Workiflow uses a limited number of third-party sub-processors to assist in delivering our Services. Each sub-processor is contractually required to protect personal data in accordance with our Data Processing Agreement and applicable data protection laws.
We only engage sub-processors where necessary for the delivery of our Services. Not all sub-processors are used in every client engagement. The specific sub-processors involved depend on the Services being provided.
Current Sub-processors
Service Delivery and Project Management
| Sub-processor | Purpose | Location |
|---|---|---|
| monday.com | Project management, client workspace management, and service delivery | US / EU |
| Make.com | Workflow automation and integration services | EU |
| Front | Client email communication and shared inbox management | US |
| Slack | Internal team communication (may include client-related discussions) | US |
Cloud Infrastructure and Hosting
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and application hosting | US |
| Google Cloud Platform | Cloud infrastructure and application services | US |
| Google Firebase | Application backend and hosting | US |
| Supabase | Database backend for applications and website | US |
| Vercel | Website hosting and deployment | US |
| GitHub | Source code management and version control | US |
AI and Automation
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic (Claude) | AI-powered analysis, content generation, and workflow assistance | US |
| OpenAI (ChatGPT) | AI-powered agents and automation | US |
Workiflow maintains paid business plans with both AI providers, under terms that prohibit training on inputs and outputs. Client data is never used to train AI models.
Communication and Collaboration
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Workspace | Email, documents, calendars, and internal collaboration | US |
| Zoom | Video conferencing, phone, scheduling, and meeting recordings | US |
| Recall.ai | Meeting bot for automated recording, transcription, and note-taking | US |
| Resend | Transactional and automated email delivery | US |
Recall.ai joins meetings as an automated participant to capture recordings and transcripts. Meeting content may include client discussions, strategy sessions, and sensitive business information. Recordings and transcripts are used for internal reference, meeting follow-ups, and service delivery. Clients will be informed when a meeting bot is present.
Time Tracking and Operations
| Sub-processor | Purpose | Location |
|---|---|---|
| Everhour | Time tracking and activity monitoring (includes periodic screenshots during active work sessions) | US |
Everhour's screenshot feature captures periodic screen images during tracked work sessions. These screenshots may incidentally contain client data visible on screen. Screenshots are used solely for internal time verification and are retained in accordance with our data retention policies.
Financial and Billing
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing and invoicing | US |
| QuickBooks | Accounting, invoicing, and financial record-keeping | US |
| Mercury | Business banking and payment operations | US |
Financial sub-processors may process limited client information such as company name, billing contact details, and transaction amounts in connection with invoicing and payment processing.
Security
| Sub-processor | Purpose | Location |
|---|---|---|
| At-Bay (Stance) | Security monitoring, vulnerability management, and threat detection | US |
How We Manage Sub-processors
Before engagement. We assess each sub-processor's security practices, data handling policies, and compliance posture before granting access to any personal data.
Contractual protections. Every sub-processor is bound by a written agreement that imposes data protection obligations consistent with our DPA and applicable data protection laws.
Ongoing review. We periodically review our sub-processors to ensure continued compliance with our security and privacy standards.
Notification of Changes
When we engage a new sub-processor, we update this page and notify clients with an active Data Processing Agreement at least fourteen (14) days before the new sub-processor begins processing personal data.
If you have concerns about a new sub-processor, you may object in writing within the notification period as described in our DPA.
Questions
If you have questions about our sub-processors or data processing practices, contact us at security@workiflow.com.