Document ID: LCR-POL-SUB-v1.2 - Effective Date: 29 June 2026
This page lists categories of subprocessors Havio may use to provide its website, sales, support, hosting, telephony, AI receptionist, transcription, routing, integration, analytics, and security services.
The exact providers used for a customer deployment can depend on region, plan, integrations, and signed agreement.
Core Service Categories
| Category | Purpose | Data potentially processed |
|---|---|---|
| Hosting and infrastructure | Website, application hosting, storage, deployment, logs | Account data, usage metadata, support data, service logs |
| Telephony and messaging | Phone numbers, call routing, transfers, SMS or notification delivery | Caller phone numbers, call metadata, call audio where configured |
| AI model and transcription providers | Speech-to-text, response generation, summaries, classification | Call audio, transcripts, approved knowledge, call context |
| Email and support tools | Demo requests, support requests, customer notices | Contact details, support messages, account context |
| Analytics and monitoring | Website analytics, error reporting, reliability monitoring | Device/browser metadata, usage events, error logs |
| Integration providers | Calendar, CRM, ticketing, messaging, spreadsheets, webhooks | Call summaries, booking fields, caller details, workflow payloads |
Current Common Providers
For standard public website, demo, support, and hosted AI receptionist workflows, Havio expects the current common provider set to include Vercel, Supabase, Resend, PostHog, Sentry, Google services, Microsoft services, telephony/routing carriers, AI model or speech providers, and customer-selected integration platforms such as CRM, calendar, ticketing, chat, spreadsheet, automation, or webhook destinations.
Replacement providers may be used when the service evolves, a customer requires a different deployment model, or a connected customer system determines the processing path. Replacement or additional providers should be documented during onboarding or in the signed customer agreement when they materially affect the customer workflow.
Named Provider Review Table
The table below gives a public vendor-review starting point for standard Havio website and AI receptionist workflows. Customer-specific agreements, regions, and integrations can change the final list.
| Current named provider or provider category | Purpose | Data categories | Required or optional | Region / transfer note | Contract and buyer check |
|---|---|---|---|---|---|
| Vercel | Public site, application hosting, edge delivery, deployment logs | Website data, app logs, error metadata | Required for hosted public/app surfaces | Provider regions depend on deployment and edge routing | Confirm hosting restrictions, log retention, and DPA/SCC needs |
| Supabase | Application database, authentication, storage, service logs | Account data, configuration, workflow metadata, user access data | Required where Havio workspace storage is used | Project region depends on configured workspace | Confirm database region, backup expectations, access controls, and DPA path |
| Resend | Transactional email, demo replies, support notifications | Contact data, email content, message metadata | Required for email workflows | Email routing may cross provider regions | Confirm email recipients and avoid sending secrets or sensitive caller data |
| PostHog | Product/site analytics and conversion measurement | Device/browser data, usage events, page events | Optional or configurable depending on workspace and cookie settings | Provider region depends on analytics setup | Confirm cookie consent, event scope, and exclusion of caller-sensitive content |
| Sentry | Error reporting, application diagnostics, reliability review | Error logs, stack traces, request metadata | Required for reliability monitoring where enabled | Provider region depends on monitoring setup | Confirm scrubbing rules and avoid sending secrets or caller-sensitive payloads |
| Telephony carriers and routing providers | Phone numbers, call routing, transfers, caller ID, optional recording path | Caller number, call metadata, routing events, audio where enabled | Required for voice workflows | Routing can depend on caller, number, carrier, and destination | Confirm number ownership, porting, caller ID behavior, recording, and pass-through costs |
| AI model, speech, and transcription providers | Speech recognition, response generation, classification, summaries | Audio where enabled, transcripts, approved knowledge, call context | Required for AI receptionist workflows | Processing region depends on selected provider/model | Confirm whether audio, transcripts, or summaries leave the selected region or provider stack |
| Google / Microsoft services | Calendar, email, workspace, identity, or customer-selected integrations | Calendar availability, booking details, contact data, email metadata | Optional / customer-selected | Controlled by customer tenant and provider settings | Customer should confirm tenant settings, permissions, retention, and admin ownership |
| CRM, ticketing, chat, spreadsheet, and webhook destinations | HubSpot, Salesforce, Zendesk, Slack, Teams, sheets, automation, custom APIs | Call summaries, extracted fields, caller details, tasks, tickets, alerts | Optional / customer-selected | Controlled primarily by customer provider account | Confirm field mapping, permissions, downstream retention, export, and deletion process |
Provider Detail Buyers Should Review
| Provider or category | Typical role | Typical data location notes | Buyer check before launch |
|---|---|---|---|
| Vercel or equivalent hosting | Website and application delivery | Region depends on deployment and provider configuration | Confirm whether the buyer has region, logging, or procurement restrictions |
| Supabase or equivalent database/auth/storage | Application data, authentication, storage, logs | Project region depends on configured workspace and provider availability | Confirm where workspace data, logs, and backups are expected to live |
| Telephony carriers and routing providers | Phone numbers, call routing, transfer, call metadata, optional audio | Call routing may cross carrier regions depending on caller, number, and provider | Confirm number ownership, porting, caller ID, recording, and pass-through cost treatment |
| AI model and speech providers | Speech recognition, response generation, summaries, classification | Processing location depends on selected provider and model configuration | Confirm whether the workflow may process audio, transcripts, approved knowledge, or summaries |
| Email and notification providers | Demo replies, support messages, system notices, transactional email | Provider region and routing vary by service | Confirm what notices are sent and which contacts receive support or security messages |
| Analytics and monitoring providers | Website analytics, error reporting, operational monitoring | Logs and events may be processed in provider regions | Confirm whether analytics are needed for the workspace and whether sensitive caller data is excluded |
| Customer-selected integrations | CRM, calendar, ticketing, chat, spreadsheet, automation, webhook destinations | Controlled primarily by the customer's provider account and settings | Confirm field mapping, permissions, retention, and downstream deletion/export requirements |
Do not configure Havio to send caller secrets, passwords, payment card numbers, medical diagnosis details, legal advice requests, or other unnecessary sensitive data into connected systems unless the customer has approved the workflow, legal basis, access model, and retention rules.
Customer-Specific Constraints
Before a workflow goes live, buyers should tell Havio if they require:
- a specific hosting or storage region;
- a provider exclusion or procurement approval;
- a no-recording or short-retention setup;
- a restriction on which CRM, calendar, ticketing, or chat fields can receive caller data;
- a requirement that certain caller data never be sent to AI, analytics, or notification tools;
- a signed DPA, security questionnaire, or subprocessor notice process.
Customer-Selected Integrations
When a customer connects tools such as HubSpot, Salesforce, Google Calendar, Zendesk, Slack, Microsoft Teams, Zapier, webhooks, spreadsheets, or phone systems, those tools process data under the customer's relationship with that provider.
Customers should review their own vendor agreements and privacy settings before connecting tools to Havio.
Changes
Havio may add, replace, or remove subprocessors as the service evolves. Material subprocessor change notice and objection processes are governed by the signed customer agreement.
Questions
Questions about subprocessors, data residency, or customer-specific vendor constraints can be sent to support or raised during onboarding before a workflow goes live.
Policy Changelog
| Version | Date | Summary |
|---|---|---|
| v1.2 | 2026-06-30 | Separated current named providers from replaceable provider categories |
| v1.1 | 2026-06-30 | Added named provider review table for vendor assessment |
| v1.0 | 2026-06-29 | Initial public subprocessor page |