Subprocessors
Last updated: January 9, 2026
This page lists third-party subprocessors that Floa Software Solutions Ltd ("Floa," "we," "us") engages to help deliver, secure, and support our Services. Terms used but not defined here have the meanings in our Data Processing Addendum (DPA).
How we use subprocessors (at a glance)
- General authorisation. Per our DPA, you authorise Floa to use subprocessors.
- Our responsibility. We impose data-protection obligations on subprocessors no less protective than our DPA and remain responsible for their performance.
- Notice of changes. We will update this page to reflect additions or replacements.
- Objections. You may object on reasonable, data-protection grounds within 10 days of publication by emailing privacy@getfloa.com. If unresolved, you may suspend the affected feature or terminate the impacted Services (pro-rata refund for prepaid, unused fees where applicable).
Data residency & transfers
- We aim to process and store Customer Personal Data in EU/UK regions where feasible (e.g., Azure West Europe and EU database regions).
- Where transfers outside the UK/EEA occur, we rely on EU SCCs (2021/914) and, for the UK, the UK Addendum, plus supplementary measures (e.g., TLS, encryption at rest, access controls).
Current subprocessors (core)
These providers are part of our core stack and will typically process Customer Personal Data whenever you use the platform.
| Subprocessor | Purpose | Categories of Data | Processing Location(s) | Entity Country | Transfer Mechanism | Notes |
|---|---|---|---|---|---|---|
| Microsoft Azure | Cloud hosting, compute, storage, CDN, networking (incl. Front Door/Static Web Apps) | Account data, content stored/served by the app, usage/telemetry | EU | USA | SCCs + UK Addendum (as needed) | Encryption in transit/at rest; role-based access controls |
| Azure Application Insights (Microsoft) | Monitoring, logs, performance metrics | Pseudonymous telemetry (events, timings, headers/IP (may be truncated)) | EU | USA | SCCs + UK Addendum | Used for observability and incident response |
| Azure AI Foundry (Microsoft) | AI inference (processing prompts/inputs to generate outputs via Claude and other models) | Text/files you submit for generation; output metadata | EU | USA | SCCs + UK Addendum | We opt out of provider training by default where supported |
| Google AI (Google Cloud) | AI inference (processing prompts/inputs to generate outputs) | Text/files you submit for generation; output metadata | EU/US | USA | SCCs + UK Addendum | We opt out of provider training by default where supported |
| Supabase | Managed Postgres DB, auth, storage | Account data, content you upload, metadata | EU | USA | SCCs + UK Addendum | Encryption at rest; fine-grained RLS policies |
Messaging & communications (feature-dependent)
These processors apply only if you enable outbound messaging or related features.
| Subprocessor | Purpose | Categories of Data | Processing Location(s) | Entity Country | Transfer Mechanism | Notes |
|---|---|---|---|---|---|---|
| Twilio / SendGrid | Transactional email & SMS/WhatsApp delivery | Recipient identifiers (email/phone), message content, delivery metadata | EU/US (routing dependent) | USA | SCCs + UK Addendum | Anti-abuse and deliverability tooling |
| Resend | Email sending via API | Recipient identifiers, message content, delivery metadata | EU/US (routing dependent) | USA | SCCs + UK Addendum | Edge-function integration option |
Billing & payments (feature-/plan-dependent)
Used when you purchase or manage a paid subscription.
| Subprocessor | Purpose | Categories of Data | Processing Location(s) | Entity Country | Transfer Mechanism | Notes |
|---|---|---|---|---|---|---|
| Stripe | Payment processing, subscription billing, invoicing | Billing contact, payment tokens, transaction metadata | EU/US (processor routing) | USA/UK | SCCs + UK Addendum | Card data handled by the processor; we do not store raw PANs |
| Xero | Accounting & invoicing | Invoice details, billing contact, amounts, tax IDs | EU/US (service hosting) | New Zealand | SCCs + UK Addendum | Bookkeeping and statutory records |
Customer support, CRM & marketing (context-dependent)
May process personal data you share with us for support, onboarding, or marketing site interactions.
| Subprocessor | Purpose | Categories of Data | Processing Location(s) | Entity Country | Transfer Mechanism | Notes |
|---|---|---|---|---|---|---|
| Attio | CRM, marketing emails/forms (website) | Lead/contact info, communications metadata | EU/US (service hosting) | USA | SCCs + UK Addendum | For website leads and product updates |
| Google Workspace | Email & file storage (support comms, attachments) | Email headers/content, attachments you send | EU/US (workspace routing) | USA | SCCs + UK Addendum | Support inbox privacy@getfloa.com |
| Help Scout | Customer support ticketing and help desk | Support ticket content, contact info, conversation history | EU/US (service hosting) | USA | SCCs + UK Addendum | Manages customer support requests and documentation |
Analytics & error tracking (website/app)
Analytics tools may use cookies/SDKs. Where required, we obtain consent and apply IP masking or similar.
| Provider | Purpose | Categories of Data | Processing Location(s) | Entity Country | Transfer Mechanism | Notes |
|---|---|---|---|---|---|---|
| PostHog | Product & platform analytics | Pseudonymous IDs, event data, feature usage, device/geo (approx.) | EU (EU Cloud) | USA | SCCs + UK Addendum | Product analytics and feature tracking; EU data residency available |
| Sentry | Error tracking | Error payloads, stack traces, limited request context | EU/US (project setting) | USA | SCCs + UK Addendum | Helps diagnose and resolve bugs |
Third parties you may interact with directly (not subprocessors)
Some third parties act as independent controllers, not our processors—for example advertising pixels (e.g., Meta, TikTok) or payment pages hosted directly by a payment provider. Their processing is governed by their own privacy policies. See our Privacy Policy and Cookies pages for details and consent controls.
Change log
We maintain a transparent history of material subprocessor changes.
- 9 Jan 2026 — Updated AI providers (Azure AI Foundry, Google AI); replaced Microsoft 365 with Google Workspace; added Help Scout for support; replaced Google Analytics with PostHog for platform analytics.
- 8 Oct 2025 — Initial publication of public list; clarified AI provider training opt-out stance.
Objections & questions
- Objections (10-day window): Email privacy@getfloa.com with your Customer name, impacted feature(s), and specific data-protection grounds.
- Questions: We're happy to provide high-level security/transfer information (policy summaries, pen-test summaries) on request.
Notes & defaults
- AI model training: We do not permit third-party foundation model training on Customer Personal Data by default.
- Supplementary measures: TLS, encryption at rest, strict access controls, and transfer risk assessments are applied where appropriate.
- Regional choices: Where a regional option exists (e.g., EU hosting), we select EU/UK by default for Customer Personal Data unless operational needs or your configuration require otherwise.