Skip to main content
Compliance

Data subprocessors

List of the third-party providers AISA relies on to deliver the Service, pursuant to GDPR Art. 28.

Version: 1.1
Date: 16/06/2026

Preamble

This list supplements the Privacy Policy and the Data Processing Agreement (DPA) between Traction Group S.r.l. (“Processor”) and its Customers (“Controllers”). It indicates the third-party providers (subprocessors or independent controllers, as the case may be) that Traction Group relies on to deliver the AISA Service.

Data is hosted and stored in the European Union (Cloud.it servers, Italy). Transfers to providers outside the EEA are covered by the safeguards required under Chapter V GDPR — Standard Contractual Clauses (SCC) and/or adherence to the EU-US Data Privacy Framework — and each provider is bound by a data processing agreement (DPA).

Providers active for the base service

Providers that Traction Group relies on to deliver the standard features of the AISA Service.

ProviderPurpose / ServicePrivacy roleData categoriesLocationTransfer outside the EU
OpenAI APIProcessing of conversation content through AI models to generate the assistant's responsesSubprocessorConversation content (may include personal data entered by end users)USASCC. Data not used for training; limited retention (up to 30 days) for security/abuse purposes only, then deleted
Google Gemini APISupport for automatically generating the assistant's initial configuration during onboardingSubprocessorName, email, company, phone, websiteUSASCC and/or DPF. Paid plan: data not used for training
Google SheetsTemporary spreadsheet for onboarding/lead data (on a transitional basis)SubprocessorName, email, company, phone, websiteUSASCC and/or DPF
StripePayment and billing managementIndependent controller for part of the processingName, email, address, phone, VAT number/Tax Code, subscription dataUSASCC and/or DPF
Meta — Ads / Lead AdsAdvertising campaigns and lead acquisitionTo be qualified separately from WhatsApp messagingData provided by the user via form, campaign identifiers, advertising metadataUSASCC
ZapierAutomation/integration of lead-acquisition flows from campaignsSubprocessorName, email, company, phone, websiteUSASCC
InfobipSending emails and messages (e.g. notifications, communications) to CustomersSubprocessorEmail, phone number, communication contentEUNone (data in the EU)
MailerSendSending transactional emails and communicationsSubprocessorEmail, name, communication contentUS entity; data hosting in the EU (Belgium)EU-US Data Privacy Framework + DPA
Cloud.itInfrastructure hosting and storage of data at restSubprocessorAll processed data (at rest)EU (Italy)None (data in the EU)

Providers active only if the Customer enables optional features

Providers involved only when the Customer activates specific additional features.

ProviderPurpose / ServicePrivacy roleData categoriesLocationTransfer outside the EU
Meta — WhatsApp Business PlatformWhatsApp messaging channel, only if enabled by the CustomerTo be qualified according to the contractual and technical configurationPhone number, message content, technical conversation metadataUSASCC

Future / not-yet-active providers or channels

Channels and providers not yet active: they will be added to the list with the relevant safeguards before activation.

Provider / ChannelPurpose / ServicePrivacy roleStatus
Meta — Messenger / InstagramAdditional messaging channelsTo be qualified upon activationNot yet active
Telegram, Slack, Microsoft TeamsAdditional messaging channelsTo be qualified upon activationNot yet active

Components not considered subprocessors

The following software components are self-hosted within Traction Group's infrastructure (Cloud.it servers, EU), do not involve disclosing data to third parties and therefore do not constitute subprocessors: authentication (SuperTokens), search engine (Typesense), automation orchestrator (n8n), internal CRM (Autocust), database (PostgreSQL), cache (Redis) and the content crawler. Any communications to third parties take place solely through the providers listed in the table.

Changes and notification (GDPR Art. 28(2))

Traction Group may add or replace subprocessors for the needs of the Service. In that case, it will inform the Customers (Controllers) with reasonable notice, as a rule at least 15 days before activating the new subprocessor, via email to the account administrator and by updating this page with the updated date and version number. The Customer may object to a new subprocessor for reasonable and documented data-protection reasons, as provided for in the DPA.

Version history

  • 1.1 (16/06/2026) — Added “Privacy role” column; separation between active, optional and future providers; distinct rows for Meta WhatsApp and Meta Ads/Lead Ads; more precise service names; 15-day notice for new subprocessors.
  • 1.0 (16/06/2026) — First publication of the list.

For questions or to exercise your rights: [email protected] or via PEC (certified email) [email protected].

Want to see it on your site?

Start free: connect your sources and index up to 100 indexable contents (some can be products), with 100 conversations per month.

https://

By entering the domain, you authorize AISA to analyze publicly accessible content of the indicated site to generate an initial assistant configuration. Do not enter URLs containing restricted areas or data not intended for publication.

No credit card · Live on the web in 10 minutes · WhatsApp as an add-on