ChatBar AI Subprocessors
Last Updated: November 2025
Our Commitment to Transparency
At ChatBar AI, we believe you have the right to know exactly who processes your data and where it’s stored. This page lists all subprocessors that handle customer account information when you use our services.
Because ChatBar AI processes only anonymous conversation data by default, our subprocessor list is significantly shorter than typical chatbot platforms. We don’t collect personal information from your end users, which means fewer third parties have access to data.
What Is a Subprocessor?
A subprocessor is a third-party service provider that processes personal data on our behalf to help us deliver ChatBar AI’s services. Under GDPR, we’re required to inform you about these subprocessors and obtain your consent (through our Data Processing Agreement) before engaging them.
Important distinction:
- Subprocessors process your personal data (customer account information, billing details)
- Infrastructure providers that process only anonymous conversation data are not subprocessors under GDPR, as anonymous data is not personal data (GDPR Recital 26)
This page lists only subprocessors that process personal data. For information about our overall infrastructure, see our Trust Centre.
Our Subprocessors
ChatBar AI engages only two subprocessors that process personal data:
Infrastructure & Hosting
| Subprocessor | Service | Location | Data Processed | Security & Compliance |
|---|---|---|---|---|
| Google Cloud Platform | Cloud infrastructure and hosting | Multi-region (EU and Asia-Pacific available) | Customer account information (names, emails, login credentials, configuration settings) | • ISO 27001, ISO 27017, ISO 27018 • SOC 2 Type II • GDPR compliant with DPA • 68% carbon-free energy (Frankfurt) • ISO 50001:2018 (energy management) • TLS 1.2/1.3 encryption in transit • AES-256 encryption at rest |
Payment Processing
| Subprocessor | Service | Location | Data Processed | Security & Compliance |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing and subscription management | United States (EU data residency available) | Customer billing information (names, email addresses, payment card details – tokenized) | • PCI DSS Level 1 Service Provider • SOC 1, SOC 2, SOC 3 Type II • ISO 27001 • GDPR compliant with DPA • EU-U.S. Data Privacy Framework certified • TLS 1.2/1.3 encryption • Tokenization (ChatBar never sees card numbers) |
Anonymous Conversation Data Infrastructure
ChatBar AI also uses dedicated server infrastructure to process anonymous conversation data. Because this data contains no personal identifiers (no names, emails, IP addresses, or other identifying information), it is not considered “personal data” under GDPR Recital 26, and these providers are not subprocessors.
Our anonymous data infrastructure spans:
- European Union (Helsinki, Strasbourg, Frankfurt)
- Asia-Pacific (Singapore)
- United States
For more information about our infrastructure security and certifications, see our Trust Centre.
AI Model Providers (Anonymous Data Only)
For transparency, we also disclose the AI model providers we use to power conversational AI. These providers process only anonymous conversation data with no personal identifiers.
| Provider | Service | Data Processed | Notes |
|---|---|---|---|
| OpenAI | Large language models (GPT series) | Anonymous conversation data only | No personal data, no customer account data, no identifiable information |
| Anthropic | Large language models (Claude series) | Anonymous conversation data only | No personal data, no customer account data, no identifiable information |
| Mistral AI | Large language models (Mistral series) | Anonymous conversation data only | EU-based provider, GDPR compliant, no personal data |
| Groq | Large language model inference | Anonymous conversation data only | High-performance inference, no personal data |
Important: Because conversation data is truly anonymous (no names, emails, IP addresses, or other identifiers), it is not considered “personal data” under GDPR Recital 26. However, we list these providers here in the interest of full transparency.
You control which AI models are used through your ChatBar AI Dashboard configuration.
What We Don’t List Here
The following services are not subprocessors because they process only ChatBar AI’s own operational or marketing data, not customer data:
- Google Analytics – Website analytics (our marketing site only)
- Google Tag Manager – Tag management (our marketing site only)
- Google Ads – Advertising (our marketing campaigns)
- LinkedIn Insight Tag – Advertising (our marketing campaigns)
- Meta Pixel – Advertising (our marketing campaigns)
- FluentCRM – Email marketing (our prospect communications)
These services are covered in our Cookie Policy and Privacy Policy.
Data Residency Options
ChatBar AI offers flexible data residency options to meet your compliance requirements:
European Union Customers
Recommended configuration:
- Customer account data: Google Cloud Platform (Frankfurt region or other EU locations)
- Anonymous conversation data: EU regions (Helsinki, Strasbourg, Frankfurt) for optimal performance
- Billing: Stripe (with EU data residency option)
Benefits:
- All personal data stays in the EU
- No international data transfers for customer accounts
- Simplified GDPR compliance
- Up to 68% carbon-free energy (Frankfurt)
Asia-Pacific Customers
Recommended configuration:
- Customer account data: Google Cloud Platform (Singapore region)
- Anonymous conversation data: Any region for optimal performance
- Billing: Stripe (with regional processing)
Benefits:
- Low latency for regional customers
- Google Cloud’s sustainability initiatives
- ISO 27001 certified infrastructure
- Singapore PDPA compliant
Global Customers
Recommended configuration:
- Customer account data: Multi-region with primary in your jurisdiction
- Anonymous conversation data: Global distribution for performance
- Billing: Stripe (global)
Benefits:
- Optimized performance worldwide
- Redundancy and disaster recovery
- Flexibility to meet diverse compliance requirements
Contact us to discuss custom data residency configurations: privacy@chatbar-ai.com
International Data Transfers
When customer account data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:
For EU Customer Data
Stripe (US):
- Standard Contractual Clauses (SCCs) – 2021 European Commission approved clauses
- EU-U.S. Data Privacy Framework certification
- EU data residency option available
- PCI DSS Level 1 security standards
Google Cloud Platform (if using non-EU regions):
- Standard Contractual Clauses (SCCs)
- Encryption in transit (TLS 1.2/1.3) and at rest (AES-256)
- Access controls and audit logging
Our recommendation: Keep EU customer account data in EU regions (Google Cloud Platform Frankfurt or other EU locations) to avoid international transfers entirely.
Subprocessor Security Requirements
All subprocessors processing customer account data are contractually required to maintain:
- Encryption: Data encrypted in transit (TLS 1.2/1.3) and at rest (AES-256 or equivalent)
- Access controls: Role-based access with multi-factor authentication
- Security monitoring: 24/7 monitoring and logging
- Incident response: Documented procedures with defined notification timelines
- Regular audits: Third-party security assessments (SOC 2, ISO 27001, or equivalent)
- GDPR compliance: Data Processing Agreements and appropriate safeguards
Subprocessor Changes
We review our subprocessor list quarterly and will notify you of any material changes at least 30 days in advance via email to your account administrator.
Material changes include:
- Adding a new subprocessor
- Changing existing subprocessors
- Removing data protection safeguards
- Significant changes to data processing locations
Minor changes (such as updating contact information or adding redundant infrastructure) will be reflected on this page within 5 business days.
How to Object to a Subprocessor Change
If you object to a new subprocessor, you have the right to:
- Notify us within 30 days of receiving the change notification
- Request alternative arrangements (we’ll work with you to find a solution)
- Terminate your agreement without penalty if we cannot accommodate your objection
To object: Email privacy@chatbar-ai.com with “Subprocessor Objection” in the subject line.
Your Rights and Controls
As a ChatBar AI customer, you have the following rights regarding subprocessors:
Right to Information
- Access to this subprocessor list (updated quarterly)
- Details about data processing locations
- Information about security certifications
- Copies of Data Processing Agreements (upon request)
Right to Audit
- Request subprocessor security certifications (SOC 2, ISO 27001 reports under NDA)
- Conduct security questionnaires
- Request evidence of compliance measures
To request: Email privacy@chatbar-ai.com with at least 30 days’ notice.
Right to Object
- Object to new subprocessors (30-day notice period)
- Request alternative data processing arrangements
- Terminate agreement if objections cannot be accommodated
Right to Data Portability
- Export your data at any time via ChatBar AI Dashboard
- Receive data in machine-readable format
- Transfer data to another service provider
Data Processing Agreement (DPA)
ChatBar AI provides a comprehensive Data Processing Agreement (DPA) that covers:
- Scope and nature of data processing
- Subprocessor authorization and notification
- Security measures and obligations
- Data subject rights support
- Breach notification procedures
- Audit rights and procedures
- Data deletion and return
Enterprise customers: Contact your account manager or email legal@chatbar-ai.com to execute a DPA.
Standard customers: Our standard Terms of Service include GDPR-compliant data processing terms.
Why Our Subprocessor List Is So Short
Most chatbot platforms have dozens of subprocessors because they collect and process extensive personal data from end users. ChatBar AI’s privacy-first architecture means we:
- Don’t collect PII from end users – No names, emails, IP addresses, or tracking data from people using your chatbot
- Process only what’s necessary – Customer account data (for you, the business customer) and anonymous conversations
- Minimize third-party access – Only two subprocessors handle personal data (Google for infrastructure, Stripe for payments)
This simplified architecture means:
- Faster deployment – Less legal review required
- Reduced compliance burden – Fewer DPAs to manage
- Lower risk – Minimal personal data exposure
- Enhanced privacy – Your users’ conversations remain truly private
Transparency and Compliance
ChatBar AI is committed to transparency in data processing:
- Public subprocessor list: Updated quarterly on this page
- Advance notice: 30 days for material changes
- Security certifications: Available upon request
- Regular audits: Annual security assessments by independent third parties
- GDPR alignment: Full compliance with EU data protection law
- Singapore PDPA compliance: Aligned with local regulations
- Singapore MAIG alignment: Ethical AI governance framework
Contact Us
For Subprocessor Questions
Email: privacy@chatbar-ai.com
Response time: 5 business days for general inquiries
For Data Processing Agreements
Email: legal@chatbar-ai.com
Response time: 10 business days for DPA requests
For Security Inquiries
Email: security@chatbar-ai.com
Response time: 24 hours for security-related questions
For Custom Data Residency
Email: enterprise@chatbar-ai.com
Response time: 3 business days for enterprise inquiries
Additional Resources
- Trust Centre: chatbar-ai.com/built-for-trust – Comprehensive security and compliance information
- Privacy Policy: chatbar-ai.com/privacy-policy – How we handle your personal data
- Cookie Policy: chatbar-ai.com/cookie-policy – Cookies on our marketing website
- Ethical AI Statement: chatbar-ai.com/ethical-ai-statement – Our AI governance practices
- Sustainability: chatbar-ai.com/sustainability – Our environmental commitment
Document Version: 2.0
Last Updated: January 2026
Next Review: April 2026
This Subprocessor List is part of our commitment to transparency and GDPR compliance. For binding contractual terms regarding data processing, please refer to your executed Data Processing Agreement or our Terms of Service.