Security
Subprocessors
The third-party providers Deskwise relies on to operate the Service. Each is bound by its own data-protection terms. We update this page when we add, replace, or remove a subprocessor.
Effective date: May 20, 2026 · Last updated: May 20, 2026
| Subprocessor | Purpose | Data | Location | DPA |
|---|---|---|---|---|
| Vapi | Voice AI infrastructure (real-time call orchestration) | Call audio, transcripts, phone numbers, assistant prompts | United States | DPA |
| Twilio | Telephony (PSTN inbound/outbound, SMS, number provisioning) | Phone numbers, SMS bodies, call metadata, caller IDs | United States | DPA |
| Stripe | Subscription billing + Stripe Connect Express payouts | Operator + affiliate billing metadata, transaction records, KYC. No card numbers stored by Deskwise. | United States | DPA |
| Clerk | Authentication and session management | Email, name, hashed credentials, session tokens, IP | United States | DPA |
| Supabase | Primary Postgres database hosting | All Operator and caller application data (transcripts, appointments, contacts, audit log) | United States (AWS us-east) | DPA |
| Resend | Transactional email (auth, receipts, support replies) | Recipient email addresses, message subject and body, delivery metadata | United States | DPA |
| Vercel | Application hosting, edge runtime, request routing | Request logs, IP, user agent, headers; no application data persisted at this layer | United States | DPA |
| Anthropic | Large language model (Claude) for agent reasoning and tool calls | Call transcripts and prompts at inference time. Zero-retention / no-training-on-content mode. | United States | DPA |
| OpenAI | Speech models and a fallback LLM, primarily reached through Vapi's voice pipeline (ElevenLabs / OpenAI Realtime) | Spoken audio and transcript turns at inference time. Zero-retention / no-training-on-content mode. | United States | DPA |
| Sentry | Error monitoring and performance tracing | Stack traces, user IDs, request URLs, browser metadata. PHI is scrubbed before send. | United States | DPA |
| Plausible Analytics | Cookieless, privacy-friendly product analytics for marketing pages | Aggregated page views, referrer, country. No personal identifiers, no cookies. | European Union | DPA |
Notes
- US-only service. Deskwise serves United States operators only. All Operator and caller application data is held in the United States. The one exception is Plausible Analytics (marketing-site analytics), which is EU-hosted and receives only cookieless, aggregated, non-identifying page-view data.
- LLM zero-retention. Anthropic and OpenAI are invoked in zero-retention / no-training-on-content modes where the provider supports them. Prompt and completion content is not retained by the model provider beyond the inference call and is not used to train base models.
- No card data. All card numbers are handled by Stripe (PCI DSS Level 1). Deskwise does not see, store, or process full PANs.
- HIPAA. If you handle Protected Health Information, execute a Business Associate Agreement with us at contact@vellor-systems.com before using PHI-related features. Our HIPAA tier limits the subprocessors above to those that will sign a BAA.
Changes
We may add, replace, or remove subprocessors as the Service evolves. Material changes are communicated to Operators by email at least 30 days before they take effect, where reasonably practicable.
Questions
Privacy questions and subprocessor inquiries: contact@vellor-systems.com. Related pages: Privacy Policy, Terms, Security.
Vellor Systems LLC · Cheyenne, Wyoming, USA