Sub-processors List
Last Updated: 2 November 2025
This page lists all third-party sub-processors used by TaskAGI to provide our services. As required by GDPR Article 28, we disclose all entities that may process customer data on our behalf. This list supplements our Privacy Policy and Data Processing Agreement.
1. What is a Sub-processor?
A sub-processor is a third-party service provider that TaskAGI engages to process personal data on our behalf. Under GDPR, we must:
Important: The 365+ third-party integrations available on TaskAGI are NOT sub-processors. When YOU use integrations (Google, Stripe, etc.) in your workflows, YOU are the Data Controller sending data to those services. We are not responsible for those third parties' data practices.
- Obtain your authorization to use sub-processors (via DPA acceptance)
- Ensure sub-processors provide sufficient data protection guarantees
- Impose the same data protection obligations on sub-processors that apply to us
- Maintain a list of authorized sub-processors
- Notify you of sub-processor changes (30 days' advance notice)
Important: The 365+ third-party integrations available on TaskAGI are NOT sub-processors. When YOU use integrations (Google, Stripe, etc.) in your workflows, YOU are the Data Controller sending data to those services. We are not responsible for those third parties' data practices.
2. Core Infrastructure Sub-processors
These sub-processors are essential to TaskAGI's operation and may process all types of customer data.
Data Transfers: DigitalOcean and Cloudflare are USA-based companies. Data transfers from EU/UK to USA are protected by Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework compliance.
| Sub-processor | Service Provided | Data Location | Data Processed |
|---|---|---|---|
| DigitalOcean LLC Privacy Policy |
Cloud hosting and infrastructure (servers, databases, file storage) | EU (Frankfurt, Germany) and USA data centers | All customer data (account info, workflows, execution logs, uploaded files) |
| Cloudflare, Inc. Privacy Policy |
CDN, DDoS protection, DNS, caching | Global network (data may pass through USA) | IP addresses, HTTP request metadata, cached content |
Data Transfers: DigitalOcean and Cloudflare are USA-based companies. Data transfers from EU/UK to USA are protected by Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework compliance.
3. Payment Processing Sub-processors
These sub-processors handle billing, payment, and subscription management.
PCI-DSS Compliance: Payment card data is processed by Stripe and PayPal (PCI-DSS Level 1 certified). TaskAGI does NOT store raw payment card numbers.
| Sub-processor | Service Provided | Data Location | Data Processed |
|---|---|---|---|
| Stripe, Inc. Privacy Policy |
Payment processing, subscription billing, invoicing | USA (primary), EU servers available | Payment card details, billing address, transaction history, customer name/email |
| PayPal Holdings, Inc. Privacy Policy |
Alternative payment processing | USA, EU (Luxembourg) | PayPal account email, transaction amounts, customer name |
PCI-DSS Compliance: Payment card data is processed by Stripe and PayPal (PCI-DSS Level 1 certified). TaskAGI does NOT store raw payment card numbers.
4. Analytics and Monitoring Sub-processors
These sub-processors help us understand usage patterns, improve performance, and monitor service health.
Cookie Consent: Analytics and advertising cookies require user consent under GDPR. See our Cookie Policy for details.
| Sub-processor | Service Provided | Data Location | Data Processed |
|---|---|---|---|
| Google LLC (Google Analytics) Privacy Policy |
Website analytics (GA4) | USA | IP addresses (anonymized), page views, user behavior, device info, cookies (see Cookie Policy) |
| Google LLC (Google Ads) Privacy Policy |
Advertising and conversion tracking | USA | Cookies, conversion events, ad interaction data |
| Crisp IM SAS Privacy Policy |
Customer support chat widget | EU (France) | Chat messages, email address, name (if provided), browsing context |
Cookie Consent: Analytics and advertising cookies require user consent under GDPR. See our Cookie Policy for details.
5. AI Model Provider Sub-processors
When you use AI models through TaskAGI, YOUR input data is sent to these third-party AI providers. These sub-processors ONLY process data when YOU explicitly use AI integrations in workflows.
Data Retention: Most AI providers delete API inputs within 30 days per their data retention policies. Check individual provider policies for details.
Training Data: OpenAI and Anthropic do NOT use API inputs to train models. Google may use data to improve services unless you opt out. See our AI Model Usage Policy.
| Sub-processor | Service Provided | Data Location | Data Processed |
|---|---|---|---|
| OpenAI, L.L.C. Privacy Policy |
AI text and image generation (GPT-4, DALL-E) | USA | Your AI prompts and inputs (NOT used for training per OpenAI API policy) |
| Anthropic PBC Privacy Policy |
AI text generation (Claude models) | USA | Your AI prompts and inputs (NOT used for training) |
| Google LLC (Vertex AI) Privacy Policy |
AI text and vision (Gemini models) | USA, EU (multi-region) | Your AI prompts and inputs |
| ElevenLabs Inc. Privacy Policy |
Text-to-speech voice generation | USA | Text inputs for voice generation |
| Replicate, Inc. Privacy Policy |
Various AI models (image, video, audio) | USA | Model inputs (images, prompts, etc.) |
Data Retention: Most AI providers delete API inputs within 30 days per their data retention policies. Check individual provider policies for details.
Training Data: OpenAI and Anthropic do NOT use API inputs to train models. Google may use data to improve services unless you opt out. See our AI Model Usage Policy.
6. Communication and Email Sub-processors
These sub-processors send transactional and marketing emails on our behalf.
| Sub-processor | Service Provided | Data Location | Data Processed |
|---|---|---|---|
| Amazon Web Services (AWS SES) Privacy Policy |
Transactional email delivery | USA, EU (Ireland) | Email addresses, email content (password resets, notifications, receipts) |
| Mailgun Technologies, Inc. Privacy Policy |
Marketing and transactional email | USA, EU (Ireland) | Email addresses, subscriber lists, email open/click data |
7. Security and Error Monitoring Sub-processors
These sub-processors help us detect and fix errors, monitor security incidents, and improve service reliability.
| Sub-processor | Service Provided | Data Location | Data Processed |
|---|---|---|---|
| Sentry Software LLC Privacy Policy |
Error tracking and performance monitoring | USA | Error logs, stack traces, user IDs (hashed), IP addresses, browser metadata |
8. Third-Party Integration Providers (NOT Sub-processors)
IMPORTANT DISTINCTION: TaskAGI offers 365+ third-party integrations (Google, Stripe, Salesforce, OpenAI, etc.). These are NOT TaskAGI sub-processors because:
Example:
Your Responsibility:
- YOU are the Data Controller when you connect integrations and send data to them
- TaskAGI acts as a data transmission conduit - we facilitate the connection but do NOT process the data on our behalf
- YOU are bound by the integration provider's own Terms of Service and Privacy Policy
- TaskAGI is NOT responsible for how third-party integrations process your data
Example:
- If you use TaskAGI to send customer emails via Mailchimp, YOU are Mailchimp's customer (Data Controller)
- Mailchimp's terms and privacy policy apply to YOUR use of their service
- TaskAGI is NOT a sub-processor of Mailchimp data in this scenario
Your Responsibility:
- Ensure you have legal basis to send data to third-party integrations
- Review each integration's privacy policy and data handling practices
- Comply with third-party Terms of Service
- See our Data Processing Agreement for details on your obligations as Data Controller
9. International Data Transfers
9.1. Transfers Outside EU/UK: Many sub-processors are based in the USA, which the EU does not consider to have "adequate" data protection. We protect these transfers using:
9.2. Data Localization Options: Enterprise customers may request EU-only data storage (additional fees apply). Contact sales@taskagi.net for details.
9.3. Schrems II Compliance: Following the Schrems II ruling, we conduct Transfer Impact Assessments (TIAs) for USA-based sub-processors to ensure SCCs provide effective protection.
- Standard Contractual Clauses (SCCs): EU-approved contract terms ensuring GDPR-level protection
- EU-US Data Privacy Framework: Some sub-processors are certified (Stripe, Google, etc.)
- UK International Data Transfer Addendum (IDTA): For UK data transfers
9.2. Data Localization Options: Enterprise customers may request EU-only data storage (additional fees apply). Contact sales@taskagi.net for details.
9.3. Schrems II Compliance: Following the Schrems II ruling, we conduct Transfer Impact Assessments (TIAs) for USA-based sub-processors to ensure SCCs provide effective protection.
10. Sub-processor Change Notifications
10.1. 30-Day Advance Notice: We will notify you at least 30 days in advance before:
10.2. Notification Method:
10.3. Your Right to Object:
10.4. Emergency Changes:
- Adding a new sub-processor
- Changing the purpose or nature of existing sub-processor usage
- Replacing a sub-processor with a different provider
10.2. Notification Method:
- Email to your registered account email address
- In-app notification banner
- Updates to this page (check the "Last Updated" date at the top)
10.3. Your Right to Object:
- You have 30 days to object to a new or changed sub-processor
- If you object, you may terminate your contract without penalty (see DPA Section 5.3)
- To object: Email privacy@taskagi.net with "Sub-processor Objection" in the subject line
10.4. Emergency Changes:
- If immediate sub-processor changes are required due to service outages, security incidents, or legal requirements, we may implement changes with shorter notice
- We will notify you as soon as reasonably practicable
11. Sub-processor Data Protection Obligations
All sub-processors are contractually required to:
- Process data only on TaskAGI's documented instructions
- Implement appropriate technical and organizational security measures (TOMs)
- Ensure confidentiality of personnel who access data
- Assist TaskAGI with data subject rights requests, DPIAs, and breach notifications
- Delete or return data upon contract termination
- Allow audits and inspections (directly or via third-party auditors)
- Notify TaskAGI of data breaches within 24 hours
- Comply with GDPR and UK DPA 2018 requirements
12. Subscribe to Updates
To receive email notifications when this sub-processor list changes:
RSS Feed: Coming soon - we plan to offer an RSS feed for automated sub-processor change monitoring.
- Ensure your account email is up to date in Account Settings
- Email privacy@taskagi.net with "Subscribe to Sub-processor Updates" to receive dedicated notifications
- Check this page periodically (bookmark it or set a calendar reminder)
RSS Feed: Coming soon - we plan to offer an RSS feed for automated sub-processor change monitoring.
13. Contact
Sub-processor Questions: privacy@taskagi.net
Object to Sub-processor: privacy@taskagi.net (Subject: "Sub-processor Objection")
Data Protection Officer (DPO): dpo@taskagi.net
Related Documents:
Object to Sub-processor: privacy@taskagi.net (Subject: "Sub-processor Objection")
Data Protection Officer (DPO): dpo@taskagi.net
Related Documents: