Use cases

WISMO Damaged & missing items Subscriptions Product advice Refunds & returns

Resources

Case studies Blog
Integrations Sign in

Sub-processors

Last updated 18 May 2026

On this page
  1. How we use Sub-processors
  2. How we authorise and review Sub-processors
  3. Notification of changes
  4. Current Sub-processors
  5. Systems that are not Engaige Sub-processors
  6. How to raise a concern or object to a Sub-processor
  7. Contact

This page lists the third parties (the Sub-processors) that Engaige Technologies B.V. (Engaige) engages to process Customer Content on behalf of its Customers as part of the Engaige Service. It is the authoritative Sub-processor page referenced in Section 11 of the Engaige Data Processing Agreement (the DPA) and is the primary channel through which Engaige gives notice of intended changes under Section 7 of the DPA.

This page does not cover service providers that Engaige uses as a data controller for its own marketing, sales, recruitment and business-operations purposes (for example, the providers behind our website, CRM, email, and analytics for visitors and prospects). Those are described in our Privacy Policy.

How we use Sub-processors

Engaige is the processor for Customer Content under the DPA. To deliver the Engaige Service, we engage a small number of carefully selected Sub-processors that each play a specific role — for example, hosting our database, running large-language-model inference, or monitoring errors. Every Sub-processor on this page is bound by a written data-processing agreement with Engaige that imposes data-protection obligations equivalent to those Engaige owes its Customers under the DPA, and Engaige remains fully liable to the Customer for each Sub-processor’s performance.

We organise some of our Sub-processors into categories rather than naming a single fixed provider. A category is a functional layer of the Service — for example, LLM providers — within which Engaige may use, route between, or change providers, provided that each provider satisfies the equivalence criteria for that category set out in Section 6 of the DPA. The Customer’s authorisation in Section 7 of the DPA extends to all providers within an approved category that satisfy the equivalence criteria. The category approach lets us adopt new and better models as they become available without exposing Customers to providers that fall short of the standard we have committed to.

How we authorise and review Sub-processors

For every Sub-processor in the LLM category, Engaige verifies, before routing any production traffic, that the provider:

  1. exposes an EEA-resident endpoint that Engaige uses to serve Customer traffic;
  2. has contractually committed not to use Customer Content submitted via its API to train or improve its models;
  3. operates under a data processing agreement materially equivalent to the protections in the Engaige DPA — in particular the security, confidentiality, breach-notification and assistance obligations; and
  4. makes available a Chapter V GDPR transfer mechanism (EU–U.S. Data Privacy Framework certification where the importer is a U.S. entity, otherwise the EU Standard Contractual Clauses) covering any incidental administrative or support access from outside the EEA.

Engaige monitors these criteria on an ongoing basis and treats any failure to satisfy them as a material change under Section 6 of the DPA.

For Sub-processors outside the LLM category, Engaige applies a comparable diligence process focused on the technical and organisational measures, transfer mechanism and contractual data-protection terms appropriate to the service the provider delivers.

In each case the Sub-processor is bound by a written data-processing agreement that, where the provider is established outside the EEA or processes Customer Content from outside the EEA, includes the EU Standard Contractual Clauses (Module Two or Module Three as applicable) and any supplementary measures Engaige considers necessary in light of the Court of Justice of the European Union’s case law and the European Data Protection Board’s recommendations on international transfers.

Notification of changes

Engaige gives notice of intended changes to its Sub-processors by updating this page. Customers can also subscribe a designated privacy contact to email notifications of updates by writing to privacy@letsengaige.com.

For changes that introduce a Sub-processor in a new functional area, or that materially relax the equivalence criteria for an existing category, Engaige observes the thirty (30) day prior-notice and objection procedure set out in Section 7 of the DPA. For changes that add, remove or route traffic between providers within an existing approved category (LLM providers), the routing-within-an-approved-category provisions of Section 7 apply: the Customer’s general written authorisation in the DPA extends to all providers in the category that satisfy the equivalence criteria, and Engaige updates this page no later than the date on which production traffic begins to route to the new provider.

If a Customer reasonably objects on data-protection grounds to a new Sub-processor, the procedure and remedies in Section 7 of the DPA apply.

Current Sub-processors

The Sub-processors set out below are approved as at the date of this page.

LLM providers (category)

This category covers the large-language-model inference and vector-embedding generation that power the Engaige Service. Each provider in the category satisfies the four equivalence criteria above.

Microsoft Azure OpenAI Service (EU region). Large-language-model inference served from an EEA-resident endpoint under Azure’s data-residency commitments. Contracted under the Microsoft Products and Services Data Protection Addendum. Microsoft does not use Customer Content submitted via the Azure OpenAI Service API to train or improve its models. Prompt and completion content may be retained by Microsoft for up to thirty (30) days for abuse monitoring; abuse-monitoring access is governed by the Microsoft Products and Services DPA. Transfer mechanism for any incidental U.S. support access: EU–U.S. Data Privacy Framework certification and the EU Standard Contractual Clauses in the Microsoft DPA.

Anthropic (EEA region). Large-language-model inference using the Claude family of models, via Anthropic’s EEA-resident API offering. Contracted under the Anthropic Commercial Terms and the Anthropic Data Processing Addendum. Anthropic does not use Customer Content submitted via the API to train or improve its models. Transfer mechanism for any incidental U.S. support access: EU–U.S. Data Privacy Framework certification and the EU Standard Contractual Clauses in the Anthropic DPA.

OpenAI (EU data residency). Large-language-model inference via OpenAI’s EU-data-residency API offering, served from an EEA-resident endpoint. Contracted under the OpenAI Business Terms and the OpenAI Data Processing Addendum. OpenAI does not use Customer Content submitted via the API to train or improve its models. Transfer mechanism for any incidental U.S. support access: EU–U.S. Data Privacy Framework certification and the EU Standard Contractual Clauses in the OpenAI DPA.

Google (EEA region). Large-language-model inference and vector-embedding generation via Google Gemini models served from an EEA endpoint within Engaige’s EEA-based Google Cloud project. Contracted under the Google Cloud Data Processing Addendum. Google does not use Customer Content submitted via the Vertex AI / Gemini API to train or improve its foundation or embedding models. Transfer mechanism for any incidental U.S. support access: EU–U.S. Data Privacy Framework certification (Google LLC) and the EU Standard Contractual Clauses in the Google Cloud DPA.

Core platform

Google Cloud Platform (EU region). Compute, object storage and managed-secrets infrastructure underlying the Engaige Service. Customer Content stored within Engaige’s primary database and object stores resides in the EEA. This engagement is separate from the LLM category above. Contracted under the Google Cloud Data Processing Addendum. Transfer mechanism for any incidental U.S. support access: EU–U.S. Data Privacy Framework certification (Google LLC) and the EU Standard Contractual Clauses in the Google Cloud DPA.

Weaviate (EU region). Vector database used for semantic search and retrieval; stores a subset of Customer Content in the form of vector representations and associated metadata. Retention aligns with the primary database for the duration of the Master Agreement, with deletion on the timelines in Section 12 of the DPA. Transfer mechanism: the EU Standard Contractual Clauses under the Weaviate data processing agreement.

Supabase (EU region). Authentication service and managed Postgres database. Customer Content stored in Supabase resides in the EEA. Transfer mechanism: the EU Standard Contractual Clauses under the Supabase data processing agreement.

Hookdeck Inc. (Canada). Webhook processing and delivery. Event payloads are retained for up to seven (7) days, after which they are automatically purged. Transfer mechanism: the EU Standard Contractual Clauses (Module Three, processor to sub-processor) under the Hookdeck data processing agreement.

Resend, Inc. (EU region). Transactional email delivery used to send platform-generated emails to the Customer’s users. Customer Content processed by Resend is limited to recipient email addresses and email body content. Customer Content is processed in the EEA (eu-west-1). Transfer mechanism: the EU Standard Contractual Clauses under the Resend data processing agreement.

Analytics and observability

Sentry (EU region). Application error monitoring with server-side personal-data scrubbing configured for Engaige’s tenant. Customer Content is processed in the EEA. Transfer mechanism for any incidental U.S. support access: EU–U.S. Data Privacy Framework certification and the EU Standard Contractual Clauses.

PostHog (EU region). Product analytics and session replay with input masking and form blocking enabled for Engaige’s tenant. Customer Content is processed in the EEA. Transfer mechanism for any incidental U.S. support access: EU–U.S. Data Privacy Framework certification and the EU Standard Contractual Clauses.

Langfuse (EU region). Large-language-model call observability and tracing; stores prompts, completions and model metadata for the purposes of debugging, evaluation and quality monitoring of the AI-assisted Service. Customer Content is processed in the EEA. Transfer mechanism: the EU Standard Contractual Clauses under the Langfuse data processing agreement.

Customer support

Pylon (Pylon Labs Inc., US). Shared inbox and ticketing platform used to receive and triage Customer support requests submitted to Engaige. Engaige instructs the Customer’s authorised contacts not to include end-user personal data in support communications; any personal data included by the Customer (including incidental end-user personal data in support requests, attachments or screenshots) is processed by Pylon as a Sub-processor of Engaige. Pylon is SOC 2 Type II and ISO 27001 certified. Transfer mechanism for U.S. processing: the EU Standard Contractual Clauses (Module Two) and the UK Addendum under the Pylon data processing agreement.

Systems that are not Engaige Sub-processors

For the avoidance of doubt, the following systems are not Sub-processors of Engaige. They are Customer-controlled systems with which Engaige integrates by API under the Customer’s instructions; the Customer is the controller (or, where it is itself a processor, the processor) for those systems and is responsible for its own contractual relationship with each provider.

  • The Customer’s own customer-experience platform (for example, Kustomer, Zendesk, Intercom, HubSpot Service, Freshdesk, Salesforce Service Cloud, Front, Gorgias and similar).
  • Any action-tool systems the Customer configures the AI agent to call (for example, Shopify, n8n and similar).
  • Any knowledge or policy sources the Customer connects to the Service from its own systems.

How to raise a concern or object to a Sub-processor

A Customer that wishes to object on reasonable data-protection grounds to a new Sub-processor, or to raise any other concern about a current Sub-processor, should follow the procedure in Section 7 of the DPA. Objections and concerns can be sent to privacy@letsengaige.com.

Contact

For questions about Sub-processors, transfer mechanisms or this page, contact privacy@letsengaige.com.

Engaige Technologies B.V., registered in the Netherlands under Chamber of Commerce (KvK) number 90976827.