# Aither — Sub-processor Inventory **Last reviewed:** 11 May 2026 · **Owner:** Max Geurtsen · **Public; review on every change** Aither uses the following sub-processors to deliver its services. All are bound by their own DPA (signed copies on file). Any addition or replacement is announced via this page; clients have 30 days to object before the change takes effect. ## Hosting & infra | Vendor | Purpose | Region | DPA signed | Cert. | |-------------|------------------------------------------------|---------------|------------|------------------| | Vercel Inc. | Edge hosting, serverless functions | Vercel EU edge| Yes | SOC 2, ISO 27001 | | GitHub Inc. | Source code repository, Actions CI | US (encrypted)| Yes | SOC 2, ISO 27001 | | Supabase | Customer database (course progress, accounts) | EU (Frankfurt)| Yes | SOC 2 | ## AI & language | Vendor | Purpose | Region | DPA signed | Notes | |----------------------------|---------------------------------------------------|-------------------------------------|------------|----------------------------------------| | Anthropic | Claude Sonnet 4.6 — primary LLM | US (EU endpoint where available) | Yes | Zero-retention API; no training | | OpenAI | GPT-4 family — fallback / specific tasks | US | Yes | Zero-retention API tier | | ElevenLabs Inc. | Text-to-speech (Rachel voice) for chatbot replies| US | Yes | No PII transmitted; via Aither proxy | ## Email & messaging | Vendor | Purpose | Region | DPA signed | |-----------|------------------------------------------------------|-----------|------------| | Brevo | Transactional + lead routing emails | EU (FR) | Yes | | Resend | Backup transactional email | EU | Yes | ## Payments | Vendor | Purpose | Region | DPA signed | Cert. | |-----------|--------------------------------------------------------|-----------|------------|------------------| | Stripe | Course checkout, Pilot Build deposits, subscriptions | EU (IE) | Yes | PCI-DSS L1, SOC 2| | Mollie | NL-friendly fallback for iDEAL | EU (NL) | Yes | PCI-DSS L1 | ## Scheduling & meetings | Vendor | Purpose | Region | DPA signed | |-----------|--------------------------------------------------------|--------|------------| | Calendly | 15/30-minute discovery call booking | US | Yes | ## Analytics | Vendor | Purpose | Region | DPA signed | |-------------|--------------------------------------------------------------------------|--------|------------| | Vercel Analytics | Aggregate page views (no PII, IP-anonymised) | EU edge| Yes | | (No Google Analytics, no Meta Pixel, no LinkedIn ads pixel by default) | | | ## Data flows summary | Data type | Where collected | Where stored | Retention | |--------------------|-------------------------|-------------------------------------|-----------------------------| | Lead emails | Chatbot inline form | Brevo + Max's mailbox | 24 months then archived | | Course progress | User account portal | Supabase EU | Until user deletes account | | Quickscan results | Quickscan form | Brevo email + 30-day Vercel KV cache| 30 days | | Chat conversations | Chatbot | Browser localStorage only | User-controlled; not server-stored | | Voice synthesis | Chatbot voice replies | None — streamed, then discarded | n/a | ## Optional sub-processors (used only if client opts in for specific features) - **HubSpot** / **Pipedrive** / **Salesforce** — CRM integrations (in client's own account) - **Slack** — workspace notifications (client workspace, not Aither's) - **Microsoft 365 / Google Workspace** — email + calendar integrations (client's own accounts) - **Hetzner** — for clients requiring full EU-only hosting of open-weight models (Llama, Mixtral) ## Change log | Date | Change | |------------|--------------------------------------------------------------| | 2026-05-11 | v1.0 published. ElevenLabs added for voice TTS feature. |