Sub-processors

Voice AI orchestration — agent runtime, in-browser web SDK (LiveKit-based WebRTC), tool-call webhook routing, end-of-call event delivery.

Data processed

Audio streams, call metadata, transcript fragments, agent configuration, tool-call payloads.

Location

United States; EU region available

Safeguard

Signed DPA on file (Retell AI Customer DPA, executed May 2026). EU 2021 SCCs (Module 2 / Module 3) and UK IDTA incorporated. Anthropic (Claude LLM) and Deepgram (STT) are engaged by Retell as sub-sub-processors and listed below.

Text-to-speech synthesis for AI voice output (multilingual_v2 / turbo_v2_5 voice models); voice design for assistant voices.

Data processed

Text prompts (bot response text), synthesized audio output, voice-design inputs.

Location

United States

Safeguard

Signed DPA on file. EU-US Data Privacy Framework (certified); EU 2021 SCCs and UK IDTA incorporated.

CRM, pipelines, workflows, automations, SMS and email follow-up, client portals, booking calendars, contact storage.

Data processed

Contact details (name, phone, email), booking metadata, SMS and email content, call summaries, workflow events.

Location

United States

Safeguard

Signed DPA on file. EU-US Data Privacy Framework + UK Extension + Swiss-US DPF (certified); EU 2021 SCCs and UK IDTA incorporated.

Website and API hosting — serves justidosolutions.com and the booking API.

Data processed

Request logs (IP, user agent, path, timestamps), form submissions in transit, deployment artefacts.

Location

United States; Global CDN edge

Safeguard

Signed DPA on file. EU 2021 SCCs and UK IDTA incorporated per vercel.com/legal/dpa.

Hosted Redis (key-value store) used as rate-limit infrastructure — caps how many requests a single visitor IP (or, on the subscription-billing webhook, a single CRM contact) can make to our API endpoints (audit form, voice-AI web demo token mint, voice-agent tool calls, subscription-billing webhook) within a sliding time window. Prevents bot abuse, voice-AI usage cost spikes, and duplicate subscription creation.

Data processed

Visitor IP addresses (rightmost X-Forwarded-For value) and, on the subscription-billing webhook, a CRM contact identifier; counter values keyed to those identifiers; sliding-window timestamps. No call content, no form submission bodies, no audit-trail PII.

Location

AWS multi-region (Upstash global edge)

Safeguard

Upstash Customer DPA on file (incorporated by reference into Upstash Terms of Service per § 1.1(b) of the DPA; effective from Justido’s Upstash account creation, April 2026). EU 2021 SCCs (Module Two / Module Three) incorporated. SOC 2 Type II.

Error tracking and performance monitoring across browser and server runtimes; surfaces application failures with stack traces and breadcrumbs.

Data processed

Error stack traces, browser metadata (user agent, OS), URL paths and query parameters, IP addresses, breadcrumb events.

Location

United States (us-west-1)

Safeguard

Signed DPA on file (Sentry MSA + DPA, executed May 2026). EU-US Data Privacy Framework (certified, Functional Software, Inc.); EU 2021 SCCs incorporated.

Subscription billing for Justido customer engagements — card capture, charge processing, recurring subscription management, retry-on-failure, customer self-serve billing portal, tax handling. US LLC engagements bill in USD via Stripe, LLC; DACH GmbH engagements bill in EUR via Stripe Payments Europe, Limited (SPEL).

Data processed

Customer billing details (name, business name, billing address, email), tokenised payment-method identifiers, transaction history, tax IDs where applicable. Tokenised — raw card data never touches Justido infrastructure.

Location

United States (Stripe, LLC); Ireland (Stripe Payments Europe, Limited — for EU-account engagements)

Safeguard

Signed DPA on file (Stripe DPA, last updated 18 November 2025; incorporated by reference into the Stripe Services Agreement at account creation per Art. 28(3) GDPR). EU 2021 SCCs Module 1 (C2C) + Module 2 (C2P) incorporated via Stripe Data Transfers Addendum at stripe.com/legal/dta; UK IDTA + Swiss adaptations included. EU-US Data Privacy Framework + UK Extension + Swiss-US DPF (certified, Stripe, LLC). PCI DSS Level 1 (highest certification, confirmed annually by QSA). SOC 1 + SOC 2 reports available on request.

SMS delivery, voice / phone-number provisioning, and PSTN routing within Justido-managed client CRM sub-accounts (HighLevel). Used for client workflow SMS (audit lead notifications, contact form follow-ups, client-configured automations) and for voice infrastructure of client sub-accounts. Not used for transactional email.

Data processed

Phone numbers (E.164), SMS message content, call metadata (numbers, timestamps, duration); audio routed in transit.

Location

United States (Twilio US regions; Twilio operates EU regions but Justido’s current footprint is US-routed)

Safeguard

Signed DPA on file (Twilio Data Protection Addendum, incorporated by reference into the Twilio Services Agreement at account creation). EU 2021 SCCs (Module 2 / Module 3) and UK IDTA incorporated. EU-US Data Privacy Framework (certified). ISO 27001 and SOC 2 Type II.

AI assistant over Microsoft 365 — read-only access (Outlook mail, SharePoint, OneDrive, Teams, Calendar) via Anthropic’s native Microsoft 365 connector. Lets Claude search, read and summarise Justido’s own Microsoft 365 content to support the team. No send, edit, or delete. This is Justido’s separate direct engagement of Anthropic — distinct from Anthropic’s role as a sub-sub-processor inside the Retell voice pipeline (listed below).

Data processed

Business email, calendar entries, documents and chat messages in Justido’s Microsoft 365 tenant — and any personal data they contain — read at request time to answer staff queries. Not used for model training under Anthropic’s commercial terms.

Location

United States

Safeguard

Engaged directly by Justido under Anthropic’s commercial terms (Anthropic Commercial DPA auto-incorporated; zero-retention / no-training; abuse-monitoring retention only). EU 2021 SCCs incorporated; UK IDTA where applicable; EU-US Data Privacy Framework where certified. Connector access is read-only and restricted to named administrators.

Business email, calendar, document storage and collaboration (Exchange Online, SharePoint, OneDrive, Teams) for Justido’s own operations. Hosts the Microsoft 365 environment that the Anthropic connector reads.

Data processed

Business correspondence and documents held in Justido’s Microsoft 365 tenant; may contain personal data of prospective customers, partners and Client contacts appearing in that correspondence.

Location

European Union — tenant region Germany (Microsoft EU Data Boundary)

Safeguard

Microsoft Product Terms + Data Protection Addendum on file. Data processed within the EU/EEA under Microsoft’s EU Data Boundary (tenant region Germany); EU 2021 SCCs apply to any onward or support transfers outside the EEA. ISO 27001, SOC 1/2.