Skip to main content

Sub-Processors

This document lists the third-party services ("sub-processors") that may receive, process, or store end-user personal data — including WhatsApp message content, phone numbers, contact profile fields, location data, and media — as part of operating the Turn platform.

It is intended to support data-protection and privacy obligations under any applicable regime.

A sub-processor appears here if end-user data — or end-user-derived data such as error diagnostics containing message context, or request payloads terminated at the edge — can reach a service operated outside our own infrastructure.

Where a vendor offers a choice of region, the Processing location column describes the residency options available rather than a single fixed location. The Safeguards & certifications column links to each vendor's public trust or compliance page for reference.

How this page is organised

Two top-level sections, split by who holds the vendor relationship:

  • Sub-processors managed by Turn. Turn holds the vendor account and contract, enters into a DPA with the vendor, lists the vendor on Turn's customer-facing sub-processor list, and Turn is the entity that needs to obtain end-user consent (or another lawful basis under GDPR Art. 6) for the routing of personal data through these vendors, via Turn's customer-facing terms and privacy notice.
  • Sub-processors managed by customers (BYO). The customer supplies the credentials, dataset, or destination themselves; Turn only writes to / reads from whatever the customer points it at. The customer signs the DPA directly with the vendor and the customer is responsible for obtaining end-user consent (or another lawful basis) for routing personal data through that vendor. These do not appear on Turn's customer-facing sub-processor list — they are documented here for transparency and so it is clear which product surface drives the data flow.

Column conventions

  • Processing location. Where the vendor processes and stores data, and what data-residency options it offers. For customer-configured (BYO) vendors this is determined by the endpoint or destination the customer points Turn at.
  • Safeguards & certifications. The vendor's security certifications and transfer safeguards, with a link to the vendor's public trust or compliance page for reference.
  • Required column. Yes means the sub-processor is engaged for every customer in the scope of this section (for Turn-managed vendors, every customer of Turn; for BYO vendors, every customer who has turned the feature on). No means the sub-processor is only engaged when an additional feature, credential or integration is configured on top.
  • Purpose column. Names the vendor-side role and the Turn-side feature(s) it powers, so it is clear which product surface stops working if the vendor is removed.

Out of scope

Self-hosted infrastructure that runs on our own clusters (databases, caches, search indexes, and internal monitoring and observability tooling) is not listed as a sub-processor — only the managed/cloud variants and external SaaS endpoints are.


Sub-processors managed by Turn

These are the vendors Turn contracts with directly. It is Turn's practice, everywhere possible, to enter into a data processing agreement (DPA) with the vendor. Adding, removing, or materially changing a vendor in this section is a notifiable event under our customer DPA.

Messaging carrier

ServiceProviderData processedPurposeProcessing locationSafeguards & certificationsRequired
WhatsApp Business / Cloud APIMeta Platforms, Inc.All inbound and outbound messages, media, service phone numbers, WhatsApp profile names, WhatsApp IDs, delivery/read receiptsSend and receive WhatsApp messages — the core conversational inbox, every journey send/receive step, and all message-template deliveryDefault processing in Meta data centres (US), encrypted at rest. EU at-rest residency available via Cloud API Local Storage; messages are still decrypted and processed through Meta infrastructure in transit/in use. Transfers under Meta Hosting Terms + the WhatsApp Business Data Transfer AddendumISO/IEC 27001; SOC 2 Type II; SOC 3; GDPR/LGPD — Meta compliance centerYes
Meta Graph APIMeta Platforms, Inc.WhatsApp Business Account metadata, phone-number provisioning dataWABA management and embedded signup — the number-onboarding flow and WABA configuration screens in the operator consoleSame as above (Meta data centres, US; EU at-rest via Local Storage)ISO/IEC 27001; SOC 2 Type II; SOC 3; GDPR/LGPD — Meta compliance centerYes
SudonumSudonum (Pty) LtdMetadata for the service phone numbers Turn provisions to its customers (the numbers those customers operate on) — not end-user contact phone numbers. Sudonum holds only this service-number metadata and provisioning dataService phone-number provisioning for select regions — supplies the service/business numbers offered to Turn's customers during the number-onboarding flow when the requested region is served by SudonumSouth Africa–based (Stellenbosch); cross-border transfers made only under contractual safeguards per its privacy policyStates compliance with POPIA and GDPR and the use of appropriate technical and organisational security measures — Sudonum privacy policyYes

AI / ML providers

The only AI vendor that Turn itself contracts with is Modal Labs, which hosts Turn's own fine-tuned MedGemma endpoint. Every other AI vendor available in the platform (OpenAI, Anthropic, Google Gemini, DeepInfra, customer-supplied Chat-Completions endpoints) is bring-your-own — see Customer-configured AI / ML providers.

ServiceProviderData processedPurposeProcessing locationSafeguards & certificationsRequired
Modal Labs (Turn-hosted MedGemma)Modal Labs, Inc.Message text, conversation historyHosting for Turn's fine-tuned MedGemma endpoint — a limited, opt-in trial for select customers, gated behind a feature flag; not a standard offering. Provided by Turn with no customer credentialRuns on public cloud; per-workload region selection available (e.g. pinning to EU data centres) on Team/Enterprise plans. No account-wide EU-only guaranteeSOC 2 Type II; HIPAA (BAA, Enterprise); PCI via Stripe. No ISO 27001 published — Modal trust centerNo

Error tracking and observability

Frontend (browser) exceptions are additionally captured by PostHog — see Product analytics.

ServiceProviderData processedPurposeProcessing locationSafeguards & certificationsRequired
Sentry (backend + browser)Functional Software, Inc.Exception stack traces and breadcrumbs; personal data (message snippets, contact IDs, identifiers in URLs) is scrubbed before events are sent to SentryError tracking — backend (Turn API, journeys engine, workers) and the operator web appUS data region (hosted on Google Cloud). Personal data is scrubbed from events before they leave Turn's infrastructureISO/IEC 27001; SOC 2 Type II; HIPAA attestation; EU-US/UK/Swiss Data Privacy Framework; GDPR DPA — Sentry trust centerYes

Product analytics

ServiceProviderData processedPurposeProcessing locationSafeguards & certificationsRequired
PostHogPostHog Inc.Operator (organisation user) interactions in the web app and frontend exception events (error stack traces); not WhatsApp end-user contentProduct analytics for the operator console — feature adoption, funnels, and session-level usage in the Turn web app — plus frontend error tracking (browser exception events)Customer-selected region: PostHog Cloud EU (AWS Frankfurt / eu-central-1) or PostHog Cloud US (AWS US region), fully independent instancesSOC 2 Type II; HIPAA (BAA); GDPR; CCPA; annual penetration test. ISO 27001 not published — PostHog trust centerYes

Cloud storage and infrastructure

Turn runs on either Amazon Web Services or Google Cloud Platform. Each customer environment is provisioned on one of the two, and the application provisioned is identical on both — the same workloads, the same data, and the same purpose. The clouds differ only in the underlying primitives they provide: for example object storage is Amazon S3 on AWS and Cloud Storage on GCP, and each cloud has its own database, cache, secret- and key-management services. The two rows below therefore share the same data categories and purpose, and differ only in the service names, region options, and certifications.

Two GCP-specific notes: a shared tooling and control-plane project on GCP (including Secret Manager) is engaged for every environment regardless of the cluster's cloud, so Google is a sub-processor even for AWS-hosted environments; and the Lua-app Google integrations (Sheets, Vision, Healthcare) are only engaged when a customer installs a Lua app that uses them.

ServiceProviderData processedPurposeProcessing locationSafeguards & certificationsRequired
Amazon Web Services (EKS, S3, RDS PostgreSQL, ElastiCache Redis, KMS, CloudWatch/CloudTrail, VPC networking, Backup)Amazon Web Services, Inc.All workload traffic, encrypted-at-rest data (database, cache, object storage), logs and metrics for Turn workloads; inbound/outbound WhatsApp media (images, audio, documents) and bulk exports held in object storageUnderlying compute, networking, database, cache, secret/key management and object storage for every Turn workload — the conversational inbox, journeys engine, REST API, workers, and the media attachments and exports those workloads read and writeGlobal, with EU regions including Europe (Belgium, eu-west-1) and the AWS European Sovereign Cloud (Germany, GA Jan 2026). Region selected per deploymentISO/IEC 27001, 27017, 27018, 27701; SOC 1/2/3; PCI DSS Level 1; HIPAA-eligible; FedRAMP; German C5; EU-US Data Privacy Framework; GDPR (DPA + SCCs) — AWS compliance programsAWS-hosted environments only
Google Cloud Platform (GKE, Cloud Storage, Cloud SQL PostgreSQL, Memorystore Redis, Secret Manager, Cloud Logging/Monitoring, VPC/Cloud NAT, Sheets/Vision/Healthcare APIs)Google LLCAll workload traffic, encrypted-at-rest data (database, cache, object storage), logs and metrics for Turn workloads; inbound/outbound WhatsApp media (images, audio, documents) and bulk exports held in object storageUnderlying compute, networking, database, cache, secret/key management and object storage for every Turn workload — the conversational inbox, journeys engine, REST API, workers, and the media attachments and exports those workloads read and writeConfigurable per region; europe-west1 is St. Ghislain, Belgium, with five EU regions available and Assured Workloads for EU data-residency enforcementISO/IEC 27001:2022, 27017, 27018, 27701; SOC 1/2/3; PCI DSS; FedRAMP; HIPAA; EU-US/Swiss DPF + UK extension; GDPR (Cloud DPA + SCCs) — Google Cloud trust centerYes

Email, push, and operational notifications

ServiceProviderData processedPurposeProcessing locationSafeguards & certificationsRequired
MandrillMailchimp / IntuitRecipient email address and message contents — Turn customer (operator) email addresses only, never end-user contactsTransactional email delivery to Turn's customers — operator invites, password resets, and billing emailsUS data centres. No EU-only residency for Mandrill; EU-to-US transfers under SCCs / Data Privacy FrameworkSOC 2 Type II; ISO/IEC 27001; PCI; GDPR (Data Privacy Framework + SCCs) — Mailchimp securityYes
Firebase Cloud MessagingGoogle LLCBrowser push subscription endpoints and encrypted notification payloads (Web Push payload encryption — the relay cannot read notification content)Vendor-operated push relay for operator browser push notifications — new-message and handover alerts in the web app on Chrome-family browsersGlobal Google infrastructure; no configurable residency for FCM. Transfers under SCCs + Data Privacy FrameworkISO/IEC 27001; SOC 1; SOC 2; GDPR; EU-US/Swiss DPF + UK extension (FCM scope — note 27017/27018 apply to other Firebase services, not FCM) — Firebase privacyYes
Apple APNs / Mozilla autopush (web-push relays)Apple Inc., Mozilla FoundationPush subscription endpoints and encrypted notification payloads (Web Push payload encryption — the relay cannot read notification content)Vendor-operated push relays for operator browser push notifications — same role as Firebase Cloud Messaging above; which relay is engaged is determined by the operator's browser (Safari → APNs, Firefox → autopush)Global Apple / Mozilla-hosted infrastructure; no EU residency documented. Desktop Firefox push runs on Mozilla's own autopush infrastructure (FCM/APNs bridging applies only to mobile Firefox)Apple APNs: ISO/IEC 27001 and 27018 (APNs in scope); no SOC 2 — Apple certifications. Mozilla: no formal certifications; GDPR-aligned — Mozilla privacyYes
Slack (incoming webhooks + Bot API)Slack Technologies, LLCInternal operational alerts; may include organisation/contact identifiers in handover or alert messagesPlatform-internal alerting, plus the operator handover block in journeys (destination workspace customer-supplied; API client and DPA with Slack are Turn's)Data Residency available for defined regions including the EU (encrypted data at rest). Transfers under DPA + SCCsISO/IEC 27001:2022, 27017, 27018, 27701, 42001; SOC 2 Type II; SOC 3; FedRAMP Moderate; HIPAA; GDPR; CCPA; CSA STAR — Slack complianceYes

Billing

ServiceProviderData processedPurposeProcessing locationSafeguards & certificationsRequired
Paddle BillingPaddle.com Market Ltd.Operator/billing contact details, subscription and invoice dataSubscription management and merchant of record — the billing and subscription pages in the operator consoleRuns on AWS. No documented customer-selectable EU residency; transfers under DPA / SCCsSOC 2 Type II; PCI DSS (SAQ A); GDPR. ISO 27001 not certified (no published certificate) — Paddle trust centerYes
Paddle Retain (ProfitWell)Paddle.com Market Ltd.Operator email address, subscription identifiers, cancellation-flow interactions — operator data only, never end-user contactsSubscription retention analytics and the in-app cancellation flow in the operator console — the ProfitWell/Retain SDK loaded in the web appPart of Paddle; runs on the same infrastructure as Paddle Billing (AWS). No documented customer-selectable EU residency; transfers under DPA / SCCsCovered by Paddle's safeguards: SOC 2 Type II; PCI DSS (SAQ A); GDPR — Paddle trust centerYes

CRM and customer success

ServiceProviderData processedPurposeProcessing locationSafeguards & certificationsRequired
HubSpotHubSpot, Inc.Operator contact and company details, WABA metadata, usage metricsCRM and onboarding tracking — sign-up funnel, WABA onboarding state, and account-management workflowsRegional AWS data centres: US, EU (Frankfurt), Canada, Australia. EU residency selectable for new customers since July 2021SOC 2 Type II; SOC 3; EU Cloud Code of Conduct (GDPR); HIPAA attestation. HubSpot is not itself ISO 27001 certified — that is inherited from AWS — HubSpot securityYes
PlainPlain Systems Ltd.Operator support-ticket content and company detailsCustomer support — the operator-facing help and support-ticket flowAWS eu-west-2 (London) only — single-region EU/UK residency by defaultSOC 2 Type II; GDPR / UK DPA aligned + DPA. ISO 27001 not published — Plain securityYes

Edge network, DNS, and zero-trust access

Cloudflare sits in front of Turn's public hostnames as the authoritative DNS provider and, where proxying is enabled, as the TLS-terminating reverse proxy — this is the required, always-on edge in front of customer-facing traffic. Separately, Cloudflare Zero Trust Access and Cloudflare Tunnels secure developer and operator workstation access to internal admin and developer tooling; these sit outside the end-user data path and are not required for the platform to serve customers.

ServiceProviderData processedPurposeProcessing locationSafeguards & certificationsRequired
Cloudflare DNS + proxied edgeCloudflare, Inc.TLS-terminated HTTP(S) request and response bodies (which for proxied hostnames can include WhatsApp webhook payloads and operator API traffic), request metadata, client IP addressesAuthoritative DNS, TLS termination, DDoS protection and edge caching — every public Turn hostname (the operator web app, the customer-facing REST API, journey webhook ingress)Global anycast network. EU Data Localization Suite / Regional Services confines decryption and Layer-7 processing to EU ISO-27001 data centres when enabledISO/IEC 27001:2022, 27018, 27701; SOC 2 Type II; PCI DSS Level 1; GDPR — Cloudflare trust hubYes
Cloudflare Zero Trust AccessCloudflare, Inc.Developer/operator identity (email, identity-provider claims), session cookies, request metadata for access-gated hostnamesSSO / identity-aware proxy for developer and operator workstation access to internal admin and developer tooling — not in the end-user data pathGlobal anycast network; EU Data Localization Suite availableISO/IEC 27001:2022, 27018, 27701; SOC 2 Type II; PCI DSS Level 1; GDPR — Cloudflare trust hubNo
Cloudflare Tunnels (cloudflared)Cloudflare, Inc.TLS-terminated traffic between developer/operator workstations and internal tooling routed through the tunnelEgress-only secure tunnel for developer and operator workstation access to internal admin and developer tooling — replaces public load balancers for those internal services; not in the end-user data pathGlobal anycast network; EU Data Localization Suite availableISO/IEC 27001:2022, 27018, 27701; SOC 2 Type II; PCI DSS Level 1; GDPR — Cloudflare trust hubNo

On-call and incident response

ServiceProviderData processedPurposeProcessing locationSafeguards & certificationsRequired
PagerDutyPagerDuty, Inc.Alert payloads — can include cluster identifiers, organisation slugs, error counts, and (incidentally) message-identifier fragments embedded in alert annotationsOn-call routing, incident escalation and runbook delivery — platform-operator on-call for cluster outages, error-rate spikes, billing-cost anomalies, and uptime-check failuresUS and EU service regions; EU hosted on AWS Frankfurt (eu-central-1) and Ireland (eu-west-1). Some data types (logs, billing, support, analytics, Global User Profiles) process outside the chosen regionISO/IEC 27001; SOC 2 Type II; FedRAMP (Low); PCI DSS; GDPR (DPA + SCCs) — PagerDuty securityYes

Operator authentication

ServiceProviderData processedPurposeProcessing locationSafeguards & certificationsRequired
Google SSO (Sign in with Google)Google LLCOperator email address, name, Google profile, OAuth access/refresh tokensPublic SSO identity provider — the "Sign in with Google" option for the Turn web app. Operator identity only — not WhatsApp end-user dataGlobal Google infrastructure; EU data-residency options availableISO/IEC 27001:2022, 27017, 27018, 27701; SOC 1/2/3; EU-US/Swiss DPF + UK extension; GDPR — Google Cloud trust centerNo
Microsoft Entra ID (Azure AD)Microsoft CorporationOperator email address, name, OAuth refresh/access tokens, tenant identifierPublic SSO identity provider — the "Sign in with Microsoft" option for the Turn web app. Operator identity only — not WhatsApp end-user dataGlobal service; the EU Data Boundary (declared complete Feb 2025) stores and processes EU customer data within the EU. Residency behaviour varies by tenant geographyISO/IEC 27001, 27017, 27018, 27701; SOC 1/2/3; FedRAMP High; CSA STAR; HIPAA; GDPR — Microsoft Trust CenterNo
Facebook Login (Sign in with Facebook)Meta Platforms, Inc.Operator email address, name, Facebook profile, OAuth access tokensPublic SSO identity provider — the "Sign in with Facebook" option for the Turn web app. Operator identity only — not WhatsApp end-user dataMeta data centres (US); transfers under SCCs / Data Privacy FrameworkISO/IEC 27001; SOC 2 Type II; SOC 3; GDPR — Meta compliance centerNo

Sub-processors managed by customers (BYO)

These are vendors the customer chooses to bring in themselves. The customer supplies the credentials, dataset, or destination URL through a per-organisation configuration, and Turn simply sends or pulls data against whatever the customer has configured.

For every entry in this section:

  • The customer is responsible for the DPA that governs these.
  • The customer is responsible for obtaining end-user consent (or another GDPR Art. 6 lawful basis) for routing personal data through that vendor — Turn's own customer-facing privacy notice and DPA do not cover BYO vendors.
  • The vendor is not listed on Turn's customer-facing sub-processor inventory. Adding, removing or changing a BYO vendor on this page does not trigger a customer-DPA notification.

The Processing location and Safeguards & certifications columns below describe the vendor's own posture where the vendor is a fixed, named service (the AI providers); for fully customer-chosen destinations (webhooks, Lua HTTP calls, generic Chat-Completions endpoints, the customer's own BigQuery project) the location and safeguards are whatever the customer configures.

Customer-configured AI / ML providers

API keys (and, for the generic chat-completions case, the endpoint URL) live per-organisation, encrypted at rest, and are selected on each Assistant. The consuming product surface in every case is the AI Agent / Assistants layer and the journey AI block (text generation, classification, transcription, TTS) — plus, for Gemini specifically, the WhatsApp voice-calling AI agent.

ServiceProviderData processedPurposeProcessing locationSafeguards & certificationsRequired
OpenAI API (Responses, Chat, Whisper, TTS)OpenAI, L.L.C.Message text, conversation history, contact-field values, voice audioLLM inference, speech-to-text and text-to-speech for the AI Agent / Assistants and the journey AI blockUS by default; business customers can select data residency at rest (US, Europe, UK and others) and US/Europe data processing on supported endpoints. API data is not used to train models by defaultSOC 2 Type II; ISO/IEC 27001:2022, 27017, 27018, 27701; CSA STAR; HIPAA (BAA); GDPR — OpenAI trust portalNo
Anthropic API (Claude)Anthropic PBCMessage text, conversation history, contact-field valuesLLM inference for the AI Agent / Assistants and the journey AI blockUS-based; data-residency options available on the Claude API. Commercial/API data is not used for training without opt-inSOC 2 Type I & II; ISO/IEC 27001:2022; ISO/IEC 42001:2023; HIPAA (BAA); GDPR — Anthropic trust centerNo
Google Gemini APIGoogle LLCMessage text, conversation history, images, real-time audio (calling)LLM inference and multimodal for the AI Agent / Assistants and the journey AI block, plus the WhatsApp voice-calling AI agentGoogle Cloud regions; region governed by the endpoint / inference profile. Paid-tier API data is not used for trainingISO/IEC 27001:2022, 27017, 27018, 27701; SOC 1/2/3; HIPAA; EU-US/Swiss DPF + UK extension; GDPR (Cloud DPA + SCCs) — Google Cloud trust centerNo
DeepInfra (Llama et al.)DeepInfra Inc.Message text, conversation historyLLM inference for open-weight models in the AI Agent / Assistants and the journey AI blockUS only — own inference infrastructure in US data centres; no EU residency. Request/response payloads not logged or used for trainingSOC 2; ISO/IEC 27001 (earned 2025); GDPR and HIPAA measures — DeepInfra trust centerNo
Customer-configured Chat-Completions endpointVariesWhatever the journey passes to the blockBring-your-own LLM for the AI Agent / Assistants and the journey AI blockDetermined by the customer-configured endpointDetermined by the customer-configured endpointNo

Customer-controlled data warehouse export

ServiceProviderData processedPurposeProcessing locationSafeguards & certificationsRequired
Google BigQueryGoogle LLCMessage bodies, contact fields, conversation logs, attachment references, analytics eventsCustomer-facing data warehouse export — the BigQuery export integration streams an organisation's messages and contacts to a dataset in the customer's GCP project, using credentials the customer suppliesThe customer's own GCP project and regionGoogle Cloud certifications apply to the underlying platform (ISO/IEC 27001:2022, 27017, 27018, 27701; SOC 1/2/3; GDPR) — Google Cloud trust centerNo

Customer-controlled outbound integrations

These don't have a fixed vendor — the destination is chosen by the organisation operating the journey.

ServiceProviderData processedPurposeProcessing locationSafeguards & certificationsRequired
Webhook block destinationsCustomer-configuredAny journey context the customer chooses to sendOutbound webhooks from journeys — the Webhook block in the journey builderDetermined by the customer-chosen destination URLDetermined by the customer-chosen destinationNo
Lua app HTTP callsCustomer-configuredAny data the installed app chooses to sendCustom integrations via the Apps engine — HTTP calls made by an installed Lua appDetermined by the customer-chosen destinationDetermined by the customer-chosen destinationNo