Sub-Processors
Third parties we use
Last updated: June 2026
ReputeFlows uses the third-party services listed below to deliver our platform. We require all sub-processors to maintain privacy and security standards equivalent to those required under India\'s Digital Personal Data Protection Act 2023 (DPDPA). This page is updated whenever we add or remove a sub-processor.
Note for hospitality clients: The processors marked below as handling “Review text” may receive content from your customer reviews — including reviewer name, rating, free-text feedback, and any photos a guest chose to submit with their review. ReputeFlows is a review-and-reputation platform only; we do not process payment-card data, identity documents, or any regulated record types beyond ordinary review content. Hospitality clients can request a Data Processing Agreement (DPA) via legal@reputeflows.com.
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI review reply suggestions, sentiment analysis, aspect extraction (Claude models) | United States |
| Google LLC — Generative Language API (Gemini) | Fallback AI review analysis when Anthropic is unavailable or rate-limited | United States and Google global infrastructure |
| Google LLC — Places API | Business location lookup during onboarding and Google Maps integration | United States and Google global infrastructure |
| Google LLC — Google Analytics 4 | Aggregate website traffic analytics on the public marketing pages | United States and Google global infrastructure |
| Meta Platforms, Inc. — WhatsApp Business Cloud API | Sending and receiving WhatsApp messages on behalf of Business clients | Meta global infrastructure (subject to Meta's data localisation policies for India) |
| Resend, Inc. | Transactional email (welcome emails, payment receipts, review notifications) | United States |
| Razorpay Software Pvt Ltd | Subscription billing and payment processing for paid plans | India (RBI-regulated) |
| MongoDB — (operated by Emergent infrastructure) | Primary database for storing all Business and customer data | Pending confirmation from Emergent infrastructure team |
| Emergent (Hosting / CDN / Deployment) | Application hosting, deployment infrastructure, content delivery, and TLS termination | Pending sub-processor disclosure from Emergent |
Detailed inventory
Anthropic, PBC
Privacy policy- Purpose:
- AI review reply suggestions, sentiment analysis, aspect extraction (Claude models)
- Data shared:
- Review text submitted by Business clients (may contain customer names, phone numbers, review content)
- Location:
- United States
Primary AI provider. Used for sentiment analysis on every review. No data retention by Anthropic per their API terms.
Google LLC — Generative Language API (Gemini)
Privacy policy- Purpose:
- Fallback AI review analysis when Anthropic is unavailable or rate-limited
- Data shared:
- Review text (same scope as Anthropic)
- Location:
- United States and Google global infrastructure
Consumer Gemini API tier (not Vertex AI). Used as a graceful fallback only.
Google LLC — Places API
Privacy policy- Purpose:
- Business location lookup during onboarding and Google Maps integration
- Data shared:
- Business name, address, and Google Place ID lookup queries
- Location:
- United States and Google global infrastructure
Optional integration; only triggered when a Business owner connects their Google Business Profile.
Google LLC — Google Analytics 4
Privacy policy- Purpose:
- Aggregate website traffic analytics on the public marketing pages
- Data shared:
- Anonymous page views, browser type, country (no review content, no Business data)
- Location:
- United States and Google global infrastructure
Used only on public marketing pages, not inside authenticated dashboard areas.
Meta Platforms, Inc. — WhatsApp Business Cloud API
Privacy policy- Purpose:
- Sending and receiving WhatsApp messages on behalf of Business clients
- Data shared:
- Customer phone numbers, message content (templates and freeform replies), opt-out status
- Location:
- Meta global infrastructure (subject to Meta's data localisation policies for India)
Used only when a Business client connects WhatsApp Business and sends/receives messages through ReputeFlows.
Resend, Inc.
Privacy policy- Purpose:
- Transactional email (welcome emails, payment receipts, review notifications)
- Data shared:
- Email address, recipient name, email body content
- Location:
- United States
Used for transactional emails only. No marketing emails.
Razorpay Software Pvt Ltd
Privacy policy- Purpose:
- Subscription billing and payment processing for paid plans
- Data shared:
- Business owner contact info, payment method tokens. Razorpay does NOT process customer review content.
- Location:
- India (RBI-regulated)
PCI-DSS compliant. Card and UPI details are tokenised by Razorpay; ReputeFlows never stores raw payment credentials.
MongoDB — (operated by Emergent infrastructure)
Privacy policy- Purpose:
- Primary database for storing all Business and customer data
- Data shared:
- All ReputeFlows data: businesses, reviews, customer contacts, conversations, billing records
- Location:
- Pending confirmation from Emergent infrastructure team
Region, encryption-at-rest configuration, and SOC 2 status pending verification with our hosting provider. Update due once confirmed.
Emergent (Hosting / CDN / Deployment)
Privacy policy- Purpose:
- Application hosting, deployment infrastructure, content delivery, and TLS termination
- Data shared:
- All HTTP traffic to ReputeFlows passes through Emergent's infrastructure
- Location:
- Pending sub-processor disclosure from Emergent
Verification of region, sub-processor inventory, and security certifications pending direct disclosure from Emergent.
Pending verifications: Items marked “pending” (MongoDB region/encryption, Emergent sub-processor disclosure) are being formally confirmed with the relevant providers. This page will be updated within 7 days of receiving authoritative responses. If you require these confirmations urgently for a vendor review, please contact legal@reputeflows.com.
Adding new sub-processors
We will update this page whenever we add or remove a sub-processor. For Business clients on annual contracts who have requested change notifications, we provide 30 days' advance notice via email before introducing a new sub-processor that materially changes how we process their data. Contact legal@reputeflows.com to request notifications.
Questions?
For questions about this list, sub-processor security, or to request a Data Processing Agreement, email legal@reputeflows.com.