Sub-processor Register
Last updated: April 2026
⚠️ Operational register — legal verification required
This document is an operational register and does not constitute legal advice. Items marked "Verification pending" require confirmation before use in customer-facing documents.
The register below provides operational information about third-party vendors processing personal data within the CallWise service. The Customer (Controller) grants general consent to use these sub-processors by accepting the Data Processing Agreement (DPA).
We provide at least 14 days notice of planned changes to this register. Contact: hello@awesomeworks.ai
Master Register
| Vendor | Role | Location | Transfer mechanism | Privacy policy | Verification status |
|---|---|---|---|---|---|
| Twilio | VoIP telephony, call routing, recording, CDR | USA / global | DPF / SCC (to verify) | twilio.com/legal | Verification pending |
| OpenAI | LLM analysis, summaries, prompts, optional embeddings | USA | DPF / SCC (to verify) | openai.com/policies | Verification pending |
| AssemblyAI | ASR transcription / speech-to-text, speaker diarization | USA | DPF / SCC (to verify) | assemblyai.com/legal | Verification pending |
| Hetzner Cloud | Infrastructure hosting — servers, object storage, databases | Germany (DE/EU) | n/a (data in EEA) | hetzner.com/legal | EEA ✓ |
| Resend | Transactional email delivery (account verification, password reset, team invites) | USA | SCC (to verify) | resend.com/privacy | Verification pending |
Note — AssemblyAI Usage Data carveout
§13 AssemblyAI DPA — Usage Data
AssemblyAI's DPA includes a carveout for "Usage Data" — data collected to maintain, improve and secure the service (system logs, performance metrics, diagnostic data). This data may be processed by AssemblyAI for its own operational purposes independently of customer instructions.
Implication: Before including AssemblyAI in a customer DPA, verify the current scope of "Usage Data" in AssemblyAI's documentation and assess whether it is acceptable for that customer and their DPIA.
Data scope per vendor
Twilio
- phone numbers (call parties),
- call metadata (time, duration, direction, status),
- audio recordings of telephone calls,
- webhook payloads (call events).
AssemblyAI
- audio files submitted for transcription,
- call content fragments,
- transcription timestamps and metadata,
- speaker diarization data.
OpenAI
- transcript fragments (analysis context),
- system and user prompts,
- analysis and summary outputs,
- optional semantic embeddings.
Note: OpenAI API (unlike ChatGPT) does not use API data to train models by default. Verify current terms in the OpenAI Enterprise documentation.
Hetzner Cloud
- all data stored in CallWise infrastructure (databases, object storage),
- data at rest is encrypted.
✓ Infrastructure in Germany — data remains in the EEA.
Resend
- recipient email addresses,
- transactional email content (e.g. verification links, team invitations).
Scope is conditional — applies only where transactional emails may contain personal data of end customers.
What still requires verification
- • Exact legal entity per vendor (which company signs the DPA),
- • DPA acceptance status and availability of the appropriate SCC module (processor → sub-processor),
- • EU-US Data Privacy Framework status for specific vendors at the date of review,
- • Vendor-side data retention and deletion guarantees,
- • Further sub-processors used by each vendor,
- • Contractual vs. marketing-level data residency claims.
Register maintenance rules
- Do not mark any transfer mechanism as confirmed without a dated evidence source.
- Do not copy marketing claims from vendor websites as legal facts.
- Track the exact legal entity and plan/tier used by CallWise per vendor.
- If vendor usage is feature-dependent, state this explicitly.
- When vendor scope changes, update this register, the vendor profile and customer-facing materials.
Contact
For sub-processor and data transfer enquiries, please contact:
hello@awesomeworks.ai