Workiflow LLC

Last updated: April 14th, 2026
Workiflow uses a limited number of third-party sub-processors to assist in delivering our Services. Each sub-processor is contractually required to protect personal data in accordance with our Data Processing Agreement and applicable data protection laws.
We only engage sub-processors where necessary for the delivery of our Services. Not all sub-processors are used in every client engagement — the specific sub-processors involved depend on the Services being provided.
Current Sub-processors
Service Delivery and Project Management
| Sub-processor | Purpose | Location |
|---|---|---|
| monday.com | Project management, client workspace management, and service delivery | US / EU |
| Make.com | Workflow automation and integration services | EU |
| n8n | Workflow automation and integration services | Varies by deployment |
| Front | Client email communication and shared inbox management | US |
| Slack | Internal team communication (may include client-related discussions) | US |
| PandaDoc | Proposals, contracts, and e-signatures | US |
Cloud Infrastructure and Hosting
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and application hosting | US |
| Google Cloud Platform | Cloud infrastructure and application services | US |
| Google Firebase | Application backend and hosting | US |
| Supabase | Database backend for applications, internal tools, and website | US |
| Vercel | Website hosting, application hosting, and internal tool deployment | US |
| GitHub | Source code management and version control | US |
AI and Automation
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic (Claude) | AI-powered analysis, content generation, and workflow assistance | US |
| OpenAI (ChatGPT) | AI-powered agents and automation | US |
Workiflow maintains paid enterprise plans with both AI providers. Client data is never used to train AI models. Both providers process data under their respective enterprise data processing terms, which prohibit the use of inputs and outputs for model training.
Communication and Collaboration
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Workspace | Email, documents, calendars, and internal collaboration | US |
| Zoom | Video conferencing, phone, scheduling, and meeting recordings | US |
| Recall.ai | Meeting bot for automated recording, transcription, and note-taking | US |
| Resend | Transactional and automated email delivery | US |
Recall.ai joins meetings as an automated participant to capture recordings and transcripts. Meeting content may include client discussions, strategy sessions, and sensitive business information. Recordings and transcripts are used for internal reference, meeting follow-ups, and service delivery. Clients will be informed when a meeting bot is present.
Time Tracking and Operations
| Sub-processor | Purpose | Location |
|---|---|---|
| Everhour | Time tracking and activity monitoring (includes periodic screenshots during active work sessions) | US |
Everhour’s screenshot feature captures periodic screen images during tracked work sessions. These screenshots may incidentally contain client data visible on screen. Screenshots are used solely for internal time verification and are retained in accordance with our data retention policies.
Note: Workiflow is in the process of transitioning time tracking and screenshot functionality to internal tools (see Workiflow Internal Tools below).
Financial and Billing
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing and invoicing | US |
| QuickBooks | Accounting, invoicing, and financial record-keeping | US |
| Mercury | Business banking and payment operations | US |
Financial sub-processors may process limited client information such as company name, billing contact details, and transaction amounts in connection with invoicing and payment processing.
Security
| Sub-processor | Purpose | Location |
|---|---|---|
| At-Bay (Stance) | Security monitoring, vulnerability management, and threat detection | US |
Workiflow Internal Tools
In addition to third-party sub-processors, Workiflow builds and operates its own internal tools to support service delivery. These tools process client data and are held to the same security standards as all other systems.
| Tool | Purpose | Infrastructure | Data Location |
|---|---|---|---|
| Document Generation | Creating and sending proposals, agreements, and client documents | Vercel, Supabase | US |
| Time Tracking & Screenshots | Activity monitoring and work verification (replacing Everhour) | Vercel, Supabase | US |
| Marketplace Apps | Client-facing applications on the monday.com marketplace | Vercel, Supabase, GCP, AWS | US |
How internal tools are built. Our internal tools are built on a modern web stack using React, Next.js, Vercel (hosting), and Supabase (database). These tools may use additional open-source libraries and frameworks as dependencies, but all client data is stored and processed exclusively through the infrastructure providers listed in the Cloud Infrastructure and Hosting section above.
Security. All internal tools follow the same security practices applied across Workiflow’s operations, aligned with SOC 2 Type II and ISO 27001 controls. This includes encryption in transit and at rest, role-based access controls, and regular security monitoring.
How We Manage Sub-processors
Before engagement. We assess each sub-processor’s security practices, data handling policies, and compliance posture before granting access to any personal data.
Contractual protections. Every sub-processor is bound by a written agreement that imposes data protection obligations consistent with our DPA and applicable data protection laws.
Ongoing review. We periodically review our sub-processors to ensure continued compliance with our security and privacy standards.
Notification of Changes
When we engage a new sub-processor, we update this page and notify clients with an active Data Processing Agreement at least fourteen (14) days before the new sub-processor begins processing personal data.
If you have concerns about a new sub-processor, you may object in writing within the notification period as described in our DPA.
Questions
If you have questions about our sub-processors or data processing practices, contact us at security@workiflow.com.



