Subprocessors | CharmIQ

Overview

CharmIQ, Inc. ("CharmIQ") uses certain third-party subprocessors to assist in providing its services. A subprocessor is a third-party data processor engaged by CharmIQ who has or potentially will have access to or process customer data. This page provides a list of the names, purposes, and locations of each subprocessor.

CharmIQ conducts due diligence on each subprocessor's security and data handling practices and enters into data processing agreements to ensure appropriate protections for customer data.

To be notified of updates to this list, please contact privacy@charmiq.ai.

Core Infrastructure

Subprocessor	Purpose	Data Processed	Entity Country	Processing Location
Google Cloud Platform (Firebase)	Backend infrastructure, hosting, Cloud Functions	All platform data	United States	United States
Google Cloud Firestore	Primary document database	User data, documents, configurations	United States	United States
Google Cloud Storage	File and asset storage, exports	Uploaded files, exports, generated media	United States	United States
Firebase Authentication	User authentication (email/password, federated)	Credentials, auth tokens, user profiles	United States	United States
Firebase Realtime Database	Real-time data sync	Collaboration state	United States	United States
Google Cloud Secret Manager	Credential storage	API keys, OAuth secrets	United States	United States
Google Cloud Logging	Structured logging	Application logs, audit trails	United States	United States
Google Cloud Tasks	Background job scheduling	Task payloads	United States	United States
Google BigQuery	Data warehousing, analytics	Firestore exports, usage data	United States	United States

AI / LLM Providers

Subprocessor	Purpose	Data Processed	Entity Country	Processing Location
OpenAI	LLM completions, embeddings, image generation (DALL·E), vector storage	User prompts, documents, embeddings, generated content	United States	United States
Anthropic	LLM completions (Claude), MCP support	User prompts, documents, generated content	United States	United States
Google Generative AI (Gemini)	LLM completions, image/music/video generation	User prompts, media inputs, generated content	United States	United States
Suno AI	Music generation	Prompts, generated audio	United States	United States
Runway	Video generation	Prompts, generated video	United States	United States

Payment & Billing

Subprocessor	Purpose	Data Processed	Entity Country	Processing Location
Stripe	Payment processing, subscriptions, usage metering	Payment methods, customer billing data, usage records	United States	United States

Email & Communications

Subprocessor	Purpose	Data Processed	Entity Country	Processing Location
SendGrid	Transactional email delivery	Email addresses, email content, notification data	United States	United States
Twilio	SMS and communication services	Phone numbers, SMS messages	United States	United States
Mailchimp	Email marketing, contact management	Email lists, contacts, subscriber data	United States	United States

Document & File Processing

Subprocessor	Purpose	Data Processed	Entity Country	Processing Location
ConvertAPI	Document format conversion (PDF, Office)	Uploaded documents, converted files	Lithuania	United States
Mathpix	Math equation and formula recognition	Document content with formulas	United States	United States

Analytics & Tracking

Subprocessor	Purpose	Data Processed	Entity Country	Processing Location
Google Analytics	Web analytics, user behavior tracking	Page views, user interactions, device/browser data, IP addresses	United States	United States
Trackdesk	Affiliate tracking, revenue attribution	Affiliate data, conversion tracking	Cyprus	United States

Network Services

Subprocessor	Purpose	Data Processed	Entity Country	Processing Location
corsproxy.io	CORS proxy for cross-origin resource fetching	Image URLs, iframe content	Germany	United States

Security Notes

Firebase / Google Cloud Encryption

Encryption at rest: All Firebase services (Firestore, Realtime Database, Cloud Storage, Authentication, Cloud Functions, etc.) automatically encrypt data at rest. Firestore uses Google-managed encryption keys with AES-256 by default; no configuration required. CMEK (customer-managed encryption keys) is also supported for Firestore.
Encryption in transit: All Firebase services encrypt data in transit using HTTPS/TLS.
Certifications: All Firebase services have completed ISO 27001, SOC 1, SOC 2, and SOC 3 evaluations. Some have also completed ISO 27017 and ISO 27018 certification.
Access controls: Google restricts employee access to systems containing personal data to those with a business need, with mandatory Google Sign-In and 2FA.

Additional Safeguards

Payment data: PCI compliance handled by Stripe — no direct card storage.
OAuth tokens: Encrypted at rest (AES-256-GCM, per-user derived keys).
API keys: Stored in Google Secret Manager.
MCP servers: Organizations can configure their own MCP servers, which may route data to additional third-party services outside this list.

Changes to This List

CharmIQ may update this list from time to time as we add or remove subprocessors. We will update the "Last Updated" date at the top of this page when changes are made. If you would like to be notified of changes to this subprocessor list, please email privacy@charmiq.ai with the subject line "Subprocessor Updates" to subscribe to notifications.

If you have any questions about our subprocessors, please contact us at privacy@charmiq.ai.