Sub-Processors
This document lists the third-party services ("sub-processors") that may receive, process, or store end-user personal data — including WhatsApp message content, phone numbers, contact profile fields, location data, and media — as part of operating the Turn platform.
It is intended to support data-protection and privacy obligations under any applicable regime.
A sub-processor appears here if end-user data — or end-user-derived data such as error diagnostics containing message context, or request payloads terminated at the edge — can reach a service operated outside our own infrastructure.
Where a vendor offers a choice of region, the Processing location column describes the residency options available rather than a single fixed location. The Safeguards & certifications column links to each vendor's public trust or compliance page for reference.
How this page is organised
Two top-level sections, split by who holds the vendor relationship:
- Sub-processors managed by Turn. Turn holds the vendor account and contract, enters into a DPA with the vendor, lists the vendor on Turn's customer-facing sub-processor list, and Turn is the entity that needs to obtain end-user consent (or another lawful basis under GDPR Art. 6) for the routing of personal data through these vendors, via Turn's customer-facing terms and privacy notice.
- Sub-processors managed by customers (BYO). The customer supplies the credentials, dataset, or destination themselves; Turn only writes to / reads from whatever the customer points it at. The customer signs the DPA directly with the vendor and the customer is responsible for obtaining end-user consent (or another lawful basis) for routing personal data through that vendor. These do not appear on Turn's customer-facing sub-processor list — they are documented here for transparency and so it is clear which product surface drives the data flow.
Column conventions
- Processing location. Where the vendor processes and stores data, and what data-residency options it offers. For customer-configured (BYO) vendors this is determined by the endpoint or destination the customer points Turn at.
- Safeguards & certifications. The vendor's security certifications and transfer safeguards, with a link to the vendor's public trust or compliance page for reference.
- Required column.
Yesmeans the sub-processor is engaged for every customer in the scope of this section (for Turn-managed vendors, every customer of Turn; for BYO vendors, every customer who has turned the feature on).Nomeans the sub-processor is only engaged when an additional feature, credential or integration is configured on top. - Purpose column. Names the vendor-side role and the Turn-side feature(s) it powers, so it is clear which product surface stops working if the vendor is removed.
Out of scope
Self-hosted infrastructure that runs on our own clusters (databases, caches, search indexes, and internal monitoring and observability tooling) is not listed as a sub-processor — only the managed/cloud variants and external SaaS endpoints are.
Sub-processors managed by Turn
These are the vendors Turn contracts with directly. It is Turn's practice, everywhere possible, to enter into a data processing agreement (DPA) with the vendor. Adding, removing, or materially changing a vendor in this section is a notifiable event under our customer DPA.
Messaging carrier
| Service | Provider | Data processed | Purpose | Processing location | Safeguards & certifications | Required |
|---|---|---|---|---|---|---|
| WhatsApp Business / Cloud API | Meta Platforms, Inc. | All inbound and outbound messages, media, service phone numbers, WhatsApp profile names, WhatsApp IDs, delivery/read receipts | Send and receive WhatsApp messages — the core conversational inbox, every journey send/receive step, and all message-template delivery | Default processing in Meta data centres (US), encrypted at rest. EU at-rest residency available via Cloud API Local Storage; messages are still decrypted and processed through Meta infrastructure in transit/in use. Transfers under Meta Hosting Terms + the WhatsApp Business Data Transfer Addendum | ISO/IEC 27001; SOC 2 Type II; SOC 3; GDPR/LGPD — Meta compliance center | Yes |
| Meta Graph API | Meta Platforms, Inc. | WhatsApp Business Account metadata, phone-number provisioning data | WABA management and embedded signup — the number-onboarding flow and WABA configuration screens in the operator console | Same as above (Meta data centres, US; EU at-rest via Local Storage) | ISO/IEC 27001; SOC 2 Type II; SOC 3; GDPR/LGPD — Meta compliance center | Yes |
| Sudonum | Sudonum (Pty) Ltd | Metadata for the service phone numbers Turn provisions to its customers (the numbers those customers operate on) — not end-user contact phone numbers. Sudonum holds only this service-number metadata and provisioning data | Service phone-number provisioning for select regions — supplies the service/business numbers offered to Turn's customers during the number-onboarding flow when the requested region is served by Sudonum | South Africa–based (Stellenbosch); cross-border transfers made only under contractual safeguards per its privacy policy | States compliance with POPIA and GDPR and the use of appropriate technical and organisational security measures — Sudonum privacy policy | Yes |
AI / ML providers
The only AI vendor that Turn itself contracts with is Modal Labs, which hosts Turn's own fine-tuned MedGemma endpoint. Every other AI vendor available in the platform (OpenAI, Anthropic, Google Gemini, DeepInfra, customer-supplied Chat-Completions endpoints) is bring-your-own — see Customer-configured AI / ML providers.
| Service | Provider | Data processed | Purpose | Processing location | Safeguards & certifications | Required |
|---|---|---|---|---|---|---|
| Modal Labs (Turn-hosted MedGemma) | Modal Labs, Inc. | Message text, conversation history | Hosting for Turn's fine-tuned MedGemma endpoint — a limited, opt-in trial for select customers, gated behind a feature flag; not a standard offering. Provided by Turn with no customer credential | Runs on public cloud; per-workload region selection available (e.g. pinning to EU data centres) on Team/Enterprise plans. No account-wide EU-only guarantee | SOC 2 Type II; HIPAA (BAA, Enterprise); PCI via Stripe. No ISO 27001 published — Modal trust center | No |
Error tracking and observability
Frontend (browser) exceptions are additionally captured by PostHog — see Product analytics.
| Service | Provider | Data processed | Purpose | Processing location | Safeguards & certifications | Required |
|---|---|---|---|---|---|---|
| Sentry (backend + browser) | Functional Software, Inc. | Exception stack traces and breadcrumbs; personal data (message snippets, contact IDs, identifiers in URLs) is scrubbed before events are sent to Sentry | Error tracking — backend (Turn API, journeys engine, workers) and the operator web app | US data region (hosted on Google Cloud). Personal data is scrubbed from events before they leave Turn's infrastructure | ISO/IEC 27001; SOC 2 Type II; HIPAA attestation; EU-US/UK/Swiss Data Privacy Framework; GDPR DPA — Sentry trust center | Yes |
Product analytics
| Service | Provider | Data processed | Purpose | Processing location | Safeguards & certifications | Required |
|---|---|---|---|---|---|---|
| PostHog | PostHog Inc. | Operator (organisation user) interactions in the web app and frontend exception events (error stack traces); not WhatsApp end-user content | Product analytics for the operator console — feature adoption, funnels, and session-level usage in the Turn web app — plus frontend error tracking (browser exception events) | Customer-selected region: PostHog Cloud EU (AWS Frankfurt / eu-central-1) or PostHog Cloud US (AWS US region), fully independent instances | SOC 2 Type II; HIPAA (BAA); GDPR; CCPA; annual penetration test. ISO 27001 not published — PostHog trust center | Yes |
Cloud storage and infrastructure
Turn runs on either Amazon Web Services or Google Cloud Platform. Each customer environment is provisioned on one of the two, and the application provisioned is identical on both — the same workloads, the same data, and the same purpose. The clouds differ only in the underlying primitives they provide: for example object storage is Amazon S3 on AWS and Cloud Storage on GCP, and each cloud has its own database, cache, secret- and key-management services. The two rows below therefore share the same data categories and purpose, and differ only in the service names, region options, and certifications.
Two GCP-specific notes: a shared tooling and control-plane project on GCP (including Secret Manager) is engaged for every environment regardless of the cluster's cloud, so Google is a sub-processor even for AWS-hosted environments; and the Lua-app Google integrations (Sheets, Vision, Healthcare) are only engaged when a customer installs a Lua app that uses them.
| Service | Provider | Data processed | Purpose | Processing location | Safeguards & certifications | Required |
|---|---|---|---|---|---|---|
| Amazon Web Services (EKS, S3, RDS PostgreSQL, ElastiCache Redis, KMS, CloudWatch/CloudTrail, VPC networking, Backup) | Amazon Web Services, Inc. | All workload traffic, encrypted-at-rest data (database, cache, object storage), logs and metrics for Turn workloads; inbound/outbound WhatsApp media (images, audio, documents) and bulk exports held in object storage | Underlying compute, networking, database, cache, secret/key management and object storage for every Turn workload — the conversational inbox, journeys engine, REST API, workers, and the media attachments and exports those workloads read and write | Global, with EU regions including Europe (Belgium, eu-west-1) and the AWS European Sovereign Cloud (Germany, GA Jan 2026). Region selected per deployment | ISO/IEC 27001, 27017, 27018, 27701; SOC 1/2/3; PCI DSS Level 1; HIPAA-eligible; FedRAMP; German C5; EU-US Data Privacy Framework; GDPR (DPA + SCCs) — AWS compliance programs | AWS-hosted environments only |
| Google Cloud Platform (GKE, Cloud Storage, Cloud SQL PostgreSQL, Memorystore Redis, Secret Manager, Cloud Logging/Monitoring, VPC/Cloud NAT, Sheets/Vision/Healthcare APIs) | Google LLC | All workload traffic, encrypted-at-rest data (database, cache, object storage), logs and metrics for Turn workloads; inbound/outbound WhatsApp media (images, audio, documents) and bulk exports held in object storage | Underlying compute, networking, database, cache, secret/key management and object storage for every Turn workload — the conversational inbox, journeys engine, REST API, workers, and the media attachments and exports those workloads read and write | Configurable per region; europe-west1 is St. Ghislain, Belgium, with five EU regions available and Assured Workloads for EU data-residency enforcement | ISO/IEC 27001:2022, 27017, 27018, 27701; SOC 1/2/3; PCI DSS; FedRAMP; HIPAA; EU-US/Swiss DPF + UK extension; GDPR (Cloud DPA + SCCs) — Google Cloud trust center | Yes |
Email, push, and operational notifications
| Service | Provider | Data processed | Purpose | Processing location | Safeguards & certifications | Required |
|---|---|---|---|---|---|---|
| Mandrill | Mailchimp / Intuit | Recipient email address and message contents — Turn customer (operator) email addresses only, never end-user contacts | Transactional email delivery to Turn's customers — operator invites, password resets, and billing emails | US data centres. No EU-only residency for Mandrill; EU-to-US transfers under SCCs / Data Privacy Framework | SOC 2 Type II; ISO/IEC 27001; PCI; GDPR (Data Privacy Framework + SCCs) — Mailchimp security | Yes |
| Firebase Cloud Messaging | Google LLC | Browser push subscription endpoints and encrypted notification payloads (Web Push payload encryption — the relay cannot read notification content) | Vendor-operated push relay for operator browser push notifications — new-message and handover alerts in the web app on Chrome-family browsers | Global Google infrastructure; no configurable residency for FCM. Transfers under SCCs + Data Privacy Framework | ISO/IEC 27001; SOC 1; SOC 2; GDPR; EU-US/Swiss DPF + UK extension (FCM scope — note 27017/27018 apply to other Firebase services, not FCM) — Firebase privacy | Yes |
| Apple APNs / Mozilla autopush (web-push relays) | Apple Inc., Mozilla Foundation | Push subscription endpoints and encrypted notification payloads (Web Push payload encryption — the relay cannot read notification content) | Vendor-operated push relays for operator browser push notifications — same role as Firebase Cloud Messaging above; which relay is engaged is determined by the operator's browser (Safari → APNs, Firefox → autopush) | Global Apple / Mozilla-hosted infrastructure; no EU residency documented. Desktop Firefox push runs on Mozilla's own autopush infrastructure (FCM/APNs bridging applies only to mobile Firefox) | Apple APNs: ISO/IEC 27001 and 27018 (APNs in scope); no SOC 2 — Apple certifications. Mozilla: no formal certifications; GDPR-aligned — Mozilla privacy | Yes |
| Slack (incoming webhooks + Bot API) | Slack Technologies, LLC | Internal operational alerts; may include organisation/contact identifiers in handover or alert messages | Platform-internal alerting, plus the operator handover block in journeys (destination workspace customer-supplied; API client and DPA with Slack are Turn's) | Data Residency available for defined regions including the EU (encrypted data at rest). Transfers under DPA + SCCs | ISO/IEC 27001:2022, 27017, 27018, 27701, 42001; SOC 2 Type II; SOC 3; FedRAMP Moderate; HIPAA; GDPR; CCPA; CSA STAR — Slack compliance | Yes |
Billing
| Service | Provider | Data processed | Purpose | Processing location | Safeguards & certifications | Required |
|---|---|---|---|---|---|---|
| Paddle Billing | Paddle.com Market Ltd. | Operator/billing contact details, subscription and invoice data | Subscription management and merchant of record — the billing and subscription pages in the operator console | Runs on AWS. No documented customer-selectable EU residency; transfers under DPA / SCCs | SOC 2 Type II; PCI DSS (SAQ A); GDPR. ISO 27001 not certified (no published certificate) — Paddle trust center | Yes |
| Paddle Retain (ProfitWell) | Paddle.com Market Ltd. | Operator email address, subscription identifiers, cancellation-flow interactions — operator data only, never end-user contacts | Subscription retention analytics and the in-app cancellation flow in the operator console — the ProfitWell/Retain SDK loaded in the web app | Part of Paddle; runs on the same infrastructure as Paddle Billing (AWS). No documented customer-selectable EU residency; transfers under DPA / SCCs | Covered by Paddle's safeguards: SOC 2 Type II; PCI DSS (SAQ A); GDPR — Paddle trust center | Yes |
CRM and customer success
| Service | Provider | Data processed | Purpose | Processing location | Safeguards & certifications | Required |
|---|---|---|---|---|---|---|
| HubSpot | HubSpot, Inc. | Operator contact and company details, WABA metadata, usage metrics | CRM and onboarding tracking — sign-up funnel, WABA onboarding state, and account-management workflows | Regional AWS data centres: US, EU (Frankfurt), Canada, Australia. EU residency selectable for new customers since July 2021 | SOC 2 Type II; SOC 3; EU Cloud Code of Conduct (GDPR); HIPAA attestation. HubSpot is not itself ISO 27001 certified — that is inherited from AWS — HubSpot security | Yes |
| Plain | Plain Systems Ltd. | Operator support-ticket content and company details | Customer support — the operator-facing help and support-ticket flow | AWS eu-west-2 (London) only — single-region EU/UK residency by default | SOC 2 Type II; GDPR / UK DPA aligned + DPA. ISO 27001 not published — Plain security | Yes |
Edge network, DNS, and zero-trust access
Cloudflare sits in front of Turn's public hostnames as the authoritative DNS provider and, where proxying is enabled, as the TLS-terminating reverse proxy — this is the required, always-on edge in front of customer-facing traffic. Separately, Cloudflare Zero Trust Access and Cloudflare Tunnels secure developer and operator workstation access to internal admin and developer tooling; these sit outside the end-user data path and are not required for the platform to serve customers.
| Service | Provider | Data processed | Purpose | Processing location | Safeguards & certifications | Required |
|---|---|---|---|---|---|---|
| Cloudflare DNS + proxied edge | Cloudflare, Inc. | TLS-terminated HTTP(S) request and response bodies (which for proxied hostnames can include WhatsApp webhook payloads and operator API traffic), request metadata, client IP addresses | Authoritative DNS, TLS termination, DDoS protection and edge caching — every public Turn hostname (the operator web app, the customer-facing REST API, journey webhook ingress) | Global anycast network. EU Data Localization Suite / Regional Services confines decryption and Layer-7 processing to EU ISO-27001 data centres when enabled | ISO/IEC 27001:2022, 27018, 27701; SOC 2 Type II; PCI DSS Level 1; GDPR — Cloudflare trust hub | Yes |
| Cloudflare Zero Trust Access | Cloudflare, Inc. | Developer/operator identity (email, identity-provider claims), session cookies, request metadata for access-gated hostnames | SSO / identity-aware proxy for developer and operator workstation access to internal admin and developer tooling — not in the end-user data path | Global anycast network; EU Data Localization Suite available | ISO/IEC 27001:2022, 27018, 27701; SOC 2 Type II; PCI DSS Level 1; GDPR — Cloudflare trust hub | No |
Cloudflare Tunnels (cloudflared) | Cloudflare, Inc. | TLS-terminated traffic between developer/operator workstations and internal tooling routed through the tunnel | Egress-only secure tunnel for developer and operator workstation access to internal admin and developer tooling — replaces public load balancers for those internal services; not in the end-user data path | Global anycast network; EU Data Localization Suite available | ISO/IEC 27001:2022, 27018, 27701; SOC 2 Type II; PCI DSS Level 1; GDPR — Cloudflare trust hub | No |
On-call and incident response
| Service | Provider | Data processed | Purpose | Processing location | Safeguards & certifications | Required |
|---|---|---|---|---|---|---|
| PagerDuty | PagerDuty, Inc. | Alert payloads — can include cluster identifiers, organisation slugs, error counts, and (incidentally) message-identifier fragments embedded in alert annotations | On-call routing, incident escalation and runbook delivery — platform-operator on-call for cluster outages, error-rate spikes, billing-cost anomalies, and uptime-check failures | US and EU service regions; EU hosted on AWS Frankfurt (eu-central-1) and Ireland (eu-west-1). Some data types (logs, billing, support, analytics, Global User Profiles) process outside the chosen region | ISO/IEC 27001; SOC 2 Type II; FedRAMP (Low); PCI DSS; GDPR (DPA + SCCs) — PagerDuty security | Yes |
Operator authentication
| Service | Provider | Data processed | Purpose | Processing location | Safeguards & certifications | Required |
|---|---|---|---|---|---|---|
| Google SSO (Sign in with Google) | Google LLC | Operator email address, name, Google profile, OAuth access/refresh tokens | Public SSO identity provider — the "Sign in with Google" option for the Turn web app. Operator identity only — not WhatsApp end-user data | Global Google infrastructure; EU data-residency options available | ISO/IEC 27001:2022, 27017, 27018, 27701; SOC 1/2/3; EU-US/Swiss DPF + UK extension; GDPR — Google Cloud trust center | No |
| Microsoft Entra ID (Azure AD) | Microsoft Corporation | Operator email address, name, OAuth refresh/access tokens, tenant identifier | Public SSO identity provider — the "Sign in with Microsoft" option for the Turn web app. Operator identity only — not WhatsApp end-user data | Global service; the EU Data Boundary (declared complete Feb 2025) stores and processes EU customer data within the EU. Residency behaviour varies by tenant geography | ISO/IEC 27001, 27017, 27018, 27701; SOC 1/2/3; FedRAMP High; CSA STAR; HIPAA; GDPR — Microsoft Trust Center | No |
| Facebook Login (Sign in with Facebook) | Meta Platforms, Inc. | Operator email address, name, Facebook profile, OAuth access tokens | Public SSO identity provider — the "Sign in with Facebook" option for the Turn web app. Operator identity only — not WhatsApp end-user data | Meta data centres (US); transfers under SCCs / Data Privacy Framework | ISO/IEC 27001; SOC 2 Type II; SOC 3; GDPR — Meta compliance center | No |
Sub-processors managed by customers (BYO)
These are vendors the customer chooses to bring in themselves. The customer supplies the credentials, dataset, or destination URL through a per-organisation configuration, and Turn simply sends or pulls data against whatever the customer has configured.
For every entry in this section:
- The customer is responsible for the DPA that governs these.
- The customer is responsible for obtaining end-user consent (or another GDPR Art. 6 lawful basis) for routing personal data through that vendor — Turn's own customer-facing privacy notice and DPA do not cover BYO vendors.
- The vendor is not listed on Turn's customer-facing sub-processor inventory. Adding, removing or changing a BYO vendor on this page does not trigger a customer-DPA notification.
The Processing location and Safeguards & certifications columns below describe the vendor's own posture where the vendor is a fixed, named service (the AI providers); for fully customer-chosen destinations (webhooks, Lua HTTP calls, generic Chat-Completions endpoints, the customer's own BigQuery project) the location and safeguards are whatever the customer configures.
Customer-configured AI / ML providers
API keys (and, for the generic chat-completions case, the endpoint URL) live per-organisation, encrypted at rest, and are selected on each Assistant. The consuming product surface in every case is the AI Agent / Assistants layer and the journey AI block (text generation, classification, transcription, TTS) — plus, for Gemini specifically, the WhatsApp voice-calling AI agent.
| Service | Provider | Data processed | Purpose | Processing location | Safeguards & certifications | Required |
|---|---|---|---|---|---|---|
| OpenAI API (Responses, Chat, Whisper, TTS) | OpenAI, L.L.C. | Message text, conversation history, contact-field values, voice audio | LLM inference, speech-to-text and text-to-speech for the AI Agent / Assistants and the journey AI block | US by default; business customers can select data residency at rest (US, Europe, UK and others) and US/Europe data processing on supported endpoints. API data is not used to train models by default | SOC 2 Type II; ISO/IEC 27001:2022, 27017, 27018, 27701; CSA STAR; HIPAA (BAA); GDPR — OpenAI trust portal | No |
| Anthropic API (Claude) | Anthropic PBC | Message text, conversation history, contact-field values | LLM inference for the AI Agent / Assistants and the journey AI block | US-based; data-residency options available on the Claude API. Commercial/API data is not used for training without opt-in | SOC 2 Type I & II; ISO/IEC 27001:2022; ISO/IEC 42001:2023; HIPAA (BAA); GDPR — Anthropic trust center | No |
| Google Gemini API | Google LLC | Message text, conversation history, images, real-time audio (calling) | LLM inference and multimodal for the AI Agent / Assistants and the journey AI block, plus the WhatsApp voice-calling AI agent | Google Cloud regions; region governed by the endpoint / inference profile. Paid-tier API data is not used for training | ISO/IEC 27001:2022, 27017, 27018, 27701; SOC 1/2/3; HIPAA; EU-US/Swiss DPF + UK extension; GDPR (Cloud DPA + SCCs) — Google Cloud trust center | No |
| DeepInfra (Llama et al.) | DeepInfra Inc. | Message text, conversation history | LLM inference for open-weight models in the AI Agent / Assistants and the journey AI block | US only — own inference infrastructure in US data centres; no EU residency. Request/response payloads not logged or used for training | SOC 2; ISO/IEC 27001 (earned 2025); GDPR and HIPAA measures — DeepInfra trust center | No |
| Customer-configured Chat-Completions endpoint | Varies | Whatever the journey passes to the block | Bring-your-own LLM for the AI Agent / Assistants and the journey AI block | Determined by the customer-configured endpoint | Determined by the customer-configured endpoint | No |
Customer-controlled data warehouse export
| Service | Provider | Data processed | Purpose | Processing location | Safeguards & certifications | Required |
|---|---|---|---|---|---|---|
| Google BigQuery | Google LLC | Message bodies, contact fields, conversation logs, attachment references, analytics events | Customer-facing data warehouse export — the BigQuery export integration streams an organisation's messages and contacts to a dataset in the customer's GCP project, using credentials the customer supplies | The customer's own GCP project and region | Google Cloud certifications apply to the underlying platform (ISO/IEC 27001:2022, 27017, 27018, 27701; SOC 1/2/3; GDPR) — Google Cloud trust center | No |
Customer-controlled outbound integrations
These don't have a fixed vendor — the destination is chosen by the organisation operating the journey.
| Service | Provider | Data processed | Purpose | Processing location | Safeguards & certifications | Required |
|---|---|---|---|---|---|---|
| Webhook block destinations | Customer-configured | Any journey context the customer chooses to send | Outbound webhooks from journeys — the Webhook block in the journey builder | Determined by the customer-chosen destination URL | Determined by the customer-chosen destination | No |
| Lua app HTTP calls | Customer-configured | Any data the installed app chooses to send | Custom integrations via the Apps engine — HTTP calls made by an installed Lua app | Determined by the customer-chosen destination | Determined by the customer-chosen destination | No |