Bower uses the following third-party services (“sub-processors”) to operate the platform. Each processes data on our behalf under a Data Processing Agreement (DPA). We will update this page whenever we add or remove a sub-processor.

How our DPAs work

For most providers, the DPA is incorporated by reference into the vendor’s commercial terms — when we accept those terms to use the service, the DPA’s data-protection obligations (including GDPR Standard Contractual Clauses for international transfers, UK/Swiss equivalents, and CCPA/CPRA) apply automatically, with no separate signature required. Where a provider offers a separately executed DPA, we link it next to the service below. Separately, HIPAA protections require a signed Business Associate Agreement (BAA). Only providers with a signed BAA (currently Google Cloud) may process data for HIPAA-enabled (PHI) workspaces — every other provider is blocked server-side for those workspaces. See HIPAA compliance for what that allows and blocks.

Infrastructure & hosting

| Service | Purpose | Data processed | Location |
| --- | --- | --- | --- |
| Google Cloud Platform | Infrastructure, database, file storage, async job processing | All user data, files, database records | US (us-central1) |
| Firebase Authentication | User authentication (email/password, Google OAuth) | Email addresses, authentication tokens | US |
| Cloudflare Turnstile | Bot protection during sign-up | IP addresses, browser fingerprint data | Global (edge) |

AI processing

When you use AI features (Bird chat, voice transcription, photo text extraction, document processing), your content is sent to one of these providers for inference. Your data is not used to train AI models.

| Service | Purpose | Data processed | Location |
| --- | --- | --- | --- |
| Google AI (Gemini, Vertex AI) | AI chat (Bird), live voice/video mode, OCR/image text extraction, text embeddings, semantic memory | Text, images, audio, video streams | US |
| Google Cloud Speech-to-Text | Voice note transcription (primary) | Audio recordings | US |
| OpenAI (DPA) | Voice note transcription fallback — used only if Google Speech-to-Text is temporarily unavailable. Not used in Restricted mode. | Audio recordings, voice transcripts | US |

Voice transcription uses Google Cloud Speech-to-Text by default. If it’s temporarily unavailable, workspaces not in Restricted mode fall back to OpenAI so transcription keeps working. Restricted-mode workspaces never use the OpenAI fallback — they stay on Google only, enforced server-side. OpenAI does not train on data submitted via its API; its Data Processing Addendum is incorporated by reference into the OpenAI Services Agreement (effective 1 January 2026) — no separate signature required, acceptance is deemed by use of the API.

Integrations & identity

When you connect external services to Bower — either letting Bird search your other tools, or letting an external AI client read your Bower workspace — these providers process the OAuth tokens that broker that access. Bower never stores the underlying access tokens itself.

| Service | Purpose | Data processed | Location |
| --- | --- | --- | --- |
| WorkOS (DPA) | OAuth Authorization Server for the MCP public server. Issues + rotates tokens when external AI clients (Claude.ai, ChatGPT, Cursor, Zed) connect to your workspace. | Email, display name, internal user ID, workspace ID, workspace role; OAuth client registrations | US |
| Composio | Managed OAuth gateway for outbound Connectors. Holds your OAuth tokens for Drive, Notion, Slack, GitHub and other tools so Bower never sees them. | OAuth tokens for connected providers; tool-invocation requests and responses during federated reads | US |

Connectors and external AI access are not yet available in Restricted-mode workspaces — neither provider’s BAA is signed yet. Both surfaces are blocked server-side for Restricted-mode workspaces until that’s in place.

Payment processing

| Service | Purpose | Data processed | Location |
| --- | --- | --- | --- |
| Stripe Payments Australia Pty Ltd (DPA) | Subscription billing, payment processing, customer portal, tax calculation | Billing email, payment method tokens, transaction amounts, tax jurisdiction, subscription metadata | US (processed globally per the Stripe DPA) |

Bower uses Stripe for all payment processing. Card numbers, CVCs, and full payment details are handled entirely by Stripe’s hosted Checkout and Customer Portal surfaces — they never touch Bower servers. Bower’s systems only see opaque Stripe IDs (cus_…, sub_…) and transaction amounts. Stripe is PCI-DSS Level 1 certified; Bower’s integration is PCI SAQ-A (the lowest-scope form). The Stripe Data Processing Agreement applies automatically to our use of the service under Australian, EU (GDPR), and UK (UK-GDPR) data-protection law — no manual signature required; acceptance is deemed by use of the Stripe platform.

Analytics & observability

| Service | Purpose | Data processed | Location |
| --- | --- | --- | --- |
| PostHog | Product analytics, feature flags (requires cookie consent) | Usage events, feature flag evaluations — no research content | US/EU |
| Langfuse | AI response quality monitoring | LLM request/response traces, token counts | EU/US |

Data residency

All primary data (database, files, backups) is stored in Google Cloud’s us-central1 region (Iowa, USA). AI processing may occur in the provider’s default region as listed above.

Changes to this list

We review our sub-processor list quarterly. If we add a new sub-processor that processes personal data, we will update this page. Material changes will be communicated via email to workspace owners.

Last reviewed: 19 June 2026

Questions

Contact our Data Protection Officer at privacy@bowerlabs.ai.