Legal
Sub-processors
Last updated: January 2025
Maxxo.ai uses the following sub-processors to deliver our services. This list is maintained in accordance with our obligations under UK GDPR and our Data Processing Agreements with clients.
Infrastructure & Hosting
| Sub-processor | Purpose | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Supabase (AWS) | Database hosting, authentication, file storage | All platform data | EU (Frankfurt) | N/A (EU) |
| Vercel | Application hosting and CDN | Website traffic, application requests | Global (EU primary) | UK SCCs |
AI & Machine Learning
| Sub-processor | Purpose | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Anthropic | AI conversation processing (Claude) | Conversation content, enquiry data | USA | UK SCCs |
| OpenAI | Text embeddings for knowledge base search | Document content, conversation snippets | USA | UK SCCs |
| ElevenLabs | Voice synthesis and speech processing | Voice call audio, transcripts | USA | UK SCCs |
Communications
| Sub-processor | Purpose | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Twilio | SMS and WhatsApp messaging | Phone numbers, message content | USA | UK SCCs |
| Resend | Transactional email delivery | Email addresses, notification content | USA | UK SCCs |
Payments
| Sub-processor | Purpose | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Stripe | Payment processing and billing | Billing contact details, payment methods | USA | UK SCCs |
Data Processing Details
Anthropic (Claude AI)
What we send: Conversation messages, knowledge base context, system instructions
What we receive: AI-generated responses
Retention: No persistent storage; data processed in real-time only
Security: SOC 2 Type II certified, encrypted in transit
OpenAI
What we send: Text chunks for embedding generation
What we receive: Vector embeddings (numerical representations)
Retention: No persistent storage; API data not used for training
Security: SOC 2 Type II certified, encrypted in transit
ElevenLabs
What we send: Text for speech synthesis, call audio for transcription
What we receive: Audio files, transcripts
Retention: Temporary processing only
Security: Encrypted in transit and at rest
Twilio
What we send: Phone numbers, message content
What we receive: Delivery status, inbound messages
Retention: Message logs retained per our instructions
Security: SOC 2 Type II certified, ISO 27001
Supabase
What we store: All platform data including accounts, care homes, conversations, documents
Location: AWS eu-central-1 (Frankfurt)
Retention: As per our data retention policy
Security: SOC 2 Type II certified, encrypted at rest (AES-256)
Changes to Sub-processors
We will notify clients of any changes to this list at least 30 days before engaging a new sub-processor for processing client data. Clients may object to changes as set out in our Data Processing Agreement.
Change Log
| Date | Change |
|---|---|
| January 2025 | Initial list published |
Questions
If you have questions about our sub-processors or data processing practices, please contact us at legal@maxxo.ai.
© 2025 Maxxo.ai. All rights reserved.