Trust
Sub-processors
Last updated: May 20, 2026
Vouch uses a small, vetted set of sub-processors to deliver the Platform. Every sub-processor is contractually bound to confidentiality and security obligations at least as strict as our own, and is permitted to use customer data only to deliver the service to us. This page lists them. We update it when the list changes.
How we choose sub-processors
- Each sub-processor is reviewed for security posture (SOC 2, ISO 27001, or equivalent), data-handling commitments, breach-notification commitments, and regional residency.
- Each is bound by a written agreement that mirrors our own obligations to customers — including no use of customer data for the sub-processor's own purposes and no AI model training on our traffic.
- Customers under a Data Processing Agreement receive advance notice of new sub-processors with an opportunity to object before processing begins.
- Sub-processors that handle data only on behalf of the customer's own configuration — for example, an email or SMS provider the customer brings their own credentials for — are the customer's data exporters, not Vouch's sub-processors. They are listed separately below.
1. Infrastructure and identity
| Vendor / service | Purpose | Data categories | Region |
|---|---|---|---|
| Microsoft Azure (Container Apps, Postgres, Storage, Key Vault, Front Door, Static Web Apps) | Application hosting, managed database, object storage, secrets management, edge delivery | All workspace data (encrypted in transit and at rest) | Customer-selected Azure region (default: US East; EU region available on request) |
| Microsoft Entra ID | Identity and SSO for Vouch admin web and supporting tooling (when used) | User name, work email, role, authentication metadata | Global (Microsoft 365 tenancy) |
2. AI model providers
AI features (reply drafting, recommendations, sentiment analysis, content assistance) call the foundation-model APIs below. Traffic to these providers runs under commercial terms that prohibit training on our prompts or outputs. Provider-side retention is limited to short-window abuse review (up to 30 days at Anthropic). See our AI Policy for the full description.
| Vendor / service | Purpose | Data categories | Region |
|---|---|---|---|
| Anthropic | Foundation model API (Claude) for reply drafting, recommendations, content assistance, sentiment and theme extraction, Vouch Score, and translation | Prompt contents (review text, brand-voice settings, template inputs); no customer lists | US (Anthropic API). No training on traffic; provider-side retention limited to 30 days for trust-and-safety abuse review under Anthropic's commercial terms. |
3. Customer-configured integrations (not Vouch sub-processors)
When you connect a third-party service to your workspace using your own credentials — for example, your Google Business Profile, your Yelp account, your email or SMS provider, your CRM, or your SAML identity provider — that service is your data importer or exporter, not ours. Vouch acts on your behalf within the scopes you approve, under those services’ own terms.
- Review platforms: Google Business Profile, Yelp, Facebook, Tripadvisor, Trustpilot, and similar — connected with your own account credentials and OAuth scopes.
- Messaging carriers: the email, SMS, and WhatsApp providers you bring your own credentials or sender configuration for (e.g. 10DLC brand registrations, Meta WABA, your own SMTP relay).
- Identity providers: your SAML IdP or Microsoft Entra ID tenancy used for SSO.
- CRM and calendar systems connected via OAuth or API key under your control.
We list these for transparency. Their terms and privacy policies apply to your use of them, and Vouch is not responsible for their independent processing of personal data.
4. Notification of changes
When we add, remove, or replace a sub-processor that materially affects how customer data is processed, we update this page and notify customers under a Data Processing Agreement at least 30 days in advance. Customers can object during that window; if we cannot find a workable alternative for an objected sub-processor, the customer may terminate the affected service with a pro-rated refund.
To subscribe to sub-processor change notifications, email support@aartha.ai with the subject “Subscribe: sub-processor changes”.
5. Contact
Privacy and sub-processor questions: support@aartha.ai
Procurement / security questionnaires: support@aartha.ai