| Vendor | Purpose | Location | Data types |
|---|---|---|---|
| Google Cloud Services (GCS) | Cloud hosting, storage, authentication | EU | Customer Content, Outputs, telemetry, authentication |
| Stripe | Payment processing | EU/US | Billing metadata (name, email, plan, address) |
| Fal.ai (Features & Labels Inc.) | Avatar media generation (video/audio rendering) | US | Creator recordings (video/audio), generated Outputs |
| ElevenLabs | Audio generation (text-to-speech) | US | Customer scripts/text, generated audio |
| Google Workspace | Email & support | EU | Customer contact info, support messages |
| Slack | Customer support via shared channels | EU | Customer contact info, support messages, feedback |
| Posthog | Product analytics | EU | Usage telemetry, event tracking |
GDPR compliance and data transfers
Saltfish AB is established in Sweden and subject to the General Data Protection Regulation (GDPR) for all processing activities, regardless of where data is stored or processed.
- EU/EEA processing: Where possible, sub-processors are configured to use EU/EEA data centers to minimize cross-border transfers.
- Transfers outside the EU/EEA: Certain sub-processors (e.g. media-generation providers) may process personal data on global infrastructure, including in the United States.
- Safeguards:Where such transfers occur, Saltfish relies on the European Commission’s Standard Contractual Clauses (SCCs), together with supplementary measures, as described in our DPA.
- No training:“Neither Saltfish nor its sub-processors use Customer Content, Outputs, or Personal Data for model training or product improvement.”
- Deletion:Sub-processors are required to delete personal data in line with Saltfish’s DPA timelines, subject to unavoidable technical retention limits disclosed to Customers.
Notice and objection:Saltfish provides at least 30 days’ prior notice of material changes to this list. Customers may object on reasonable privacy or security grounds in accordance with the DPA.