Legal

Sub Processors

TransferToAI Pty Ltd
Last Updated: November 3, 2025
Effective Date: November 3, 2025
Jurisdiction: Australia, Queensland

Introduction

TransferToAI Pty Ltd processes personal information in compliance with the Privacy Act 1988 and Australian Privacy Principles (APPs).

This document lists all sub-processors (vendors and third-party service providers) who handle patient data or clinic data on our behalf.

Key Commitment: 100% data residency in Australia (Sydney region). All personal information remains in Australian data centers.

Sub-Processors Table


VendorServiceData ProcessedData LocationDPA StatusTwilio Inc.Phone call routing & real-time media streamingInbound call audio, phone numbers, call metadata (duration, timestamp)Sydney endpoint (AU-1)View DPAContabo GmbHCore infrastructure (VPS, database, backups)Call recordings, transcriptions, metadata, logs (encrypted)Sydney, AustraliaView DPAGoogle Cloud (Vertex AI + Calendar API)AI responses (Gemini LLM) + Clinic calendar synchronizationReal-time AI processing (transcription, response generation); read-only access to clinic calendar (appointments, availability)AU-Southeast (Sydney PoP)View DPAMicrosoft AzureSpeech-to-text & text-to-speech conversionAudio transcription, text synthesis for AI responsesAU-East (Sydney region)View DPACellcast LimitedSMS delivery for appointment confirmationsPhone numbers, appointment details, confirmation messagesMelbourne, AustraliaPrivacy Policy

Data Residency Guarantee

100% Australian Data Residency

All personal information is processed and stored in Australian data centers (Sydney region). No data leaves Australia except for:

  • Google Cloud: Uses Australian PoP (Point of Presence) in Sydney; no data copied to Google's servers

  • Cellcast: Australian SMS provider (Melbourne-based)

How Sub-Processors Handle Your Data

Twilio (Voice API)

  • Role: Real-time call media streaming and phone number routing

  • Data: Inbound call audio, caller phone numbers, call duration, timestamp

  • Retention: Call recordings stored per your subscription tier (see Privacy Policy)

  • Security: TLS 1.3 encrypted in transit; no storage by Twilio

Contabo (Infrastructure)

  • Role: VPS hosting, PostgreSQL database, encrypted backups

  • Data: All call recordings, transcriptions, metadata, application logs

  • Retention: Daily backups encrypted with AES-256

  • Security: Encryption at rest (AES-256); SOC 2 Type II compliant

  • Location: Sydney data center

Google Cloud (Gemini + Calendar)

  • Role #1 (Gemini API): AI-powered response generation and transcription

    • Processes real-time call audio

    • Does NOT store call data

    • Generates AI responses in real-time

  • Role #2 (Calendar API): Clinic appointment availability synchronization

    • OAuth read-only access to clinic's Google Calendar

    • Reads: appointment slots, clinic hours, availability

    • Does NOT modify calendar; clinic owns all data

  • Retention: Data NOT stored by Google (real-time processing only)

  • Security: TLS 1.3; subject to Google Cloud DPA

Azure (Speech Services)

  • Role: Speech-to-text (audio → transcript) and text-to-speech (AI response → audio)

  • Data: Real-time audio processing; results returned immediately

  • Retention: Data NOT stored by Microsoft (real-time processing)

  • Security: TLS 1.3 encrypted in transit

Cellcast (SMS)

  • Role: SMS delivery for appointment confirmations

  • Data: Patient phone numbers, appointment details, confirmation message text

  • Retention: Per Cellcast privacy policy (typically 90 days)

  • Security: Australian provider; privacy policy available at cellcast.com.au

Data Processing Agreements (DPAs)

All sub-processors have executed Data Processing Agreements in compliance with APP 1 (collection and use of personal information) and APP 6 (data security).

To Request DPA Copies:
Contact: privacy@transfertoai.com.au

Consent & Control

Clinic Control: You control data shared with each sub-processor

  • You authorize Twilio integration for call handling

  • You authorize Google Calendar OAuth for appointment sync

  • You can disconnect any integration anytime

  • Upon disconnection, no new data processed; existing data retained per tier

Patient Consent: Recording consent collected via IVR script (English + Spanish)

  • Patients must consent to recording before calls processed

  • If no consent → no call recording or data processing

  • Consent logs maintained for audit trail

Subprocessor Changes

TransferToAI may add or replace sub-processors. We will notify customers 14 days before any change.

To object to a sub-processor change, contact: privacy@transfertoai.com.au

Certifications & Compliance

  • Contabo: SOC 2 Type II Certified

  • Google Cloud: ISO 27001 Certified

  • Microsoft Azure: ISO 27001 Certified

  • Twilio: SOC 2 Type II Certified

Contact

Questions about sub-processors?

Email: privacy@transfertoai.com.au

Last Updated: November 3, 2025

OAIC-compliant. Data always stays in Australia.

OAIC-compliant. Data always stays in Australia.