Subprocessors
Last updated: October 8, 2025
This page lists third-party subprocessors that Floa Software Solutions Ltd ("Floa," "we," "us") engages to help deliver, secure, and support our Services. Terms used but not defined here have the meanings in our Data Processing Addendum (DPA).
How we use subprocessors (at a glance)
- General authorisation. Per our DPA, you authorise Floa to use subprocessors.
- Our responsibility. We impose data-protection obligations on subprocessors no less protective than our DPA and remain responsible for their performance.
- Notice of changes. We will update this page to reflect additions or replacements.
- Objections. You may object on reasonable, data-protection grounds within 10 days of publication by emailing privacy@getfloa.com. If unresolved, you may suspend the affected feature or terminate the impacted Services (pro-rata refund for prepaid, unused fees where applicable).
Data residency & transfers
- We aim to process and store Customer Personal Data in EU/UK regions where feasible (e.g., Azure West Europe and EU database regions).
- Where transfers outside the UK/EEA occur, we rely on EU SCCs (2021/914) and, for the UK, the UK Addendum, plus supplementary measures (e.g., TLS, encryption at rest, access controls).
Current subprocessors (core)
These providers are part of our core stack and will typically process Customer Personal Data whenever you use the platform.
| Subprocessor | Purpose | Categories of Data | Processing Location(s) | Entity Country | Transfer Mechanism | Notes |
|---|---|---|---|---|---|---|
| Microsoft Azure | Cloud hosting, compute, storage, CDN, networking (incl. Front Door/Static Web Apps) | Account data, content stored/served by the app, usage/telemetry | EU | USA | SCCs + UK Addendum (as needed) | Encryption in transit/at rest; role-based access controls |
| Azure Application Insights (Microsoft) | Monitoring, logs, performance metrics | Pseudonymous telemetry (events, timings, headers/IP (may be truncated)) | EU | USA | SCCs + UK Addendum | Used for observability and incident response |
| Azure OpenAI (Microsoft) | AI inference (processing prompts/inputs to generate outputs) | Text/files you submit for generation; output metadata | EU | USA | SCCs + UK Addendum | We opt out of provider training by default where supported |
| Supabase | Managed Postgres DB, auth, storage | Account data, content you upload, metadata | EU | USA | SCCs + UK Addendum | Encryption at rest; fine-grained RLS policies |
Messaging & communications (feature-dependent)
These processors apply only if you enable outbound messaging or related features.
| Subprocessor | Purpose | Categories of Data | Processing Location(s) | Entity Country | Transfer Mechanism | Notes |
|---|---|---|---|---|---|---|
| Twilio / SendGrid | Transactional email & SMS/WhatsApp delivery | Recipient identifiers (email/phone), message content, delivery metadata | EU/US (routing dependent) | USA | SCCs + UK Addendum | Anti-abuse and deliverability tooling |
| Resend | Email sending via API | Recipient identifiers, message content, delivery metadata | EU/US (routing dependent) | USA | SCCs + UK Addendum | Edge-function integration option |
Billing & payments (feature-/plan-dependent)
Used when you purchase or manage a paid subscription.
| Subprocessor | Purpose | Categories of Data | Processing Location(s) | Entity Country | Transfer Mechanism | Notes |
|---|---|---|---|---|---|---|
| Stripe | Payment processing, subscription billing, invoicing | Billing contact, payment tokens, transaction metadata | EU/US (processor routing) | USA/UK | SCCs + UK Addendum | Card data handled by the processor; we do not store raw PANs |
| Xero | Accounting & invoicing | Invoice details, billing contact, amounts, tax IDs | EU/US (service hosting) | New Zealand | SCCs + UK Addendum | Bookkeeping and statutory records |
Customer support, CRM & marketing (context-dependent)
May process personal data you share with us for support, onboarding, or marketing site interactions.
| Subprocessor | Purpose | Categories of Data | Processing Location(s) | Entity Country | Transfer Mechanism | Notes |
|---|---|---|---|---|---|---|
| Attio | CRM, marketing emails/forms (website) | Lead/contact info, communications metadata | EU/US (service hosting) | USA | SCCs + UK Addendum | For website leads and product updates |
| Microsoft 365 | Email & file storage (support comms, attachments) | Email headers/content, attachments you send | EU/US (workspace routing) | USA | SCCs + UK Addendum | Support inbox privacy@getfloa.com |
Analytics & error tracking (website/app)
Analytics tools may use cookies/SDKs. Where required, we obtain consent and apply IP masking or similar.
| Provider | Purpose | Categories of Data | Processing Location(s) | Entity Country | Transfer Mechanism | Notes |
|---|---|---|---|---|---|---|
| Google Analytics (GA4) | Product & website analytics | Pseudonymous IDs, event data, device/geo (approx.), IP (masked) | EU/US (processing) | USA | SCCs + UK Addendum | Consent-based where required; IP anonymization |
| Sentry | Error tracking | Error payloads, stack traces, limited request context | EU/US (project setting) | USA | SCCs + UK Addendum | Helps diagnose and resolve bugs |
Third parties you may interact with directly (not subprocessors)
Some third parties act as independent controllers, not our processors—for example advertising pixels (e.g., Meta, TikTok) or payment pages hosted directly by a payment provider. Their processing is governed by their own privacy policies. See our Privacy Policy and Cookies pages for details and consent controls.
Change log
We maintain a transparent history of material subprocessor changes.
- 8 Oct 2025 — Initial publication of public list; clarified AI provider training opt-out stance.
Objections & questions
- Objections (10-day window): Email privacy@getfloa.com with your Customer name, impacted feature(s), and specific data-protection grounds.
- Questions: We're happy to provide high-level security/transfer information (policy summaries, pen-test summaries) on request.
Notes & defaults
- AI model training: We do not permit third-party foundation model training on Customer Personal Data by default.
- Supplementary measures: TLS, encryption at rest, strict access controls, and transfer risk assessments are applied where appropriate.
- Regional choices: Where a regional option exists (e.g., EU hosting), we select EU/UK by default for Customer Personal Data unless operational needs or your configuration require otherwise.