Legal Information

Torru Subprocessors

Last updated: October 20, 2025

We use third-party subprocessors to help us provide our services. This page lists all subprocessors we currently use, what they do, and where they're located.

In accordance with UK GDPR and data protection requirements, we ensure all subprocessors:

  • Have appropriate data protection agreements in place
  • Maintain adequate security measures
  • Process data only as instructed
  • Are located in jurisdictions with adequate data protection (UK, EU, or with appropriate safeguards for international transfers)

Infrastructure & Hosting

Hetzner Online GmbH

Purpose: Cloud infrastructure and server hosting Data location: Germany (EU) Data processed: All customer data and service infrastructure Website: hetzner.com Privacy policy: hetzner.com/legal/privacy-policy

AI & Voice Processing

ElevenLabs

Purpose: Voice AI generation and text-to-speech services Data location: United States Data processed: Voice content, audio recordings, text for voice synthesis Transfer mechanism: Standard Contractual Clauses (SCCs) Website: elevenlabs.io Privacy policy: elevenlabs.io/privacy

OpenAI, L.L.C.

Purpose: AI processing, transcription, and natural language understanding Data location: United States Data processed: Voice transcripts, conversation data, API requests Transfer mechanism: Standard Contractual Clauses (SCCs) Website: openai.com Privacy policy: openai.com/privacy

Anthropic PBC

Purpose: AI processing and natural language understanding Data location: United States Data processed: Conversation data, API requests, transcripts Transfer mechanism: Standard Contractual Clauses (SCCs) Website: anthropic.com Privacy policy: anthropic.com/privacy

Cartesia AI

Purpose: AI voice processing and real-time audio generation Data location: United States Data processed: Voice content, audio data, API requests Transfer mechanism: Standard Contractual Clauses (SCCs) Website: cartesia.ai Privacy policy: cartesia.ai/privacy

Google LLC (Gemini API)

Purpose: AI processing and natural language understanding Data location: United States (with EU data centers available) Data processed: API requests, conversation data Transfer mechanism: Standard Contractual Clauses (SCCs) Website: google.com Privacy policy: policies.google.com/privacy

Retell AI Inc.

Purpose: Voice AI agent platform and conversation orchestration Data location: United States (California) Data processed: Voice calls, audio recordings, call transcripts, call metadata, interaction logs Transfer mechanism: Standard Contractual Clauses (SCCs) Website: retellai.com Privacy policy: retellai.com/legal/privacy-policy

Telephony & Communications

Twilio LLC

Purpose: SIP telephony provider, phone number provisioning, and call routing Data location: United States (with EU infrastructure for GDPR compliance) Data processed: Call data, phone numbers, call routing information, call metadata Transfer mechanism: Standard Contractual Clauses (SCCs), with EU data processing options Website: twilio.com Privacy policy: twilio.com/en-us/legal/privacy

Brevo (formerly Sendinblue)

Purpose: Transactional email delivery and communications Data location: European Union (France) Data processed: Email addresses, transactional email content, delivery data Website: brevo.com Privacy policy: brevo.com/legal/privacypolicy

Payment Processing

Access Suite Limited

Purpose: Payment processing and billing Data location: United Kingdom Data processed: Payment information, billing details, transaction data Website: accesssuite.co.uk Privacy policy: Contact for details

Communications

Brevo (formerly Sendinblue)

Purpose: Transactional email delivery and communications Data location: European Union (France) Data processed: Email addresses, transactional email content, delivery data Website: brevo.com Privacy policy: brevo.com/legal/privacypolicy

Domain & Security

Cloudflare, Inc.

Purpose: Domain routing, CDN, and security services Data location: Global network with EU data processing compliance Data processed: DNS queries, website traffic data, IP addresses, security logs Transfer mechanism: Standard Contractual Clauses (SCCs), EU Data Processing Addendum Website: cloudflare.com Privacy policy: cloudflare.com/privacypolicy

International Data Transfers

Some of our subprocessors are located outside the UK and EU. Where data is transferred internationally, we ensure appropriate safeguards are in place, which may include:

  • Standard Contractual Clauses (SCCs) approved by the UK and EU
  • Data Processing Agreements with all subprocessors
  • Technical and organisational security measures to protect data during transfer and processing

For details on the location of each subprocessor, see the listings above.

Customer-Configured Communication Channels

You may configure third-party channels (e.g. messaging, CRM or email platforms) which Torru will use to carry out business related workflows (e.g. booking meetings, issuing invoices/refunds) and communicate with your end users. These are activated only at your request and you maintain full control over which channels are enabled.

Updates to This List

We may update our subprocessors from time to time. When we add a new subprocessor who will process customer data, we will update this page with the new subprocessor details.

If you object to a new subprocessor, please contact us at [email protected]. We will work with you to find a solution, which may include:

  • Not using the new subprocessor for your account
  • Helping you transition to an alternative service
  • Terminating the agreement if no alternative is available

Questions?

If you have questions about our subprocessors or data processing practices, please contact us at [email protected].

Audit Rights

Under our Data Processing Agreement, customers have the right to audit our subprocessor compliance. For audit requests or to receive copies of our Data Processing Agreements with subprocessors, please contact [email protected].