SUBPROCESSORS

Public subprocessor list

To deliver XELIA we rely on specialized providers (telephony, AI, payments, hosting). This page lists each one, what data they access, and where they are hosted geographically. If we change the list, we update this page and notify customers with a signed DPA.

Last updated: May 6, 2026.

Subprocessors with data access

Each of the following providers processes data on your organization's behalf in the course of providing the service. All have an in-force DPA or equivalent with XELIA and operate under standard contractual clauses (SCC) where applicable for international transfers.

Provider
Purpose
Region
Data accessed
Provider
Hetzner Online GmbH
Purpose
Compute hosting (single production VPS)
Region
Germany (Falkenstein) / USA (Ashburn)
Data accessed
Data at rest + in transit on dedicated VPS
Provider
Cloudflare, Inc.
Purpose
CDN, WAF, DDoS, edge TLS 1.3
Region
Global (anycast network)
Data accessed
HTTP traffic in transit; no persistent storage
Provider
Telnyx LLC
Purpose
Telephony (MX/LATAM numbers, voice, SIP)
Region
USA
Data accessed
Call metadata and media originated by the tenant
Provider
Twilio, Inc.
Purpose
Legacy telephony (migrating to Telnyx) and historical WhatsApp bridge
Region
USA
Data accessed
Legacy call metadata and media
Provider
Stripe, Inc.
Purpose
Payment and subscription processing
Region
USA (PCI DSS Level 1)
Data accessed
Tokenized card data; XELIA never sees PAN
Provider
Anthropic, PBC
Purpose
LLM (Claude) for Chat Command Center reasoning
Region
USA
Data accessed
Prompt text; not used for training (zero-retention enterprise)
Provider
OpenAI, L.L.C.
Purpose
LLM (GPT-4o) and Realtime API (voice fallback)
Region
USA
Data accessed
Prompt text and audio; training opt-out configured
Provider
Deepgram, Inc.
Purpose
STT/TTS for real-time voice (Aura/Nova)
Region
USA
Data accessed
Call audio in transit
Provider
Meta Platforms, Inc.
Purpose
WhatsApp Business Platform (message send/receive)
Region
USA / Ireland
Data accessed
WhatsApp message metadata and content
Provider
Amazon Web Services, Inc.
Purpose
AWS SES — transactional email
Region
USA
Data accessed
Transactional email headers and bodies in transit
Provider
Google LLC
Purpose
Google Calendar API (OAuth) and Google Indexing API
Region
USA
Data accessed
Calendar metadata only when the user authorizes OAuth
Provider
Composio Inc.
Purpose
Third-party integration bridge (Gmail, etc.)
Region
USA
Data accessed
OAuth tokens managed by the tenant

Self-hosted components

The following components run inside XELIA's production infrastructure. They do not transmit data to third parties; they are listed here for technical transparency.

Component
Better Auth
Purpose
User authentication
Detail
Self-hosted in our infrastructure — credentials never leave our servers
Component
LiteLLM
Purpose
Unified LLM proxy and cost observability
Detail
Self-hosted in Docker on the production server
Component
PostgreSQL 16 + pgvector
Purpose
Relational database + vector search
Detail
Bare-metal on the XELIA production server
Component
Redis
Purpose
Cache and queues (BullMQ)
Detail
Self-hosted in Docker

Changes to the subprocessor list

Before onboarding any new subprocessor with access to customer personal data, we evaluate their security posture and sign a DPA or equivalent clauses. For customers with a signed DPA with XELIA, we notify any change with at least 30 days' notice to the registered Data Protection Officer email.

To subscribe to change notifications or request the DPA, write to dpo@xelia.ai.

Related references