Legal
Sub-processors
A list of the third-party services we use to process personal data on your behalf, what they do, what data they receive, and where they operate.
Last Updated: 9 April 2026
What is a sub-processor?
A sub-processor is a third-party service that processes personal data on our behalf to help us deliver GloriaMundo. Under UK GDPR, we are required to tell you who these services are, what they do with your data, and where they are located.
We will give at least 30 days' notice before adding a new sub-processor that handles personal data. Changes will be published on this page. We recommend bookmarking it and checking back periodically, or emailing [email protected] to ask us to notify you of changes.
Current sub-processors
| Service | Purpose | Data categories | Location | Privacy notice |
|---|---|---|---|---|
| Anthropic, PBC | LLM inference for AI generation (direct API for architect and tool-search calls) | User messages, conversation context, workflow prompts | United States | Link |
| BrightData Ltd | Proxy-based web scraping and browser automation for workflow research steps | URLs to scrape, JavaScript execution context, search queries | Israel; global proxy network | Link |
| Cloudflare, Inc. | CDN, DNS, DDoS protection, and web application firewall | All HTTP traffic (IP addresses, request URLs, headers) | Global edge network; United States (headquarters) | Link |
| Composio, Inc. | OAuth token management and third-party integration execution for connected services | OAuth tokens for connected services, integration execution payloads, user entity identifiers | United States | Link |
| E2B (FoundryLabs, Inc.) | Sandboxed Python code execution for workflow steps | User-authored and AI-generated code, workflow step payloads, data fetched during execution | United States | Link |
| Firecrawl (Mendable, Inc.) | Batch web crawling and structured data extraction for workflow research steps | URLs to crawl, extraction schemas, search queries | United States | Link |
| Google LLC (Google Cloud Platform) | Infrastructure hosting (Cloud Run, Cloud SQL, Memorystore, Cloud Storage, Cloud Logging); authentication (Google Sign-In); image generation (Vertex AI Imagen) | All application data at rest and in transit; SSO tokens; application logs; image generation prompts; shared workflow preview images | United Kingdom (europe-west2 for Cloud Run, Cloud SQL, Memorystore); United States (Vertex AI, Cloud Logging, Analytics) | Link |
| Graphlit | Document ingestion, indexing, and semantic retrieval (RAG) for uploaded files | Uploaded documents (PDF, DOCX, TXT, web pages), ingested text content, semantic search queries | United States | Link |
| Inngest, Inc. | Durable workflow orchestration and execution | Workflow payloads including user identifiers, step definitions, and step results (which may contain personal data fetched from connected services) | United States | Link |
| Loops HQ, Inc. | Email automation, waitlist management, and lifecycle campaigns | User email address, name, signup date, lifecycle event data | United States | Link |
| Mailslurp (Corrily, Inc.) | Disposable email addresses for testing and verification | Email addresses, inbound email content | United States | Link |
| OpenRouter, Inc. | LLM inference routing for most AI generation calls | User messages, conversation context, workflow prompts | United States | Link |
| PostHog, Inc. | Product analytics and event tracking | User identifiers, feature usage events, session properties | United States | Link |
| Functional Software, Inc. (Sentry) | Error tracking and performance monitoring | Stack traces, request metadata, IP addresses, user identifiers attached to error events | United States | Link |
| Serper | Web search API (Google Search proxy) for workflow research steps | Search queries, filters, time ranges (queries may contain personal data from workflow context) | United States | Link |
| Stripe, Inc. | Payment processing and billing | Billing address, payment card details (we never see full card numbers), customer email, tax identification | United States | Link |
| Tavily | AI-powered web search and content extraction for workflow research steps | Search queries, extraction parameters (queries may contain personal data from workflow context) | United States | Link |
| Turnkey Infrastructure, Inc. | Cryptographic key management for the credential vault | Wallet identifiers, signing requests, key derivation material | United States | Link |
| Twilio, Inc. | SMS and voice communication capabilities for agent interactions | Phone numbers, message content | United States | Link |
| Twilio, Inc. (SendGrid) | Transactional email delivery for notifications | Recipient email addresses, notification content | United States | Link |
| Zep, Inc. | Conversation memory storage and retrieval (when the Memory feature is enabled) | Conversation context, user messages, stored memory facts | United States | Link |
Notes
- Google Cloud Platform sub-services (Cloud Run, Cloud SQL, Memorystore, Cloud Storage, Cloud Logging, Vertex AI) are listed as a single entry because they fall under a single Data Processing Addendum with Google.
- Twilio appears twice because it provides two distinct services: SMS/voice communication (Twilio) and transactional email delivery (SendGrid, a Twilio subsidiary). Both fall under Twilio's privacy notice and Data Processing Addendum.
- Web search and extraction services (Serper, Tavily, Firecrawl, BrightData) are used only when your workflows include research steps. If you do not use research workflows, your data is not sent to these services.
- For details on how we use these sub-processors and what data flows through them, see our Privacy Policy.