Sub-processors list.
The third parties Message.com engages to deliver the platform, what each one touches, and where the processing happens. Published under GDPR Article 28(2). 30-day notice on every change.
01Scope
A sub-processor is any third party Message.com LLC ("Message") engages to process Personal Data on behalf of a customer. This page is published in accordance with Article 28(2) of the GDPR and Article 28(2) of the UK GDPR, and forms part of the Data Processing Addendum.
The list below is the complete catalog of sub-processors as of the effective date above. We update it whenever we add, remove, or replace a vendor. Customers can subscribe to changes by emailing [email protected]with the subject line "Sub-processor notifications".
Engagements with internal entities of Message.com LLC (subsidiaries, our own contractors operating under Message's direct control with confidentiality and security obligations equivalent to Message employees) are not listed here. They are governed by the same controls as Message staff.
02How we choose sub-processors
We do not add a vendor to the platform unless it earns it. Each candidate goes through a written assessment that covers, at minimum:
- Security posture: independent attestations (SOC 2 Type II, ISO 27001, PCI DSS where relevant), encryption in transit and at rest, access controls, breach history.
- Data protection: ability to sign a GDPR Article 28 contract, SCCs where transfers leave the EEA, UK IDTA where relevant, sensible deletion timelines.
- Operational maturity: published status pages, SLAs that match the criticality of the workload, transparent post-incident reporting.
- Necessity: we ship the vendor only if the platform genuinely cannot do the work in-house at the required quality or cost. We prefer to self-host when the unit economics make sense (see our self-hosted AI hardware strategy).
- Cost discipline: vendor pricing is modeled against unit economics before contract signature. We do not lock in vendors that erode margin at scale.
Every approved sub-processor signs a Data Processing Agreement with Message that imposes confidentiality, security, and breach notification obligations no less protective than the obligations Message owes to customers.
03Notification of changes
Message gives customers at least 30 days' advance notice of any intended addition or replacement of a sub-processor that processes Personal Data. Notifications are sent in two ways:
- An update to this page (the canonical source).
- An email to the security contact on file for each workspace, if the customer has opted into change notifications.
Customers may object to the change in writing within the 30-day window. If we cannot reach a workable solution (a different vendor, additional contractual safeguards, or a regional workaround), the customer may terminate the affected portion of the Service on 30 days' written notice and receive a pro-rated refund for the unused balance, in line with section 6 of the DPA.
Emergency replacements (vendor outage, sudden contract termination by the vendor, material security incident on the vendor side) may be made on shorter notice. Where this happens, Message will document the reason and update this page within 5 business days.
04Current sub-processors
The table below lists every sub-processor that processes customer Personal Data. Each entry shows the vendor, the service we use them for, the categories of data they touch, and the primary processing region. Where a vendor offers regional pinning, Enterprise customers can request that their workload be confined to a specific region (see International Data Transfer).
| Sub-processor | Service | Data accessed | Region |
|---|---|---|---|
| DigitalOcean | Compute, Managed Postgres, Managed Redis, object storage (Spaces) | All workspace data: conversations, contacts, files, transcripts | US (SFO3, NYC3), EU (FRA1) |
| Cloudflare | CDN, DDoS protection, edge caching for the widget and KB sites | HTTP metadata, IP addresses, widget bundle delivery (no message bodies) | Global (anycast) |
| AWS KMS | Envelope encryption key management for at-rest data and backups | No customer data; key material only | US (us-east-2) |
| Sentry | Application error tracking and performance monitoring | Stack traces, user IDs, request metadata (PII scrubbing enabled) | US (configurable to EU on request) |
| Resend | Transactional email delivery (password resets, ticket notifications, receipts) | Recipient email, sender email, subject line, body | US |
| BulkVS | SIP trunking and DID provisioning for inbound and outbound voice | Caller ID, called number, call duration, SIP signaling | US |
| Stripe | Billing, subscription management, payment processing | Billing contact, card last-4, invoices, subscription state | US (with EU data residency for EU customers) |
| DeepInfra | LLM fallback inference when self-hosted GPUs are unavailable | Conversation context required for the specific AI completion (no long-term storage) | US |
| Featherless | Secondary LLM fallback inference | Conversation context required for the specific AI completion (no long-term storage) | US |
| Fish Audio | Text-to-speech for phone AI (wait-time concierge, IVR prompts) | Text prompts sent for synthesis; no recording retention | US |
| Deepgram | Speech-to-text (batch transcription of call recordings) | Call audio bytes during transcription; deleted after processing | US |
| Grafana Labs (Grafana Cloud) | OpenTelemetry traces, metrics, logs for platform observability | Operational telemetry, request IDs (no message bodies) | US |
| GitHub (Microsoft) | Source control for platform code (no customer data) | Internal employee identifiers only | US |
| Linear | Internal ticketing for engineering and support workflows | Internal ticket content; customer data referenced only by case number | US |
| Tailscale | Zero-trust VPN for administrative access to production | Network metadata only; no customer payloads | US |
| Vercel | CDN for the marketing site at message.com | No customer Personal Data; marketing site visitor IPs only | Global (edge) |
| Anthropic | Batch summarization and offline KB writing tasks (never real-time chat or calls) | Knowledge base source content; no end-user conversation bodies | US |
05Onward sub-processors
Each sub-processor above may engage its own sub-processors (sometimes called "onward" or "sub-sub" processors). Message contractually requires every sub-processor to:
- Maintain a current list of its own sub-processors and make it available on request.
- Impose Article 28-equivalent obligations on each downstream party.
- Remain responsible to Message for the acts and omissions of any downstream processor.
Where a sub-processor publishes its own sub-processor list, the relevant link can be found in that vendor's trust center. Customers who want a consolidated view across the entire chain can request it from [email protected].
06AI inference and sub-processors
The AI features (message AI in widgets, agent assist in the inbox, ticket summaries, phone wait-time concierge) run primarily on Message-owned hardware. Self-hosted GPUs in Houston serve the Qwen large language model and the bge-large embedding model. No third-party sub-processor sees the inference payload in this default path.
Two cases route through a third party:
- When self-hosted capacity is unavailable, inference fails over to DeepInfra (primary) and Featherless (secondary). Each request carries only the context required to answer that specific turn. None of the providers train models on Message traffic.
- Phone surfaces use Fish Audio for text-to-speech and Deepgram for batch speech-to-text. Audio bytes are deleted by the vendor at the end of processing.
Enterprise customers can disable all third-party AI inference and pin all completions to Message-owned hardware. Talk to [email protected] for the configuration toggle.
07Audit rights
Customers may exercise the audit rights set out in section 9 of the DPAwith respect to Message's management of sub-processors. As a first step, Message will share the most recent SOC 2 Type II report and our internal sub-processor selection criteria under NDA.
Where a customer needs to audit a specific sub-processor directly, Message will use commercially reasonable efforts to facilitate that audit, subject to the sub-processor's own contractual terms. In practice, sub-processors of the scale we use (DigitalOcean, Cloudflare, AWS) publish independent attestations that satisfy customer audit requirements.
08Contact
Questions about sub-processors, change notifications, or specific regional requirements go to [email protected]. We answer every email from a named human within two business days.
Suspected security issues with any sub-processor should go to [email protected]. Coordinated disclosure terms are published on the Data Security Policy.
Need notifications when this list changes?
Email [email protected] with the subject Sub-processor notifications and we will add your security contact to the alert roster.
Start free trial →