Sub-processors

Last updated: 20 May 2026 Version: 1.0 Permanent link to this version: bespokely.io/legal/sub-processors/v1.0

This page lists the third-party services we engage as sub-processors to deliver the products operated by Bespokely Inc. ("Bespokely") — websites, client portals, AI assistants, and the Bespokely AI hospitality platform.

How this page is organised

We separate sub-processors by the product context in which they are used. A customer of one product does not "inherit" sub-processors used in another product or on our marketing website.

§1 Bespokely Website
§2 Bespokely Client Portal
§3 Bespokely AI Assistant
§4 Bespokely AI (Hospitality)
§5 Marketing website (bespokely.io)
§6 Notification of changes and right to object
§7 How to read the transfer-mechanism column
§8 Version history

§1 Bespokely Website

Sub-processors engaged when we host a customer's website on the Bespokely Website product.

Entity	Role	Headquarters	Data processing location	Transfer mechanism	Documents
Vercel Inc.	Hosting, deployment, CDN	USA	Frankfurt, Germany (eu-central-1)	DPF + SCCs (Module 2)	Privacy · DPA
Supabase Inc.	Database, authentication, storage	USA	Frankfurt, Germany (AWS eu-central-1)	SCCs (Module 2) + TIA	Privacy · DPA
Resend Inc.	Transactional email	USA	USA	DPF + SCCs (Module 2)	Privacy · DPA
Functional Software, Inc. (Sentry)	Application error tracking	USA	EU region available; USA otherwise	DPF + SCCs (Module 2)	Privacy · DPA

Analytics for Bespokely Website tenant sites is native to Bespokely — no third-party analytics processor is involved. Image and asset CDN is delivered by Vercel as part of hosting.

§2 Bespokely Client Portal

Sub-processors engaged when we operate a customer's branded client portal (document exchange, e-signatures, secure messaging, audit logs).

Entity	Role	Headquarters	Data processing location	Transfer mechanism	Documents
Vercel Inc.	Hosting, deployment, CDN	USA	Frankfurt, Germany	DPF + SCCs (Module 2)	Privacy · DPA
Supabase Inc.	Database, authentication, document storage	USA	Frankfurt, Germany	SCCs (Module 2) + TIA	Privacy · DPA
Resend Inc.	Transactional email (notifications)	USA	USA	DPF + SCCs (Module 2)	Privacy · DPA
Functional Software, Inc. (Sentry)	Application error tracking	USA	EU region available; USA otherwise	DPF + SCCs (Module 2)	Privacy · DPA

E-signatures are native to the portal — no external e-signature service (DocuSign, Dropbox Sign, Adobe Sign, etc.) is involved.

§3 Bespokely AI Assistant

Sub-processors engaged when we operate a customer's AI assistant across WhatsApp, voice, web chat, and email.

Entity	Role	Headquarters	Data processing location	Transfer mechanism	Documents
Vercel Inc.	Hosting, deployment	USA	Frankfurt, Germany	DPF + SCCs (Module 2)	Privacy · DPA
Supabase Inc.	Database, authentication, conversation history	USA	Frankfurt, Germany	SCCs (Module 2) + TIA	Privacy · DPA
OpenAI, L.L.C.	LLM inference	USA	USA	DPF + SCCs (Module 2)	Privacy · DPA
Anthropic, PBC	LLM inference	USA	USA	SCCs (Module 2) + TIA	Privacy · DPA
Meta Platforms Ireland Ltd.	WhatsApp Business API	Ireland (EU)	EU + USA (per Meta routing)	DPF (for US transfers) + SCCs	Privacy · DPA
Twilio Inc.	Voice and SMS	USA	EU region available; USA otherwise	DPF + SCCs (Module 2)	Privacy · DPA
Resend Inc.	Transactional email (notifications)	USA	USA	DPF + SCCs (Module 2)	Privacy · DPA
Functional Software, Inc. (Sentry)	Application error tracking	USA	EU region available; USA otherwise	DPF + SCCs (Module 2)	Privacy · DPA

LLM provider used for any specific customer deployment is selected based on the use case and disclosed to the customer in the order confirmation. Customer content is not used to train any third-party LLM, in line with the opt-out commitments of OpenAI and Anthropic.

§4 Bespokely AI (Hospitality)

Sub-processors engaged when we operate a hotel or hospitality customer's AI concierge and guest service tools.

Entity	Role	Headquarters	Data processing location	Transfer mechanism	Documents
Vercel Inc.	Hosting, deployment	USA	Frankfurt, Germany	DPF + SCCs (Module 2)	Privacy · DPA
Supabase Inc.	Database, authentication, conversation history	USA	Frankfurt, Germany	SCCs (Module 2) + TIA	Privacy · DPA
OpenAI, L.L.C.	LLM inference	USA	USA	DPF + SCCs (Module 2)	Privacy · DPA
Anthropic, PBC	LLM inference	USA	USA	SCCs (Module 2) + TIA	Privacy · DPA
Meta Platforms Ireland Ltd.	WhatsApp Business API	Ireland (EU)	EU + USA	DPF (for US transfers) + SCCs	Privacy · DPA
Twilio Inc.	Voice and SMS	USA	EU region available; USA otherwise	DPF + SCCs (Module 2)	Privacy · DPA
Resend Inc.	Transactional email	USA	USA	DPF + SCCs (Module 2)	Privacy · DPA
Functional Software, Inc. (Sentry)	Application error tracking	USA	EU region available; USA otherwise	DPF + SCCs (Module 2)	Privacy · DPA

§5 Marketing website (bespokely.io)

These sub-processors are used only on our own marketing website for visitor analytics and engagement. They are not engaged on customer-facing Bespokely products. Customers of our products do not inherit these processors.

Entity	Role	Headquarters	Data processing location	Transfer mechanism	Documents
Vercel Inc.	Hosting of marketing site	USA	Frankfurt, Germany	DPF + SCCs (Module 2)	Privacy · DPA
Google LLC	Google Analytics 4 (consent-gated)	USA	USA	DPF + SCCs (Module 2)	Privacy · DPA
Hotjar Ltd	UX analytics (consent-gated)	Malta (EU)	EU + USA via parent (Contentsquare)	Intra-EU primary; SCCs for any US sub-processing	Privacy · DPA
ipgeolocation.io	Visitor geolocation API	USA	USA	SCCs (Module 2)	Privacy

§6 Notification of changes and right to object

We update this page whenever we add a sub-processor, remove a sub-processor, or change a material attribute (data location, transfer mechanism).

Notification: Active customers receive an email at least 30 days before a new sub-processor is engaged or a material change takes effect.
Right to object: Customers may object to a new sub-processor within 30 days of notification by emailing privacy@bespokely.io with the subject line "Sub-processor objection — [Customer name]".
Resolution: If we cannot accommodate the objection (e.g., the new sub-processor replaces critical functionality), the customer may terminate the affected product with no early-termination penalty. Pre-paid fees for unused months will be refunded pro-rata.

§7 How to read the transfer-mechanism column

Term	Meaning
DPF	Recipient is certified under the EU-US Data Privacy Framework (an adequacy decision under Art. 45 GDPR). Verify current certification at dataprivacyframework.gov.
SCCs (Module 2)	Standard Contractual Clauses, controller-to-processor module, adopted by Commission Implementing Decision (EU) 2021/914. Used as either the primary mechanism or as a fallback to DPF.
TIA	Transfer Impact Assessment per the EDPB Recommendations 01/2020. Maintained on file for any transfer where the recipient is not DPF-certified.
Intra-EU	Recipient is established and processes data inside the EU/EEA; no Chapter V transfer safeguards required.

DPF certifications are renewed annually and can lapse or be revoked. We verify the status of each DPF-certified sub-processor against the public DPF list at least quarterly.

§8 Version history

Version	Effective from	Summary of changes
1.0	2026-05-20	Initial publication. Establishes the per-product structure (Bespokely Website, Client Portal, AI Assistant; Bespokely AI Hospitality; Marketing site). Adds Sentry as a sub-processor across all customer-facing products.

Previous versions are preserved at bespokely.io/legal/sub-processors/v[VERSION] for evidentiary reference.

Contact for sub-processor questions or objections: Bespokely Inc., 251 Little Falls Drive, Wilmington, DE 19808, USA · privacy@bespokely.io · +1 (512) 348-6588