Public Subprocessors

Effective date: 11/16/2025
Last updated: 11/16/2025
Controller contact: support@symphoraautomation.com

Overview KYLER HURD LLC, DBA Symphora Automation (“Symphora”, “we”, “us”, or “Company”) uses third‑party service providers (“Subprocessors”) to help deliver our Services. Subprocessors process personal data on our behalf to provide functionality such as AI/LLM processing, messaging and telephony, CRM and workflow automation, integrations, payment processing, and hosting. This page lists current subprocessors, their purpose, categories of personal data they may process, and where they typically process data.

How we choose subprocessors We evaluate subprocessors for security, privacy, and regulatory compliance. We require subprocessors to enter into contractual commitments that include data protection obligations consistent with our Data Processing Addendum (DPA). We also seek industry standard security attestations (SOC 2, ISO 27001) where available.

Your choices and rights

  • You may object to a new subprocessor within 10 days days of our notice if you have a documented, reasonable basis related to legal restrictions on transfer or processing. To object, email support@symphoraautomation.com with the subject line “Subprocessor Objection — [Vendor Name]”.

  • If you object and we cannot reasonably accommodate your objection, the parties will work in good faith to find an alternative solution; if none is possible, you may terminate the applicable SOW for convenience with pro‑rated refund of pre‑paid fees.

    Current Subprocessors Note: The list below names subprocessors and describes typical categories of data processed. Where vendors operate global infrastructures, data may be processed in multiple jurisdictions including the United States and other countries. For vendor privacy/security documentation, click the vendor name.

    OpenAI

  • Purpose: AI model inference and language model services used to generate messages, perform intent detection, summarize content, and assist with appointment scheduling.

  • Data categories: message content (prompts/responses), minimal PII included in messages (names, phone numbers, appointment details), metadata (timestamps, request IDs).

  • Typical locations: United States (may route through other locations per vendor infrastructure).

  • Security & docs: Privacy policy | OpenAI

    Notes: We use OpenAI’s data handling controls where available to minimize vendor training on customer data. Avoid sending unnecessary PII in prompts.

    Twilio

  • Purpose: SMS delivery, voice calls, phone number provisioning, call/webhook routing, delivery status callbacks.

  • Data categories: phone numbers, message content, delivery receipts, call metadata (timestamps, duration), webhook payloads.

  • Typical locations: United States and global carrier networks.

  • Security & docs: Twilio Data Privacy 

  • Notes: We rely on Twilio for STOP/START handling and advise clients to preserve opt‑in records.

    GoHighLevel

  • Purpose: CRM, lead management, appointment scheduling integration, contact data storage, campaign workflows.

  • Data categories: contact names, phone numbers, emails, CRM notes, appointment records, tags.

  • Typical locations: United States.

  • Security & docs: Privacy Policy | HighLevel 

    Zapier

  • Purpose: Integration and automation between Symphora systems and third‑party apps (e.g., CRM, email, spreadsheets).

  • Data categories: contact and CRM data, message metadata, appointment IDs, webhook payloads.

  • Typical locations: United States.

  • Security & docs: Data Privacy Overview | Zapier 

    Stripe (including Stripe Connect where used)

  • Purpose: Payment processing, invoicing, settlement reporting, and commission routing.

  • Data categories: transaction amounts, settlement records, last four digits of payment methods, customer billing information, payout data. Note: Symphora does not store full card numbers; Stripe tokenizes card data.

  • Typical locations: United States and global data centers.

  • Security & docs: Privacy Policy 

  • Notes: If Stripe Connect is used to enable payouts or routing, we will note that in the applicable SOW and obtain necessary agreements.

    Google Voice

  • Purpose: Telephony routing and voice calling capabilities (where used).

  • Data categories: phone numbers, call metadata, call recordings (if enabled).

  • Typical locations: United States.

  • Security & docs: Google Voice Privacy Disclosure 

  • Notes: Clients and end‑users must be notified of call recording where required by law.

    Google Cloud

  • Purpose: Backend infrastructure, data storage, analytics, and security monitoring.

  • Data categories: stored files, encrypted message data, metadata, analytics logs, and system performance data.

  • Typical locations: United States, with optional global replication depending on service region.

  • Security and docs: Google Cloud Privacy

    Notes: Google Cloud provides secure infrastructure for storage and internal systems that support automation reliability.

    Vercel

  • Purpose: Hosting, serverless execution, deployment, logging, and performance optimization.

  • Data categories: IP addresses, request data, server logs, metadata related to automated workflows.

  • Typical locations: United States and global edge network regions.

  • Security and docs: Vercel Data Privacy

    Notes: Vercel is used to run backend functions and serve automation endpoints for fast and reliable performance.

    Squarespace

  • Purpose: Website hosting, content delivery, form submissions, and site level analytics.

  • Data categories: visitor information, form data entered on the website, IP addresses, device information, and usage analytics.

  • Typical locations: United States with global content delivery routing.

  • Security and docs: Squarespace Privacy

    Notes: Squarespace hosts the main website and handles public site interactions including user initiated form submissions.

Other subprocessors (examples / category placeholders)

  • Analytics & monitoring: [FILL IN: e.g., Google Analytics / PostHog / Sentry — Name and Link] — Purpose: Usage analytics, error tracking; Data categories: IP addresses, device info, usage logs.

  • Email delivery: [FILL IN: e.g., SendGrid / Mailgun — Name and Link] — Purpose: transactional emails; Data categories: email addresses, message content, delivery receipts.

  • Call transcription/voice AI: [FILL IN: e.g., Google Speech‑to‑Text / Rev / ElevenLabs — Name and Link] — Purpose: transcribe calls; Data categories: call recordings, transcripts.

  • Identity & auth: [FILL IN: e.g., Auth0 / Firebase Auth] — Purpose: authentication; Data categories: account identifiers, login metadata.

How we protect your data We require subprocessors to sign contracts with data protection obligations consistent with our DPA. Subprocessors are only authorized to process data as necessary to provide their services and must implement appropriate security measures (encryption in transit, access controls, breach notification). We periodically review subprocessors for compliance and maintain records of their security attestations where available.

Changes to this list: We may add or remove subprocessors as our business needs evolve. We will provide notice of new subprocessors as required by our agreements and permit you to object as described above. This page is updated on the “Last updated” date above; please check it regularly.

Questions and contact: For questions or to object to a subprocessor, contact: support@symphoraautomation.com.