Data Processing Agreement & Subprocessors
Last updated: March 4, 2026
1. Introduction
When FrontlineHQ ("we," "our," or "us") processes personal data on behalf of Business Users (our customers), we act as a Data Processor under the General Data Protection Regulation (GDPR) and a Service Provider under the California Consumer Privacy Act (CCPA). This page describes our Data Processing Agreement (DPA) framework and lists all subprocessors that may handle personal data as part of delivering our services.
2. Data Processing Agreement Overview
Our DPA governs how we process personal data on behalf of our Business Users. It covers the following areas:
- Subject matter and duration of processing: The DPA applies for the duration of the service agreement between FrontlineHQ and the Business User.
- Nature and purpose of processing: We process personal data solely to provide and improve the AI automation services requested by the Business User.
- Categories of data subjects and personal data: Data subjects include end users (customers of the Business User) and the Business Users themselves. Personal data may include names, email addresses, phone numbers, chat messages, call transcripts, and lead information.
- Rights and obligations of the controller: The Business User, as the data controller, determines the purposes and means of processing and is responsible for ensuring a lawful basis for processing.
- Instructions for data processing: We process personal data only in accordance with the Business User's documented instructions, unless required by law to do otherwise.
- Confidentiality obligations: All personnel authorized to process personal data are bound by confidentiality agreements.
- Sub-processor engagement and oversight: We maintain an up-to-date list of subprocessors and ensure each is bound by data protection obligations no less protective than those in our DPA.
- Data subject rights assistance: We assist Business Users in responding to data subject access, rectification, erasure, and portability requests.
- Data deletion or return upon termination: Upon termination of the service agreement, we will delete or return all personal data within 90 days, unless retention is required by law.
- Audit rights: Business Users have the right to audit our data processing practices, subject to reasonable notice and confidentiality obligations.
- Data breach notification procedures: We will notify the Business User of any personal data breach without undue delay and no later than 72 hours after becoming aware of the breach.
3. Requesting a DPA
Business Users on paid plans can request a signed copy of our Data Processing Agreement by emailing legal@frontlinehq.ai or info@frontlinehq.ai. Please include your business name and the email address associated with your FrontlineHQ account. We will provide a countersigned DPA within five business days.
4. Subprocessors
The following subprocessors are engaged by FrontlineHQ to assist in delivering our services. Each subprocessor is contractually bound to protect personal data and process it only as instructed.
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase Inc. | Database hosting and authentication | User accounts, business profiles, conversations, leads, voice call records | United States |
| Anthropic | AI language model for chatbot responses | Chat messages, conversation history, system prompts | United States |
| Google (Gemini AI) | AI language model (fallback) | Chat messages, conversation history, system prompts | United States |
| Retell AI | Voice agent platform | Call recordings, transcripts, voice agent configuration | United States |
| Stripe Inc. | Payment processing | Customer name, email, billing information, subscription details | United States |
| Resend Inc. | Transactional email delivery | Business owner emails, lead emails, notification content | United States |
| Twilio Inc. | SMS notifications | Phone numbers, SMS message content | United States |
| Vercel Inc. | Application hosting and edge network | Server logs, request metadata | United States (Global Edge) |
| Sentry (Functional Software Inc.) | Error monitoring and diagnostics | Error context, stack traces (may include user identifiers) | United States |
5. Notification of Changes
We will notify Business Users at least 30 days before adding or replacing a subprocessor. Notifications are sent to the email address associated with your FrontlineHQ account. You may object to a new subprocessor by contacting us within the 30-day notice period. If we are unable to address your objection, you may terminate the affected services in accordance with your service agreement.
6. Data Transfer Mechanisms
For data transfers outside the European Economic Area (EEA) and the United Kingdom, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. All subprocessors listed above maintain appropriate technical and organizational safeguards to protect personal data in accordance with GDPR requirements. Where applicable, we also conduct transfer impact assessments to ensure an adequate level of data protection in the recipient country.
7. Contact
If you have questions about our Data Processing Agreement, our subprocessor list, or how we handle personal data, please contact us:
For more details about how we handle personal data, see our Privacy Policy and GDPR Compliance pages.