Sub-processors
Effective date: May 13, 2026 · Last updated: May 13, 2026
To provide the Tailio service, we rely on a small number of trusted third-party providers ("sub-processors") who may process Personal Information on our behalf. We publish this list to comply with Quebec's Law 25 cross-border-transfer transparency requirements and as a matter of good practice for our PIPEDA-regulated Subscribers.
Each sub-processor is contractually bound to confidentiality, security, and purpose-limitation obligations, and each is selected and reviewed under our vendor-assessment process. Information about authorized cross-border transfers is included below.
Current sub-processors
| Provider | Purpose | Data categories | Hosting region |
|---|---|---|---|
| Stripe Payments Canada Ltd. | Subscription billing, Stripe Connect payouts, payment-method storage | Billing contact details, tokenized card data, transaction history | Canada / United States |
| Twilio Inc. | Outbound and inbound SMS, dedicated business phone numbers | Phone numbers, message content, delivery metadata | United States (Canadian long-code numbers) |
| Cloudflare, Inc. (R2 storage) | Object storage for pet photos, receipts, and document uploads | File contents, file metadata, access logs | North America (multi-region) |
| Railway Corp. | Application hosting and managed PostgreSQL database | All Customer Data at rest in the primary database | Canada (preferred) / United States |
| Upstash, Inc. | Managed Redis for queues, caching, and rate-limit state | Job payloads (no Customer Data persisted long-term) | United States / EU |
| OpenAI OpCo, LLC | AI-generated English narratives and text | Prompt content and model outputs (not used to train foundation models) | United States |
| Mistral AI SAS | AI-generated French narratives and text | Prompt content and model outputs (not used to train foundation models) | European Union |
| Resend, Inc. | Transactional and marketing email delivery | Recipient email, message content, engagement metrics | United States |
| Sentry (Functional Software, Inc.) | Application error monitoring and performance tracing | Stack traces, request metadata, sanitized user identifiers | United States |
| Google LLC (Google Workspace, optional Google Calendar integration) | Operational email and, where you enable it, calendar sync | Email content, calendar events (scoped to your authorization) | United States |
How we manage sub-processors
- Vendor due diligence. Before engaging a sub-processor, we review its security posture, data residency, certifications (SOC 2, ISO 27001 where available), and applicable data-protection terms.
- Contracts. Every sub-processor is bound by written terms imposing confidentiality, security, and purpose-limitation obligations consistent with PIPEDA and, where applicable, Law 25.
- Cross-border assessments. Before transferring Personal Information outside Quebec or Canada, we conduct a privacy-impact assessment as required by Law 25 s.17 and rely on contractual safeguards.
- Monitoring. We review sub-processors at least annually and respond to incidents on a priority basis.
Notification of changes
We may add or replace sub-processors from time to time. When we add a new sub-processor that processes Customer Data, we will update this page at least thirty (30) days before the change takes effect, except in cases of urgent security or business continuity. Subscribers who wish to receive direct notification of changes can email contact@tailio.ca with the subject line "Subscribe to sub-processor updates".
Questions
For questions about a specific sub-processor, contracts, or to request additional information about a cross-border transfer, contact our Privacy Officer at contact@tailio.ca.