Torru Subprocessors
Last updated: October 20, 2025
We use third-party subprocessors to help us provide our services. This page lists all subprocessors we currently use, what they do, and where they're located.
In accordance with UK GDPR and data protection requirements, we ensure all subprocessors:
- Have appropriate data protection agreements in place
- Maintain adequate security measures
- Process data only as instructed
- Are located in jurisdictions with adequate data protection (UK, EU, or with appropriate safeguards for international transfers)
Infrastructure & Hosting
Hetzner Online GmbH
Purpose: Cloud infrastructure and server hosting Data location: Germany (EU) Data processed: All customer data and service infrastructure Website: hetzner.com Privacy policy: hetzner.com/legal/privacy-policy
AI & Voice Processing
ElevenLabs
Purpose: Voice AI generation and text-to-speech services Data location: United States Data processed: Voice content, audio recordings, text for voice synthesis Transfer mechanism: Standard Contractual Clauses (SCCs) Website: elevenlabs.io Privacy policy: elevenlabs.io/privacy
OpenAI, L.L.C.
Purpose: AI processing, transcription, and natural language understanding Data location: United States Data processed: Voice transcripts, conversation data, API requests Transfer mechanism: Standard Contractual Clauses (SCCs) Website: openai.com Privacy policy: openai.com/privacy
Anthropic PBC
Purpose: AI processing and natural language understanding Data location: United States Data processed: Conversation data, API requests, transcripts Transfer mechanism: Standard Contractual Clauses (SCCs) Website: anthropic.com Privacy policy: anthropic.com/privacy
Cartesia AI
Purpose: AI voice processing and real-time audio generation Data location: United States Data processed: Voice content, audio data, API requests Transfer mechanism: Standard Contractual Clauses (SCCs) Website: cartesia.ai Privacy policy: cartesia.ai/privacy
Google LLC (Gemini API)
Purpose: AI processing and natural language understanding Data location: United States (with EU data centers available) Data processed: API requests, conversation data Transfer mechanism: Standard Contractual Clauses (SCCs) Website: google.com Privacy policy: policies.google.com/privacy
Retell AI Inc.
Purpose: Voice AI agent platform and conversation orchestration Data location: United States (California) Data processed: Voice calls, audio recordings, call transcripts, call metadata, interaction logs Transfer mechanism: Standard Contractual Clauses (SCCs) Website: retellai.com Privacy policy: retellai.com/legal/privacy-policy
Telephony & Communications
Telnyx LLC
Purpose: SIP telephony provider, phone number provisioning, and call routing Data location: United States (with EU infrastructure in Paris for GDPR compliance) Data processed: Call data, phone numbers, call routing information, call metadata Transfer mechanism: Standard Contractual Clauses (SCCs), with EU data processing options Website: telnyx.com Privacy policy: telnyx.com/privacy-policy
Brevo (formerly Sendinblue)
Purpose: Transactional email delivery and communications Data location: European Union (France) Data processed: Email addresses, transactional email content, delivery data Website: brevo.com Privacy policy: brevo.com/legal/privacypolicy
Payment Processing
Access Suite Limited
Purpose: Payment processing and billing Data location: United Kingdom Data processed: Payment information, billing details, transaction data Website: accesssuite.co.uk Privacy policy: Contact for details
Communications
Brevo (formerly Sendinblue)
Purpose: Transactional email delivery and communications Data location: European Union (France) Data processed: Email addresses, transactional email content, delivery data Website: brevo.com Privacy policy: brevo.com/legal/privacypolicy
Domain & Security
Cloudflare, Inc.
Purpose: Domain routing, CDN, and security services Data location: Global network with EU data processing compliance Data processed: DNS queries, website traffic data, IP addresses, security logs Transfer mechanism: Standard Contractual Clauses (SCCs), EU Data Processing Addendum Website: cloudflare.com Privacy policy: cloudflare.com/privacypolicy
International Data Transfers
Where we use subprocessors located outside the UK and EU (such as US-based AI providers), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use the UK and EU-approved Standard Contractual Clauses for transfers to third countries
- Data Processing Agreements: All subprocessors sign comprehensive data processing agreements
- Security measures: Additional technical and organizational measures to protect data during transfer and processing
- Limited processing: US-based AI services process only the data necessary for providing voice AI functionality
Updates to This List
We may update our subprocessors from time to time. When we add a new subprocessor who will process customer data, we will:
- Update this page with the new subprocessor details
- Notify customers via email at least 30 days before the new subprocessor processes any data
- Provide customers the opportunity to object to the use of the new subprocessor
If you object to a new subprocessor, please contact us at [email protected] within 30 days of notification. We will work with you to find a solution, which may include:
- Not using the new subprocessor for your account
- Helping you transition to an alternative service
- Terminating the agreement if no alternative is available
Questions?
If you have questions about our subprocessors or data processing practices, please contact us at [email protected].
Audit Rights
Under our Data Processing Agreement, customers have the right to audit our subprocessor compliance. For audit requests or to receive copies of our Data Processing Agreements with subprocessors, please contact [email protected].