# Sub-processors

> Third-party services that process data on behalf of Bower.

Bower uses the following third-party services ("sub-processors") to operate the platform. Each processes data on our behalf under a Data Processing Agreement (DPA).

We will update this page whenever we add or remove a sub-processor.

## How our DPAs work

For most providers, the DPA is **incorporated by reference** into the vendor's commercial terms — when we accept those terms to use the service, the DPA's data-protection obligations (including GDPR Standard Contractual Clauses for international transfers, UK/Swiss equivalents, and CCPA/CPRA) apply automatically, with no separate signature required. Where a provider offers a separately executed DPA, we link it next to the service below.

Separately, **HIPAA** protections require a signed Business Associate Agreement (BAA). Only providers with a signed BAA (currently Google Cloud) may process data for **HIPAA-enabled (PHI) workspaces** — every other provider is blocked server-side for those workspaces. See [HIPAA compliance](/trust-centre/hipaa-compliance) for what that allows and blocks.

## Infrastructure & hosting

| Service                                                                      | Purpose                                                      | Data processed                         | Location         |
| ---------------------------------------------------------------------------- | ------------------------------------------------------------ | -------------------------------------- | ---------------- |
| [Google Cloud Platform](https://cloud.google.com/terms/cloud-privacy-notice) | Infrastructure, database, file storage, async job processing | All user data, files, database records | US (us-central1) |
| [Firebase Authentication](https://firebase.google.com/support/privacy)       | User authentication (email/password, Google OAuth)           | Email addresses, authentication tokens | US               |
| [Cloudflare Turnstile](https://www.cloudflare.com/privacypolicy/)            | Bot protection during sign-up                                | IP addresses, browser fingerprint data | Global (edge)    |

## AI processing

When you use AI features (Bird chat, voice transcription, photo text extraction, document processing), your content is sent to one of these providers for inference. **Your data is not used to train AI models.**

| Service                                                                                                             | Purpose                                                                                                                             | Data processed                      | Location |
| ------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -------- |
| [Google AI (Gemini, Vertex AI)](https://cloud.google.com/terms/cloud-privacy-notice)                                | AI chat (Bird), live voice/video mode, OCR/image text extraction, text embeddings, semantic memory                                  | Text, images, audio, video streams  | US       |
| [Google Cloud Speech-to-Text](https://cloud.google.com/terms/cloud-privacy-notice)                                  | Voice note transcription (primary)                                                                                                  | Audio recordings                    | US       |
| [OpenAI](https://openai.com/policies/privacy-policy) ([DPA](https://openai.com/policies/data-processing-addendum/)) | Voice note transcription **fallback** — used only if Google Speech-to-Text is temporarily unavailable. Not used in Restricted mode. | Audio recordings, voice transcripts | US       |

Voice transcription uses **Google Cloud Speech-to-Text** by default. If it's temporarily unavailable, workspaces not in [Restricted mode](/trust-centre/hipaa-compliance) fall back to **OpenAI** so transcription keeps working. **Restricted-mode workspaces never use the OpenAI fallback** — they stay on Google only, enforced server-side. OpenAI does not train on data submitted via its API; its [Data Processing Addendum](https://openai.com/policies/data-processing-addendum/) is incorporated by reference into the OpenAI Services Agreement (effective 1 January 2026) — no separate signature required, acceptance is deemed by use of the API.

## Integrations & identity

When you connect external services to Bower — either letting Bird search your other tools, or letting an external AI client read your Bower workspace — these providers process the OAuth tokens that broker that access. Bower never stores the underlying access tokens itself.

| Service                                                                                         | Purpose                                                                                                                                                                       | Data processed                                                                                      | Location |
| ----------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | -------- |
| [WorkOS](https://workos.com/privacy) ([DPA](https://workos.com/legal/data-processing-addendum)) | OAuth Authorization Server for the MCP public server. Issues and rotates tokens when external AI clients (Claude.ai, ChatGPT, Cursor, Zed) connect to your workspace.         | Email, display name, internal user ID, workspace ID, workspace role; OAuth client registrations     | US       |
| [Composio](https://composio.dev/privacy)                                                        | Managed OAuth gateway for outbound [Connectors](/integrations/connectors). Holds your OAuth tokens for Drive, Notion, Slack, GitHub and other tools so Bower never sees them. | OAuth tokens for connected providers; tool-invocation requests and responses during federated reads | US       |

Connectors and external AI access are **not yet available in [Restricted-mode](/trust-centre/hipaa-compliance) workspaces** — neither provider's BAA is signed yet. Both surfaces are blocked server-side for Restricted-mode workspaces until that's in place.

## Payment processing

| Service                                                                                                  | Purpose                                                                    | Data processed                                                                                     | Location                                   |
| -------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- | ------------------------------------------ |
| [Stripe Payments Australia Pty Ltd](https://stripe.com/privacy) ([DPA](https://stripe.com/au/legal/dpa)) | Subscription billing, payment processing, customer portal, tax calculation | Billing email, payment method tokens, transaction amounts, tax jurisdiction, subscription metadata | US (processed globally per the Stripe DPA) |

Bower uses Stripe for all payment processing. Card numbers, CVCs, and full payment details are handled entirely by Stripe's hosted Checkout and Customer Portal surfaces — they never touch Bower servers. Bower's systems only see opaque Stripe IDs (`cus_…`, `sub_…`) and transaction amounts. Stripe is PCI-DSS Level 1 certified; Bower's integration is PCI SAQ-A (the lowest-scope form).

The [Stripe Data Processing Agreement](https://stripe.com/au/legal/dpa) applies automatically to our use of the service under Australian, EU (GDPR), and UK (UK-GDPR) data-protection law — no manual signature required; acceptance is deemed by use of the Stripe platform.

## Analytics & observability

| Service                                  | Purpose                                                                             | Data processed                                               | Location |
| ---------------------------------------- | ----------------------------------------------------------------------------------- | ------------------------------------------------------------ | -------- |
| [PostHog](https://posthog.com/privacy)   | Product analytics, feature flags (requires [cookie consent](/trust-centre/cookies)) | Usage events, feature flag evaluations — no research content | US/EU    |
| [Langfuse](https://langfuse.com/privacy) | AI response quality monitoring                                                      | LLM request/response traces, token counts                    | EU/US    |

## Data residency

All primary data (database, files, backups) is stored in Google Cloud's **us-central1** region (Iowa, USA). AI processing may occur in the provider's default region as listed above.

## Changes to this list

We review our sub-processor list quarterly. If we add a new sub-processor that processes personal data, we will update this page. Material changes will be communicated via email to workspace owners.

**Last reviewed:** 19 June 2026

## Questions

Contact our Data Protection Officer at [privacy@bowerlabs.ai](mailto:privacy@bowerlabs.ai).
