Sub-Processors & Third-Party Services
KAITALK uses a small, carefully selected set of third-party services to operate. This page lists every company that may process data on your behalf.
Our Sub-Processors
Under GDPR Art. 28, LGPD Art. 37, and LFPDPPP Art. 36, KAITALK discloses all parties that process personal data on behalf of our customers.
Twilio Inc.
Voice calls, SMS, WhatsApp Business API — the backbone of KAITALK's phone and messaging infrastructure.
Caller phone number, call audio (for AI transcription), call metadata (duration, timestamp). For WhatsApp: message content, sender PSID.
Stripe Inc.
Payment processing for USD (US) and MXN (Mexico) subscriptions. KAITALK never handles raw card numbers — Stripe Checkout is the only payment interface.
Billing email, business name, country, subscription status. Payment card data handled entirely by Stripe — never touches KAITALK servers.
Neon (Neon Inc.)
PostgreSQL database hosting on AWS us-east-1. All KAITALK customer data — accounts, call logs, appointments, analytics — is stored here.
All personal data stored by KAITALK: account emails, phone numbers (hashed for analytics), call transcripts (PHI encrypted at field level), appointments, AI interaction logs.
Render Services Inc.
Application hosting — the KAITALK Express.js server runs on Render's US-Oregon infrastructure. No persistent data is stored on Render; it connects to Neon for all data.
Application logs (IP addresses hashed), HTTP request headers, environment variables (secrets). No user content stored at rest on Render infrastructure.
Cloudflare Inc.
CDN and R2 object storage. KAITALK uses Cloudflare for static asset delivery and file storage (e.g., call recordings if enabled, PDF downloads).
IP addresses (for geo-detection via CF-IPCountry header, then discarded), cached static assets. R2: uploaded files including any stored call recordings.
Postmark (ActiveCampaign LLC)
Transactional email delivery — magic link authentication emails, DSR confirmations, trial drip sequences, billing receipts.
Recipient email address, email subject and body, delivery metadata (timestamp, open/click events if enabled). No email content stored beyond delivery logs.
What Data Goes Where
Data Flow Summary
| Data Type | Sub-Processors Involved | Retention |
|---|---|---|
| Phone number (caller) | Twilio, Neon | For life of account + 30 days after deletion |
| Call audio & transcript | Twilio (in-flight), Neon (stored) | 90 days default; PHI encrypted at field level |
| Business email | Neon, Postmark | For life of account |
| Payment info | Stripe only | Per Stripe retention policy (card data never stored by KAITALK) |
| IP addresses | Cloudflare (transit), Neon (SHA-256 hash only) | Raw IPs discarded immediately; hashes retained 90 days |
| WhatsApp messages | Twilio, Neon | 90 days |
| Appointment bookings | Neon | For life of account |
| Authentication tokens | Neon | 30 minutes (one-time use, then deleted) |
Our Data Processing Principles
Encryption at Rest
AES-256-GCM for PHI. Neon encrypts all data at rest. TLS 1.3 in transit.
Data Minimization
We collect only what's needed. IPs are hashed and the raw addresses are not stored. Card data never touches our servers.
Contractual Protection
All sub-processors are bound by Data Processing Agreements (DPAs) covering GDPR, LGPD, and LFPDPPP obligations.
Right to Deletion
Submit a deletion request at /dsr. We propagate deletion to all sub-processors within the regulatory deadline.
Changes to This List
KAITALK will notify active business customers at least 10 days before adding a new sub-processor, unless the change is required for security, legal, or regulatory reasons (in which case we notify at the earliest opportunity).
This notification will be sent to the email address registered in your account. Previous versions of this list are available on request via privacidad@kaitalk.online.
Questions
If you have questions about how KAITALK processes data or want to exercise your rights:
- Privacy contact: privacidad@kaitalk.online
- Data Subject Request: kaitalk.online/dsr
- Data Processing Agreement: kaitalk.online/dpa
- Privacy Policy: kaitalk.online/privacy
Need a Data Processing Agreement?
For enterprise customers and regulated industries requiring a signed DPA.