How our DPAs work
For most providers, the DPA is incorporated by reference into the vendor’s commercial terms — when we accept those terms to use the service, the DPA’s data-protection obligations (including GDPR Standard Contractual Clauses for international transfers, UK/Swiss equivalents, and CCPA/CPRA) apply automatically, with no separate signature required. Where a provider offers a separately executed DPA, we link it next to the service below. Separately, HIPAA protections require a signed Business Associate Agreement (BAA). Only providers with a signed BAA (currently Google Cloud) may process data for HIPAA-enabled (PHI) workspaces — every other provider is blocked server-side for those workspaces. See HIPAA compliance for what that allows and blocks.

Infrastructure & hosting
| Service | Purpose | Data processed | Location |
|---|---|---|---|
| Google Cloud Platform | Infrastructure, database, file storage, async job processing | All user data, files, database records | US (us-central1) |
| Firebase Authentication | User authentication (email/password, Google OAuth) | Email addresses, authentication tokens | US |
| Cloudflare Turnstile | Bot protection during sign-up | IP addresses, browser fingerprint data | Global (edge) |
AI processing
When you use AI features (Bird chat, voice transcription, photo text extraction, document processing), your content is sent to one of these providers for inference. Your data is not used to train AI models.

| Service | Purpose | Data processed | Location |
|---|---|---|---|
| Google AI (Gemini, Vertex AI) | AI chat (Bird), live voice/video mode, OCR/image text extraction, text embeddings, semantic memory | Text, images, audio, video streams | US |
| Google Cloud Speech-to-Text | Voice note transcription (primary) | Audio recordings | US |
| OpenAI (DPA) | Voice note transcription fallback — used only if Google Speech-to-Text is temporarily unavailable. Not used in Restricted mode. | Audio recordings, voice transcripts | US |
Integrations & identity
When you connect external services to Bower — either letting Bird search your other tools, or letting an external AI client read your Bower workspace — these providers process the OAuth tokens that broker that access. Bower never stores the underlying access tokens itself.

| Service | Purpose | Data processed | Location |
|---|---|---|---|
| WorkOS (DPA) | OAuth Authorization Server for the MCP public server. Issues + rotates tokens when external AI clients (Claude.ai, ChatGPT, Cursor, Zed) connect to your workspace. | Email, display name, internal user ID, workspace ID, workspace role; OAuth client registrations | US |
| Composio | Managed OAuth gateway for outbound Connectors. Holds your OAuth tokens for Drive, Notion, Slack, GitHub and other tools so Bower never sees them. | OAuth tokens for connected providers; tool-invocation requests and responses during federated reads | US |
Payment processing
| Service | Purpose | Data processed | Location |
|---|---|---|---|
| Stripe Payments Australia Pty Ltd (DPA) | Subscription billing, payment processing, customer portal, tax calculation | Billing email, payment method tokens, transaction amounts, tax jurisdiction, subscription metadata | US (processed globally per the Stripe DPA) |
cus_…, sub_…) and transaction amounts. Stripe is PCI-DSS Level 1 certified; Bower’s integration is PCI SAQ-A (the lowest-scope form).
The Stripe Data Processing Agreement applies automatically to our use of the service under Australian, EU (GDPR), and UK (UK-GDPR) data-protection law — no manual signature required; acceptance is deemed by use of the Stripe platform.
Analytics & observability
| Service | Purpose | Data processed | Location |
|---|---|---|---|
| PostHog | Product analytics, feature flags (requires cookie consent) | Usage events, feature flag evaluations — no research content | US/EU |
| Langfuse | AI response quality monitoring | LLM request/response traces, token counts | EU/US |