Scope
This list identifies the third-party sub-processors that Talarity may use to process Customer Data in connection with the Service. Vendors used solely for Talarity's internal business operations or corporate administration are not listed here unless they process Customer Data.
This list should be read together with Talarity's Data Processing Addendum, Privacy Policy, Terms of Service, and Security Overview.
Sub-processor obligations
Talarity requires each sub-processor to enter into written agreements imposing data-protection, confidentiality, and security obligations no less protective than those required under Talarity's applicable customer agreement and Data Processing Addendum. Talarity remains responsible for the acts and omissions of its sub-processors with respect to Customer Data.
Notice and objection
Talarity will provide at least 30 days' notice before adding a new sub-processor. Customers may object to a new sub-processor by notifying Talarity in writing within that 30-day notice period, describing the reasonable data-protection basis for the objection. Talarity will use commercially reasonable efforts to address the objection — which may include providing additional information, configuring the Service to avoid use of the sub-processor where feasible, or allowing termination of the affected Service as provided in the applicable agreement.
Talarity may replace or add a sub-processor on shorter notice where necessary to maintain the security, availability, or continuity of the Service, or where required by law. In such cases, Talarity will provide notice as soon as reasonably practicable.
International transfers
Where a sub-processor processes personal data outside the customer's jurisdiction, Talarity relies on appropriate transfer mechanisms as required by applicable law, which may include Standard Contractual Clauses, adequacy decisions, the EU-U.S. Data Privacy Framework, the UK Extension, or other lawful transfer mechanisms, as applicable. The transfer mechanisms relied on for a given sub-processor may vary based on that sub-processor's certifications and the customer's location.
Current sub-processors
The "Applies to" column distinguishes sub-processors used for the core Service from those used only for optional features or specific customer configurations. "Location" describes the primary processing region; data may also be processed in other locations as described in the relevant provider's documentation or Data Processing Addendum (for example, for support access, backups, telemetry, or legal requirements).
| Sub-processor | Applies to | Service area | Purpose | Data processed | Location |
|---|---|---|---|---|---|
| Google Cloud Platform (Google LLC) | All customers | Core service | Hosting (Cloud Run, Cloud Functions, Cloud SQL), storage (Cloud Storage), authentication (Firebase Auth) | Customer Data, account data, authentication data, logs | United States (us-central1) and other locations as described in Google's DPA |
| Cloudflare, Inc. | All customers | Core service | CDN, DDoS protection | IP address, device and browser metadata, request logs | Global edge network |
| Google LLC (reCAPTCHA) | All customers | Core service | Bot detection on login, registration, password reset, and marketing-site forms (anti-abuse / anti-fraud scoring) | IP address, device and browser metadata, interaction signals; no Customer Data content | United States and other locations as described in Google's privacy and reCAPTCHA terms |
| SendGrid (Twilio Inc.) | Customers receiving account or transactional emails | Communications | Transactional email delivery, deliverability event tracking | Name, email address, email content and metadata, delivery events | United States and other locations as described in Twilio's DPA |
| OpenAI, L.L.C. | Customers using AI Insights | Optional AI features | LLM inference for AI Insights features (board reports, policy drafting, intake routing) | Customer-provided prompts, generated outputs, limited request metadata; Talarity uses API-tier configurations under which inputs and outputs are not used to train OpenAI's models | United States and other locations as described in OpenAI's DPA |
| Anthropic, PBC | Customers using AI Insights | Optional AI features | LLM inference for AI Insights features (board reports, policy drafting, intake routing) | Customer-provided prompts, generated outputs, limited request metadata; Talarity uses API-tier configurations under which inputs and outputs are not used to train Anthropic's models | United States and other locations as described in Anthropic's DPA |
| Plausible Insights OÜ | Marketing site visitors only | Marketing analytics | Cookieless website analytics for www.talarity.com | Aggregated usage analytics, limited visitor metadata; no cookies, no cross-site identifiers | European Union |
| Stripe, Inc. | Paid subscriptions only | Payments | Payment processing, fraud prevention, invoicing for paid subscriptions | Billing contact, payment metadata, transaction data | United States and other locations as described in Stripe's DPA |
Subscribe to changes
To be notified of sub-processor additions or replacements, email support@talarity.com and ask to be added to the sub-processor update list. Active customers also receive notice through the in-product notification channel.