Sub-Processors
Last updated: 12 November 2025
This page lists third-party service providers (“sub-processors”) that Digibility Solutions Private Limited engages to help deliver, secure, and support our services. Each sub-processor processes limited personal data on our behalf under a Data Processing Agreement (DPA) with confidentiality, security, and (where applicable) Standard Contractual Clauses (SCCs).
We update this list when we add or replace a sub-processor. For material changes, we provide advance notice where legally required. To ask questions or subscribe to updates, email support@digibility.ai.
What is a sub-processor?
A sub-processor is a third party engaged by Digibility to process personal data for Digibility (e.g., hosting, email delivery, analytics). This is different from integrations you connect (e.g., Instagram, Facebook, LinkedIn, Google Business Profile), which act as independent controllers of your data once you authorize them.
Current sub-processors
| Provider | Category / Service | What they do | Types of data | Primary processing location(s) | Key safeguards |
|---|---|---|---|---|---|
| Google Cloud Platform (incl. Firebase, Cloud Storage, Cloud Run, Cloud Scheduler, Secret Manager, Operations Suite) | Cloud hosting, databases, storage, jobs, logging | Host application back-end, databases, file storage, scheduled jobs, logs/metrics | Account profile, workspace content/metadata, logs, IPs | India, EU, US (region depends on tenant & failover) | DPA, SCCs/UK Addendum, encryption at rest & in transit |
| Google Cloud CDN / Firebase Hosting | Content delivery | Fast, cached delivery of app/web assets | Request metadata, IPs | Global PoPs | DPA, TLS, minimal data |
| Cloudflare (if enabled) | CDN, edge security | DDoS protection, WAF, DNS, TLS | Request metadata, IPs | Global PoPs | DPA, SCCs, TLS; no content inspection |
| SendGrid (Twilio) | Email delivery | Transactional emails (onboarding, notices, receipts) | Name, email, template variables | US/EU | DPA, SCCs, TLS |
| WhatsApp Business Platform via Meta / Gupshup | Messaging | Onboarding and critical updates via WhatsApp (opt-in only) | Name, phone, message metadata | India, US, EU (per provider routing) | BSP DPA, encryption in transit, opt-in/STOP controls |
| Razorpay (India) | Payments | Payment processing for Indian customers | Billing contact, order IDs, last 4 digits, payment status (no full card data) | India | Merchant agreement, PCI-DSS |
| Stripe (Global) | Payments | Payment processing outside India | Billing contact, order IDs, last 4 digits, payment status (no full card data) | EU/US (per account region) | DPA, SCCs, PCI-DSS |
| Freshdesk (Freshworks) | Support desk | Ticketing, email support, help center | Contact details, ticket content | India/EU/US (per account region) | DPA, SCCs, TLS |
| Sentry | Error monitoring | Collects application errors and stack traces | Error payloads, IPs, limited request context | EU/US (per project setting) | DPA, SCCs, data scrubbing controls |
| PostHog / GA4 (consent-based analytics) | Product & site analytics | Event analytics to improve features and UX | Pseudonymous IDs, events, device/URL data | EU/US (per deployment) | DPA, SCCs, IP truncation, cookie consent gating |
| Tally | Forms | Collect wishlist/lead forms | Form fields you submit | EU | DPA, SCCs, TLS |
| Mailgun / Customer.io (if enabled) | Email campaigns | Opt-in product updates, onboarding sequences | Email, engagement metrics | EU/US | DPA, SCCs, unsubscribe controls |
| Datadog (if enabled) | Logs & monitoring | Centralized logs, metrics, alerts | Pseudonymous IDs, logs/metrics | EU/US | DPA, SCCs, TLS |
Notes:
- We minimize data sent to each provider and use the least-privilege access model.
- Some providers offer regional hosting; we select regions to align with customer tenancy and resilience.
- “If enabled” entries are used only when the feature is active in your environment and, where required, after consent.
Integrations you connect (not our sub-processors)
When you authorize connections inside Digibility, the following platforms receive data under their terms and privacy policies. You can revoke access at any time in Digibility and at the platform:
- Instagram / Facebook (Meta) — official APIs via OAuth
- LinkedIn — official APIs via OAuth
- Google Business Profile — official APIs via OAuth
- YouTube (coming soon)
These platforms are typically independent controllers of your data. Digibility does not store your social passwords; we use OAuth tokens and the scopes you approve.
How we vet and manage sub-processors
- Contracts & DPAs: Every sub-processor signs a DPA with confidentiality, security, and breach-notification terms.
- Security controls: TLS in transit, AES-256 at rest, role-based access, key management, backups, and disaster recovery.
- Privacy by design: We limit the categories and duration of data shared and enable data-minimization features (e.g., IP truncation, error-payload scrubbing).
- International transfers: Where data moves across borders, we rely on SCCs/UK Addendum or other valid transfer mechanisms.
- Reviews: We reassess vendors periodically and when services change.
Changes to this list
We may add, replace, or remove sub-processors as our service evolves. For material changes, we will post updates here and, where required, notify admins before the change takes effect. Questions or objections can be sent to support@digibility.ai. If an objection cannot be resolved, you may disable the affected feature or export/delete your data.
Contact
Privacy & data protection: support@digibility.ai
Grievance Officer (India DPDP): Amit Gupta, info@digibility.ai, #503, Tower C3, Nyati Esteban 1, Undri, Pune, MH 411060.
DPA requests (enterprise): dpo@digibility.ai
One-line summary
We use a small set of vetted providers to run Digibility. We send them only what’s necessary, secure it with contracts and encryption, and publish changes here.
