cloud Subprocessors

I. Introduction

A. CallNest Cloud's Commitment to Data Privacy and Security

CallNest Cloud is fundamentally committed to the protection of customer data and the upholding of robust privacy and security standards. This commitment is integral to all aspects of CallNest Cloud's service delivery and operations. The trust of our customers is paramount, and this principle guides our selection and oversight of any third-party vendors, known as subprocessors, that are engaged to support the CallNest Cloud services. This approach mirrors the practices of other leading service providers who emphasize that protecting user data is a top priority and who build privacy into their products and processes by design. By establishing a strong foundation of trust, CallNest Cloud aims to assure customers that the engagement of subprocessors is a considered component of a comprehensive and responsible data governance strategy.

B. Purpose of this Subprocessor List

This document provides transparency regarding the third-party vendors (subprocessors) that CallNest Cloud engages to process personal data on behalf of our customers. Subprocessors are external entities that CallNest Cloud utilizes to perform specific functions necessary for the delivery and operation of the CallNest Cloud services. These functions may include, for example, hosting infrastructure, providing communication capabilities, or enabling advanced AI features.

This list is intended to inform customers about how and where their data may be processed and to assist them in fulfilling their own data protection compliance obligations. Under regulations such as the General Data Protection Regulation (GDPR), data controllers (CallNest Cloud's customers) have responsibilities concerning their data processors (CallNest Cloud) and any further subprocessors engaged by the processor. This page serves as a resource to support customers in activities such as maintaining records of processing activities and conducting data protection impact assessments. The provision of this list underscores CallNest Cloud's dedication to transparency and partnership in navigating the complexities of data protection regulations.

C. Relationship to Privacy Policy and Data Processing Addendum (DPA)

This Subprocessor List is a component of CallNest Cloud's comprehensive data privacy framework. It should be read in conjunction with CallNest Cloud's main Privacy Policy and the Data Processing Addendum (DPA) applicable to the services. The Privacy Policy provides a broader overview of CallNest Cloud's data handling practices. The DPA specifically governs CallNest Cloud's role as a data processor acting on behalf of its customers and includes detailed commitments regarding the processing of personal data, including the engagement and management of subprocessors.

These documents are interlinked; for instance, a DPA is often an inseparable part of a service provider's terms and conditions. This structure ensures that customers have a clear and complete understanding of the legal and operational framework governing their data. The DPA will further elaborate on the contractual obligations CallNest Cloud imposes on its subprocessors to ensure the protection of customer data.

Customers are encouraged to review CallNest Cloud's Privacy Policy and their DPA for a complete understanding of our data protection commitments.

CallNest Cloud Privacy Policy https://callnest.cloud/privacy-policy

CallNest Cloud Data Processing Addendum https://callnest.cloud/dpa

D. Due Diligence and Contractual Safeguards

CallNest Cloud undertakes a thorough due diligence process before engaging any subprocessor. This process is designed to verify that the subprocessor maintains data protection and security standards that are commensurate with CallNest Cloud's own commitments and with applicable legal requirements, such as those outlined in Article 32 of the GDPR concerning the security of processing.

Furthermore, CallNest Cloud enters into legally binding Data Processing Agreements (DPAs) with each subprocessor. These agreements contractually obligate the subprocessor to protect any customer data they process. These DPAs impose data protection obligations on subprocessors that are at least equivalent to those CallNest Cloud has with its customers. This includes requirements for implementing appropriate technical and organizational security measures, confidentiality obligations, restrictions on data use, and cooperation in the event of data subject requests or security incidents. This practice aligns with GDPR Article 28(4), which mandates that subprocessors be bound by the same data protection obligations as the initial processor. This contractual framework ensures a consistent level of data protection throughout the data processing chain.

E. Last Updated Date

Last Updated: October 26, 2024

This date reflects the most recent review and update of this Subprocessor List. CallNest Cloud is committed to maintaining the accuracy and currency of this information. Keeping this list current is an important aspect of our transparency and governance, reflecting a standard practice for such disclosures.

II. Subprocessor List

CallNest Cloud engages the following subprocessors to deliver various functionalities within its services. The subprocessors are categorized based on the primary services they provide. For each subprocessor, the table details their legal entity name, the specific service they render (purpose of processing), the geographic location(s) where data processing and storage primarily occur, and the data transfer mechanism relied upon if data is transferred to regions requiring such safeguards (e.g., outside the EEA). This structured presentation is intended to provide clarity and assist customers in their due diligence and compliance efforts.

1. Infrastructure Subprocessors

These providers are foundational to the CallNest Cloud platform, hosting our application, customer data, and core backend services. The location and security of data processed by these entities are of critical importance.

| Subprocessor Entity Name | Service Provided (Purpose of Processing) | Location of Data Processing & Storage | Data Transfer Mechanism (If Applicable) |
| --- | --- | --- | --- |
| DigitalOcean LLC | Cloud infrastructure, server hosting (including Docker containers, MySQL databases, PHP application environments) | United States, Netherlands (EU), as selected by CallNest | Standard Contractual Clauses (SCCs) for transfers of EEA/UK/Swiss data to the United States, if CallNest utilizes US-based infrastructure for such data. |
| Docker Inc. | Containerization platform technology. Used internally for development, testing, and deployment of CallNest Cloud application components. | United States | Not directly a subprocessor of customer Personal Data unless Docker Hub is used in a manner that involves processing such data (e.g., private image storage containing embedded data). If customer Personal Data is processed, SCCs would apply for transfers to the US. |

CallNest Cloud carefully manages data residency with providers like DigitalOcean. For customers requiring their data to remain within specific geographic regions (e.g., the European Union), CallNest Cloud utilizes DigitalOcean's EU-based data centers. It is important to distinguish the role of Docker Inc.; if its services are used exclusively for internal development and orchestration without direct processing of customer Personal Data, it may not fall under the strict definition of a subprocessor for that data. However, transparency dictates its inclusion if its tools interact with environments where customer data resides.

2. Communication & Telephony Subprocessors

These subprocessors are integral to the core communication features of CallNest Cloud, including voice calls, messaging, and email delivery. They handle communication content and metadata, which can be sensitive.

| Subprocessor Entity Name | Service Provided (Purpose of Processing) | Location of Data Processing & Storage | Data Transfer Mechanism (If Applicable) |
| --- | --- | --- | --- |
| Twilio Inc. | Telephony infrastructure for voice calls (PSTN connectivity, call routing, call recording), SMS/MMS message delivery. | United States, Global Points of Presence (POPs) | Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs) |
| SMTP2GO (SMTP2GO Pty Ltd) | Outgoing transactional email delivery (e.g., account notifications, password resets, service alerts). | United States, New Zealand, Australia, EU (Germany, Netherlands) | Standard Contractual Clauses (SCCs) for transfers of EEA/UK/Swiss data to non-adequate countries (e.g., US, NZ, Australia, if utilized for such data). |

Twilio Inc. plays a critical role in enabling CallNest Cloud's voice and messaging capabilities, processing both the content of communications (like call recordings and message text) and associated metadata (like call detail records). Twilio's global infrastructure means data may be processed in various locations to ensure service performance and resilience. Twilio employs robust data transfer mechanisms, including Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs), to legitimize international data flows. SMTP2GO is utilized for reliable delivery of transactional emails; CallNest Cloud ensures that any transfer of personal data (such as email addresses) to SMTP2GO's processing locations is covered by appropriate safeguards like SCCs.

3. AI & Large Language Model (LLM) Providers

These providers supply the advanced artificial intelligence and machine learning technologies that power features such as AI-driven virtual assistants, automated call summaries, and intelligent analytics within CallNest Cloud. A primary consideration with these providers is the handling of customer data, particularly concerning its use for model training.

| Subprocessor Entity Name | Service Provided (Purpose of Processing) | Location of Data Processing & Storage | Key Data Handling Practices & Model Training Policy | Data Transfer Mechanism (If Applicable) |
| --- | --- | --- | --- | --- |
| OpenAI (OpenAI, L.L.C.) | AI-powered text generation, voice-to-text transcription, natural language understanding for virtual assistants, call summarization, and analytics features. | United States | CallNest Cloud has contractual agreements with OpenAI stipulating that customer data submitted to the API is not used to train OpenAI's general models. | Standard Contractual Clauses (SCCs) |
| Anthropic PBC | Conversational AI and language model features for tasks such as content generation, analysis, and interactive assistance. | United States | CallNest Cloud has contractual agreements with Anthropic stipulating that customer data submitted to their services is not used to train Anthropic's general models. | Standard Contractual Clauses (SCCs) |
| Google (Gemini models via Google Cloud Platform) | Generative AI capabilities via Google Cloud AI services (e.g., Vertex AI) for features like automation, data extraction, advanced summarization, and insight generation. | United States (or as configured by CallNest Cloud within Google Cloud Platform regions). | Customer data processed via Google Cloud AI services is governed by Google Cloud's Data Processing and Security Terms, which specify that customer data is not used to train Google's general foundation models without explicit customer instruction. | Standard Contractual Clauses (SCCs), Google Cloud Data Processing Addendum terms. |

A critical aspect of engaging AI and LLM providers is ensuring that customer data is not used to train the providers' general-purpose models, which could lead to unintended data exposure or usage. CallNest Cloud contractually requires that its AI subprocessors, including OpenAI and Anthropic, do not use customer data submitted through CallNest Cloud services for the training of their publicly available models. This is a crucial safeguard. Similarly, when using Google's Gemini models via Google Cloud Platform, CallNest Cloud relies on Google's enterprise terms, which typically segregate customer data and prevent its use for training global models.

4. Payments Subprocessors

These subprocessors are engaged to securely process customer payments for CallNest Cloud subscriptions and services. They specialize in handling sensitive financial information and are typically compliant with stringent industry standards such as PCI DSS.

| Subprocessor Entity Name | Service Provided (Purpose of Processing) | Location of Data Processing & Storage | Data Transfer Mechanism (If Applicable) |
| --- | --- | --- | --- |
| Stripe, Inc. | Payment processing, subscription billing, invoicing, and related financial services. | United States, Europe (Ireland, Germany, UK), and other global locations. | Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs). |
| PayPal, Inc. | Payment processing and facilitation of online payments. | United States, Global (including Luxembourg for European operations). | Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs). |

CallNest Cloud relies on established and secure payment processors like Stripe and PayPal to handle customer payment transactions. These providers operate globally and have implemented comprehensive data protection measures, including BCRs and SCCs, to ensure the lawful transfer and processing of personal data associated with financial transactions. CallNest Cloud itself does not store full credit card numbers; such sensitive data is handled directly by these specialized payment subprocessors.

5. Analytics & Monitoring Subprocessors

These providers assist CallNest Cloud in monitoring the performance and stability of its platform, tracking application errors, and gathering usage analytics. This information is vital for maintaining service quality, troubleshooting issues, and planning service improvements.

| Subprocessor Entity Name | Service Provided (Purpose of Processing) | Location of Data Processing & Storage | Data Transfer Mechanism (If Applicable) |
| --- | --- | --- | --- |
| Sentry (Functional Software, Inc.) | Real-time error tracking, application performance monitoring, and diagnostic data collection. | United States | Standard Contractual Clauses (SCCs) |

Sentry is utilized to identify and diagnose technical issues within the CallNest Cloud platform, helping to ensure a reliable service. The data sent to Sentry may include system logs, error details, and certain contextual information about user sessions where errors occur. CallNest Cloud endeavors to minimize the personal data shared with analytics and monitoring services and may employ techniques such as data pseudonymization where feasible. Any transfer of personal data of EEA/UK/Swiss individuals to Sentry in the United States is protected by SCCs. CallNest Cloud's main Privacy Policy provides further details on how analytics data is used.

III. International Data Transfers

A. Explanation of Cross-Border Data Flows

To deliver the CallNest Cloud services effectively and leverage specialized expertise, CallNest Cloud and its subprocessors may transfer, store, and process customer personal data in countries other than the customer's country of residence. This is a common practice for global SaaS providers. CallNest Cloud is committed to ensuring that all such international data transfers are conducted securely and in compliance with applicable data protection laws, including GDPR, the UK GDPR, and other regional regulations.

B. Mechanisms for Lawful Transfers

When personal data originating from regions with specific data export restrictions (such as the European Economic Area (EEA), the United Kingdom (UK), and Switzerland) is transferred to countries not deemed to provide an "adequate" level of data protection by relevant authorities (e.g., transfers to the United States), CallNest Cloud relies on legally recognized transfer mechanisms. These mechanisms are implemented through our Data Processing Agreements with the respective subprocessors and include:

Standard Contractual Clauses (SCCs): For the majority of transfers to subprocessors located in countries without an adequacy decision, CallNest Cloud incorporates the Standard Contractual Clauses adopted by the European Commission (and the equivalent UK International Data Transfer Agreement or Addendum). These clauses contractually require the data importer to protect personal data to a standard comparable to that of the EEA/UK.

Adequacy Decisions: If a subprocessor processes data in a country that the European Commission (or the UK government) has formally recognized as providing an adequate level of data protection, data transfers to that country may be based on this adequacy decision.

Binding Corporate Rules (BCRs): Some of CallNest Cloud's subprocessors (e.g., Twilio, Stripe, PayPal) have implemented Binding Corporate Rules approved by European data protection authorities. BCRs provide a comprehensive framework for international data transfers within a corporate group and are recognized as a valid transfer mechanism.

CallNest Cloud continuously monitors the evolving legal landscape for international data transfers to ensure ongoing compliance and the protection of customer data.

IV. Updates to this Subprocessor List

CallNest Cloud is committed to keeping this Subprocessor List current and transparent. As our services evolve, we may need to add or change subprocessors.

A. Notification of Changes

CallNest Cloud will notify customers of any new subprocessor engagements or significant changes to existing ones (such as a change in the service provided or the location of data processing) that are material to the services provided to the customer. The method and timing of such notifications will be in accordance with the terms of the Data Processing Addendum (DPA) between CallNest Cloud and the customer.

Typically, this involves:

1. Updating this Subprocessor List page, including revising the "Last Updated" date.

2. Providing customers with prior written notice (e.g., via email to the account administrator or through the CallNest Cloud service portal) before a new subprocessor begins processing customer personal data. This notification period (e.g., 30 days) allows customers an opportunity to review the change.

3. Where the DPA with our customers provides for it, offering a mechanism for customers to object to the appointment of a new subprocessor on reasonable data protection grounds.

Customers are encouraged to regularly review this page and the notifications provided by CallNest Cloud. Maintaining transparency about subprocessor changes is essential for compliance with regulations like GDPR Article 28(2), which addresses the processor's engagement of other processors.

V. Contact Information

A. How to Reach CallNest Cloud for Privacy Inquiries

Should you have any questions regarding this Subprocessor List, CallNest Cloud's privacy practices, or how your data is handled, please do not hesitate to contact us. CallNest Cloud has a dedicated channel for privacy-related inquiries to ensure that your questions are addressed by the appropriate personnel.

For all privacy-related matters, including questions about our subprocessors or our Data Protection Officer (DPO), please contact:

Email: info@callnest.cloud

Providing a clear and accessible point of contact is a key element of CallNest Cloud's commitment to accountability and data protection. We are dedicated to addressing your concerns and providing clarity on our data processing activities.