Legal
Subprocessors
A subprocessor is a third-party service that processes data on our behalf to make GhostWhirl work. We keep this list short on purpose and update it whenever it changes — see our Privacy Policy for the full framework.
Current subprocessors
| Provider | Purpose | Data processed | Region |
|---|---|---|---|
| Amazon Web Services (AWS) | Application hosting, object storage, managed Postgres | Account data, encrypted meeting backups, application logs | United States, European Union |
| Cloudflare | CDN, DDoS protection, edge TLS termination | IP addresses, request metadata | Global edge network |
| Stripe | Payment processing for US, EU and UK customers | Email, billing address, card details (held by Stripe, never us) | United States, European Union |
| Razorpay | Payment processing for India and APAC customers | Email, billing address, payment instrument metadata | India |
| OpenAI | LLM inference for chat, reasoning and coding answers | Prompt text and conversation context (no audio, no training) | United States |
| Anthropic | LLM inference for reasoning, coding and long-context tasks | Prompt text and conversation context (no audio, no training) | United States |
| xAI | LLM inference for fast chat answers | Prompt text (no audio, no training) | United States |
| Deepgram | Speech-to-text transcription for meeting audio | Short audio windows during a live call (not retained) | United States |
| Postmark | Transactional email (account verification, receipts) | Email address, message content | United States |
| Sentry | Crash reports and error monitoring | Anonymous stack traces, app version, OS version | United States, European Union |
| Plausible Analytics | Privacy-friendly website analytics | Aggregated, anonymised page views (no IP storage) | European Union |
| GitHub | Auto-update artifact distribution and source control | Public app installer downloads only | United States |
How we vet a new subprocessor
- Signed Data Processing Agreement (DPA) with EU SCCs where applicable.
- SOC 2 Type II or ISO 27001 certification, or equivalent assurance.
- Zero-retention / no-training terms for any AI inference provider.
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Documented breach notification SLAs.
Notification of changes
We notify customers on paid plans at least 30 days before adding or replacing a subprocessor that materially affects how their data is handled. To receive these notifications, make sure your account email is current in the GhostWhirl app (Settings → Profile).
Don’t see a provider you expect? We deliberately exclude analytics or marketing tools that fingerprint visitors. If you believe a provider is missing or out of date, email privacy@ghostwhirl.com.
Need a signed DPA?
We have a standard Data Processing Agreement ready to countersign — email legal and we’ll send it within one business day.
Email legalRead the Privacy Policy