Subprocessors
Effective Date: April 5, 2026
Last Updated: May 24, 2026
Overview
hiroi uses the following third-party service providers ("sub-processors") to process data as part of the hiroi omni-channel AI agent platform. This list is maintained in accordance with our Data Processing Agreement.
Current Sub-Processors
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Microsoft Azure | Application hosting, database, content safety, and AI infrastructure | All application data (encrypted); Azure SQL Database; Azure AI Content Safety analysis | United States (East 2) |
| Azure Communication Services | Outbound/inbound voice calls, SMS, and email delivery | Phone numbers, call audio, call metadata, SMS content, email addresses, email content | United States |
| OpenAI | AI response generation (GPT-4o) and text embeddings | Chat messages, call transcripts, system prompts, document content for embedding | United States |
| Anthropic | AI response generation (Claude) | Chat messages, call transcripts, system prompts | United States |
| Stripe | Payment processing and subscription management | Customer ID, payment method tokens, transaction data | United States |
| Cloudflare | CDN, DNS, DDoS protection, WAF | Network traffic metadata, IP addresses | Global (edge network) |
Sub-Processor Details
Microsoft Azure
- Service: Azure Container Apps for application hosting; Azure SQL Database for persistent storage; Azure AI Content Safety for per-message content moderation
- Data processed: All application data is hosted on Azure infrastructure. Azure SQL stores all persistent data, including user accounts, contact records, AI agent configurations, call transcripts, SMS message logs, email campaign data, conversation history, consent records, and opt-out records. Azure AI Content Safety analyzes chat messages for harmful content before AI processing. Application secrets are stored in Azure Container Apps environment secrets.
- Data retention by sub-processor: Application data retained per our retention schedule.
- Security: SOC 2 Type II, ISO 27001, FedRAMP, HIPAA eligible, EU-US Data Privacy Framework participant
Azure Communication Services (ACS)
- Service: Outbound and inbound AI phone calls; outbound and inbound SMS; email delivery
- Data processed: Phone numbers provisioned through ACS; call audio and call metadata (duration, caller ID, outcome); SMS message content (outbound and inbound); email addresses and email content.
- Regulatory coverage: ACS provides carrier-grade telephony subject to FCC regulations. A2P 10DLC registration for US SMS is managed through ACS.
- Data retention by sub-processor: Subject to Microsoft's communications data retention terms. Call recordings are returned to hiroi infrastructure; ACS does not independently retain call recordings.
- Security: SOC 2 Type II, ISO 27001, FedRAMP, HIPAA eligible
OpenAI
- Service: OpenAI API for AI response generation (GPT-4o); text-embedding-3-small for document and query embeddings (RAG)
- Data processed: Conversation messages, call transcripts, system prompts, and knowledge base content are sent to OpenAI's API. Document content is sent for embedding during RAG indexing and query.
- Data retention by sub-processor: API data not used for training; retained up to 30 days for abuse monitoring by default under zero data retention configurations.
- Security: SOC 2 Type II certified
Anthropic
- Service: Claude API for AI response generation
- Data processed: Conversation messages, call transcripts, and configured system prompts are sent to Anthropic's API. Knowledge base content may be included as context.
- Data retention by sub-processor: API inputs/outputs not used for model training. Retained up to 7 days by default for safety monitoring.
- Security: SOC 2 Type II certified
Stripe
- Service: Payment processing, subscription management, and invoicing
- Data processed: Payment method tokens, customer identifiers, transaction metadata, and credit balance events. hiroi does not handle or store raw payment card data.
- Data retention by sub-processor: Subject to Stripe's data processing agreement and PCI-DSS requirements.
- Security: PCI-DSS Level 1, SOC 2 Type II certified
Cloudflare
- Service: CDN, DNS resolution, DDoS protection, Web Application Firewall (WAF)
- Data processed: Network traffic metadata (IP addresses, request headers, URLs) for routing, security, and performance. Cloudflare does not have access to encrypted application data or communication content.
- Data retention by sub-processor: Network logs retained short-term per Cloudflare's data processing terms.
- Security: SOC 2 Type II, ISO 27001, EU-US Data Privacy Framework participant
Data Retention by Sub-Processor
| Sub-Processor | Data Retention | Reference |
|---|---|---|
| Microsoft Azure | Per our retention schedule; encrypted backups per Microsoft terms | Microsoft Privacy Statement |
| ACS | Call audio returned to hiroi; ACS retains metadata per Microsoft terms | Microsoft Privacy Statement |
| OpenAI | API data not used for training; retained up to 30 days for abuse monitoring | OpenAI API Data Usage Policy |
| Anthropic | API inputs/outputs not used for training; retained up to 7 days for safety monitoring | Anthropic Privacy Policy |
| Stripe | Per PCI-DSS and regulatory requirements | Stripe Privacy Policy |
| Cloudflare | Network logs retained short-term | Cloudflare Privacy Policy |
Changes to Sub-Processors
In accordance with our Data Processing Agreement:
- We notify customers at least 30 days before engaging a new sub-processor
- Notifications are sent via email to the account owner's registered email address and posted to this page
- Customers may object to new sub-processors within 14 days of notification
- This page is updated when sub-processor changes take effect
Subscribe to Updates
To receive notifications about sub-processor changes, ensure your account email is up to date in your account settings.
Contact
For questions about our sub-processors:
hiroi - Privacy
Email: privacy@hiroi.ai