Sub-Processors List

Sub-Processors Used by Clepto.io

At Clepto.io, we believe in transparency. This page lists all third-party sub-processors (service providers) we use to deliver our AI automation services.

What Are Sub-Processors?

Sub-processors are third-party companies that help us provide services to you. When you use our automation workflows, your data may be processed by these providers.

Your Control: You can choose which AI providers are used in your workflows. You are not required to use all providers listed below.

Updates

We will notify clients at least 30 days in advance before adding new sub-processors. Clients may object to new sub-processors if they have reasonable data protection concerns.

Infrastructure & Hosting

These providers support our core platform infrastructure.

Supabase

EU-based SOC 2 Type II GDPR-compliant

Service: Database hosting, backend infrastructure, authentication

Entity Location: USA (company headquartered)

Data Processing Location: European Union (EU region selected)

Data Processed:

Workflow configurations and execution data
Audit logs
User authentication data
Any client data stored in workflows

Compliance & Safeguards:

SOC 2 Type II certified
GDPR-compliant
EU-based data centers (no US transfer)
Encryption at rest (AES-256)
Encryption in transit (TLS 1.2+)
Data Processing Agreement in place

Privacy Policy: https://supabase.com/privacy

DPA: https://supabase.com/dpa

Hostinger

EU Company ISO 27001 GDPR-compliant

Service: Website and application hosting

Entity Location: Cyprus (European Union)

Data Processing Location: United Kingdom

Data Processed:

Website files and application code
Server logs and access logs
Backups

Compliance & Safeguards:

ISO 27001 certified
GDPR-compliant (EU company)
UK data centers (GDPR adequate)
Encryption in transit (TLS/SSL)
Regular security audits
Data Processing Agreement in place

Privacy Policy: https://www.hostinger.com/privacy-policy

Security: https://www.hostinger.com/security

AI Service Providers

These providers power the AI capabilities in our workflows. Your workflows only use the providers you select.

OpenAI

USA-based SCCs SOC 2

Service: AI language models (GPT-4, GPT-4o, GPT-3.5-turbo, etc.)

Entity Location: United States (California)

Data Processing Location: United States

Data Processed (if you use OpenAI models):

Text data sent to API (prompts and inputs)
Generated text outputs
API usage metadata

Compliance & Safeguards:

Standard Contractual Clauses (SCCs) for EU transfers
Enterprise Data Processing Agreement available
Business Associate Agreement (BAA) for HIPAA (enterprise)
Encryption in transit (TLS)
API data not used to train models (API terms)
30-day data retention by default (enterprise: configurable)

Privacy Policy: https://openai.com/policies/privacy-policy

DPA: https://openai.com/policies/data-processing-addendum

Note: Data sent to OpenAI is transferred to the United States. We have conducted Transfer Impact Assessments and determined risks are adequately mitigated by encryption and contractual safeguards.

Anthropic

USA-based SCCs SOC 2

Service: AI language models (Claude family: Claude Opus, Sonnet, Haiku)

Entity Location: United States (California)

Data Processing Location: United States

Data Processed (if you use Anthropic models):

Text data sent to API (prompts and inputs)
Generated text outputs
API usage metadata

Compliance & Safeguards:

Standard Contractual Clauses (SCCs) for EU transfers
Data Processing Agreement available
Encryption in transit (TLS)
Enterprise: API data not used to train models
Data retention policies (90 days default, configurable)

Privacy Policy: https://www.anthropic.com/legal/privacy

DPA: https://www.anthropic.com/legal/dpa

Note: Data sent to Anthropic is transferred to the United States. We have conducted Transfer Impact Assessments and determined risks are adequately mitigated.

Google (Gemini AI)

USA/EU ISO 27001 SOC 2/3

Service: AI language models (Gemini Pro, Gemini Flash, etc.)

Entity Location: United States (Google LLC)

Data Processing Location: United States / European Union (multi-region options available)

Data Processed (if you use Google models):

Text data sent to API (prompts and inputs)
Generated text outputs
API usage metadata

Compliance & Safeguards:

Google Cloud Data Processing Agreement
Standard Contractual Clauses (SCCs)
EU data residency options available
ISO 27001, SOC 2, SOC 3 certified
GDPR-compliant infrastructure
Encryption in transit and at rest

Privacy Policy: https://policies.google.com/privacy

Google Cloud DPA: https://cloud.google.com/terms/data-processing-addendum

Note: Google offers EU data residency options. Clients can request EU-only processing.

Mistral AI ⭐ (EU-Only Provider)

France (EU) GDPR-native No US Transfer

Service: AI language models (Mistral Large, Medium, Small, etc.)

Entity Location: France (European Union)

Data Processing Location: France (European Union)

Data Processed (if you use Mistral models):

Text data sent to API (prompts and inputs)
Generated text outputs
API usage metadata

Compliance & Safeguards:

EU-based company and infrastructure (no US transfer)
GDPR-compliant by default
Data Processing Agreement available
Encryption in transit (TLS)
No data retention for API calls (processed and discarded)

Privacy Policy: https://mistral.ai/terms/

⭐ EU-only provider - data never leaves European Union. Best choice for strict GDPR compliance.

Groq

USA-based SCCs

Service: High-speed AI inference platform (various models)

Entity Location: United States

Data Processing Location: United States

Data Processed (if you use Groq):

Text/data sent for AI inference
Inference results
API usage metadata

Compliance & Safeguards:

Standard Contractual Clauses (available)
Encryption in transit (TLS)
Data Processing Agreement available

Privacy Policy: https://groq.com/privacy-policy/

Note: Data transferred to United States. TIA conducted, risks mitigated.

Perplexity AI ⏳

USA-based Standard Contractual Clauses (SCCs)

Service: AI-powered search and research capabilities

Entity Location: United States

Data Processing Location: United States

Data Processed (if you use Perplexity features):

Search queries
Research requests
Generated answers and citations

Compliance & Safeguards:

Encryption in transit (TLS)
Data Processing Agreement (in progress)
Standard data retention policies

⚠️ STATUS: Use with caution

DPA not yet finalized with Clepto.io
Recommended only for non-sensitive queries
Contact contact@clepto.io before enabling for sensitive workflows
We will notify you when DPA is finalized

Privacy Policy: https://www.perplexity.ai/privacy

Next Steps:

We are working to finalize DPA
Expected completion: Q1 2026
Will notify all clients when available
Contact: contact@clepto.io for current status

Analytics & Website Services

Google Analytics

USA/EU ISO 27001 Consent-based

Service: Website analytics and traffic measurement

Entity Location: United States (Google LLC)

Data Processing Location: United States / European Union

Data Processed:

Website visit data (pages viewed, time on site)
Device and browser information
Approximate location (city/country level)
IP addresses (anonymized)

Compliance & Safeguards:

IP anonymization enabled
Google Analytics Data Processing Terms accepted
Data retention: 26 months
No personally identifiable information (PII) collected
Consent-based tracking (via cookie banner)

Privacy Policy: https://policies.google.com/privacy

Google Analytics Terms: https://marketingplatform.google.com/about/analytics/terms/us/

Opt-out: https://tools.google.com/dlpage/gaoptout

Note: Used only on clepto.io website, not in client workflows. Visitors can reject via cookie banner.

Change Notification Process

How We Notify You of Changes:

New Sub-Processor Added:

Notification Format:

Email to: All registered clients
Send to: Your contact email on file
Subject: "Clepto.io Sub-Processor Update - [Provider Name]"
Timeline: Minimum 30 days before the provider processes any data
Example: Email sent Jan 1 → Provider starts Jan 31 or later
Content: Full details about new provider, data processed, safeguards

Update Timeline:

Day 1: Email notification sent to all clients
Days 2-14: Review period (you can object)
Days 15-30: Remediation period (if you object, we adjust)
Day 31: Provider becomes active (unless objection ongoing)

This page updated: Immediately upon notification

Contact Questions To: contact@clepto.io

Your Right to Object:

You have 14 days from notification to object
Email objections to: privacy@clepto.io
If we cannot resolve your concerns, you may terminate affected services without penalty

Sub-Processor Changes:

Updates to existing sub-processor details (e.g., new data center location) will be reflected on this page
Material changes trigger 30-day notice

Subscribe to Updates: Email privacy@clepto.io with subject "Subscribe to Sub-Processor Updates" to receive automatic notifications.

How to Choose Sub-Processors

When building your workflow, you can:

✅ Use EU-only providers:

Supabase (EU region)
Hostinger (UK)
Mistral AI (France)
Google Gemini (with EU region option)

✅ Avoid US providers:

Select only Mistral AI for AI processing
No data transferred outside EU

✅ Minimize data sent to AI providers:

Use pseudonymization (remove names/emails before sending to AI)
Process only necessary data
We can help design privacy-protective workflows

Data Flow Transparency

Example: Newsletter Generation Workflow

Your Data → Supabase (EU) → AI Provider (Your Choice) → Generated Content → Human Review → Output
                 ↓
           Audit Logs (EU)

What gets sent where:

Stored in Supabase (EU): All workflow configurations, audit logs, your control data
Sent to AI Provider: Only the specific text you configure for AI processing (e.g., "write newsletter about topic X")
Stays with You: Final outputs, human review decisions, your business data

Security & Compliance Summary

Provider	Location	GDPR Compliant	DPA in Place	Encryption	Certification
Supabase	EU	✅ Yes	✅ Yes	✅ TLS + AES-256	SOC 2 Type II
Hostinger	UK/EU	✅ Yes	✅ Yes	✅ TLS/SSL	ISO 27001
OpenAI	USA	⚠️ SCCs	✅ Yes	✅ TLS	SOC 2
Anthropic	USA	⚠️ SCCs	✅ Yes	✅ TLS	SOC 2 (pending public)
Google	USA/EU	✅ Yes (EU option)	✅ Yes	✅ TLS + at rest	ISO 27001, SOC 2/3
Mistral AI	France (EU)	✅ Yes	✅ Yes	✅ TLS	GDPR native
Groq	USA	⚠️ SCCs	✅ Yes	✅ TLS	Standard practices
Perplexity	USA	⚠️ SCCs	⏳ Pending	✅ TLS	Standard practices
Google Analytics	USA	⚠️ Consent required	✅ Yes	✅ TLS	ISO 27001

Legend:

✅ Fully compliant
⚠️ Requires additional safeguards (SCCs, consent)
⏳ In progress

Frequently Asked Questions

Q: Do you share my data with all these providers?

A: No. Only the providers you select in your workflow will process your data. For example, if you only use Mistral AI, your data never goes to OpenAI or Anthropic.

Q: Can I use only EU-based providers?

A: Yes! You can configure workflows to use only Supabase (EU), Hostinger (UK), and Mistral AI (France). This keeps all data within Europe.

Q: What if a provider has a data breach?

A: We monitor all sub-processors for security incidents. If a breach occurs, we will notify you within 24 hours and assist with required notifications to authorities/data subjects.

Q: Can I audit these sub-processors?

A: You can request copies of our Data Processing Agreements with sub-processors (redacted for confidentiality). Most major providers also publish SOC 2 or ISO 27001 reports.

Q: How do I object to a sub-processor?

A: Email privacy@clepto.io within 14 days of our notification. We'll work with you to find alternatives or adjust your workflow.

Q: Do you add new sub-processors without telling me?

A: No. We provide 30 days' advance notice before adding any new sub-processor.

Contact & More Information

Questions about sub-processors?

Email: privacy@clepto.io
Privacy Policy: https://clepto.io/privacy.html
Cookie Policy: https://clepto.io/cookies.html
Request DPA: Contact us for a copy of our Data Processing Agreement

Address:

CLEPTO.IO SERVICES PRIVATE LIMITED
SNO.107-108, PT-B, ROSEWOOD, SFL-J-603, PIMPLE SAUDAGAR
Sangavi, Pune-411027, Maharashtra, India
CIN: U62013PN2025PTC248011

Revision History

Version	Date	Changes
1.0	November 16, 2025	Initial publication

This page is updated regularly. Bookmark this URL to stay informed about our sub-processors.

Sub-Processors List

Sub-Processors Used by Clepto.io

What Are Sub-Processors?

Updates

Infrastructure & Hosting

Supabase

Data Processed:

Compliance & Safeguards:

Hostinger

Data Processed:

Compliance & Safeguards:

AI Service Providers

OpenAI

Data Processed (if you use OpenAI models):

Compliance & Safeguards:

Anthropic

Data Processed (if you use Anthropic models):

Compliance & Safeguards:

Google (Gemini AI)

Data Processed (if you use Google models):

Compliance & Safeguards:

Mistral AI ⭐ (EU-Only Provider)

Data Processed (if you use Mistral models):

Compliance & Safeguards:

Groq

Data Processed (if you use Groq):

Compliance & Safeguards:

Perplexity AI ⏳

Data Processed (if you use Perplexity features):

Compliance & Safeguards:

Next Steps:

Analytics & Website Services

Google Analytics

Data Processed:

Compliance & Safeguards:

Change Notification Process

How We Notify You of Changes:

New Sub-Processor Added:

Your Right to Object:

Sub-Processor Changes:

How to Choose Sub-Processors

✅ Use EU-only providers:

✅ Avoid US providers:

✅ Minimize data sent to AI providers:

Data Flow Transparency

Example: Newsletter Generation Workflow

What gets sent where:

Security & Compliance Summary

Frequently Asked Questions

Q: Do you share my data with all these providers?

Q: Can I use only EU-based providers?

Q: What if a provider has a data breach?

Q: Can I audit these sub-processors?

Q: How do I object to a sub-processor?

Q: Do you add new sub-processors without telling me?

Contact & More Information

Questions about sub-processors?

Address:

Revision History

Request a Consultation

Thanks — we've got your request

Join Our Newsletter