Subprocessors
Last updated: July 8, 2026
A subprocessor is a third-party service that we engage to process customer personal data on our behalf in order to provide the Qbox service. We enter into data-processing agreements with each of our subprocessors that require them to protect your data and to process it only as needed to provide their service to us.
We will update this page at least 30 days before adding or replacing a subprocessor that processes customer personal data, and announce material changes in the app.
Current Subprocessors
| Subprocessor | Purpose | Personal data processed | Location | Transfer safeguards |
|---|---|---|---|---|
| Supabase (on AWS) | Database, authentication, file storage, serverless functions | All customer data stored in Qbox | United States | Provider DPA with SCCs |
| Vercel | Web application hosting | Request metadata | United States / global | Provider DPA with SCCs; EU-U.S. DPF certified |
| Gmail & Google Calendar APIs (user-authorized access); Gemini API for AI drafting and analysis (content not used for model training) | Mailbox and calendar content; AI-processed email content | United States | Provider DPA; EU-U.S. DPF certified; SCCs | |
| Microsoft | Outlook & Microsoft Graph APIs (user-authorized access) | Mailbox and calendar content | United States | Provider DPA; EU-U.S. DPF certified; SCCs |
| OpenAI | AI processing: text embeddings for search/matching, voice-input transcription, document text extraction (API data not used for model training) | Email text, voice input (transient, not stored), uploaded knowledge-base documents | United States | Provider DPA with SCCs |
| Unipile | LinkedIn integration | LinkedIn messages and profile data of accounts you connect | France (EU) | Provider DPA |
| Stripe | Billing and payments | Email address; payment details are collected directly by Stripe | United States | Provider DPA; EU-U.S. DPF certified; SCCs |
| Resend | Transactional email delivery | Names and email addresses in team invitations and contact-form submissions | United States | Provider DPA with SCCs |
| Jina AI | Extracting text content from websites you ask us to import into your knowledge base | The URLs you submit and the fetched page content | Germany (EU) | Provider DPA |
| Google Analytics & HubSpot | Analytics and visitor engagement on our public marketing website only (never loaded inside the application) | Website visitor and cookie data | United States | Provider terms |
Locations reflect each provider's primary region; providers may process data in additional regions as described in their own subprocessor disclosures. Where a provider is not certified under the EU-U.S. Data Privacy Framework, transfers rely on Standard Contractual Clauses.
For more information about how we handle your data, see our Privacy Policy.