random-assistant.com/Legal

Sub-Processors

The third parties that touch your data, what for, and where.

Last updated 27 May 2026

Change notice. We notify customers 15 days before adding or changing a sub-processor. See DPA §5 for the objection process.
Vendor Purpose Data categories Region Certifications
Anthropic Ireland Limited LLM inference for chat, drafts, briefs, and meeting prep. Prompt and response content. Never customer credentials. EU. Enterprise tier under zero-retention terms. SOC 2 Type II.
OpenRouter LLM routing for cheap-tier tasks (classification, extraction). Prompt and response content. Never customer credentials. EU egress. Zero retention enabled. None
Hostinger International Limited Cloud infrastructure hosting (compute and database) and transactional email via SMTP (signup verification, early-access notifications, system alerts). All customer data, including recipient email and email body. EU (Frankfurt). ISO 27001.
Stripe Payments Europe Payment processing on the operator side only. Billing email, company name, tax ID, tokenised payment method. EU. PCI DSS Level 1.
Google LLC OAuth provider when you connect Gmail, Google Calendar, or Google Tasks. Only the scopes you explicitly authorise. US, with EU Standard Contractual Clauses. ISO 27001, ISO 27017, ISO 27018, SOC 2.

Each integration request follows data minimisation: we ask only for the OAuth scopes we use. You can read the scope list in your provider's authorisation prompt before clicking Allow, and you can revoke access from the provider's own security settings at any time.