Sub-processors
- Last updated
- Effective
- Entity
Kairo Labs LLC ("Kairo") discloses the third-party providers below as required by GDPR Article 28 and applicable US state privacy law. Each is bound by a written data-processing agreement that requires them to handle your personal information with at least the same level of care we do, and to use it only to provide the service Kairo has contracted them for. All current sub-processors store data in the United States.
The categories below describe the role each sub-processor performs. Specific vendor identities for due-diligence purposes — including certifications (SOC 2, ISO 27001), HIPAA / FedRAMP posture where applicable, and DPA signature copies — are available to business customers under NDA on request. Email privacy@heykairo.io.
Current sub-processors
- Cloud database provider · Core infrastructure
Purpose: Managed Postgres database, authentication, and object storage.
Data: Account identifiers, authentication credentials, customer content
Country: United States.
- Application hosting provider · Core infrastructure
Purpose: Application hosting, edge network, request logging.
Data: Request metadata (IP, user-agent, path), application logs
Country: United States.
- Payment processor · Billing
Purpose: Subscription billing and payment card processing (PCI DSS Level 1).
Data: Name, billing email, billing address, card brand and last four. Full PAN never reaches Kairo.
Country: United States.
- Transactional email provider · Communications
Purpose: Sign-in links, receipts, and security alerts.
Data: Email address and the message content of transactional emails only
Country: United States.
- AI inference provider (primary) · AI
Purpose: Model inference for capture parsing, summaries, and Copilot under zero data retention where available.
Data: Prompt content for the specific AI feature triggered. No training on customer data.
Country: United States.
- AI inference provider (fallback) · AI
Purpose: Secondary model inference under the same zero-data-retention terms.
Data: Prompt content for the specific AI feature triggered. No training on customer data.
Country: United States.
- Google LLC · Optional integrations · engaged only when you connect this integration
Purpose: Google sign-in (when chosen) and Calendar / Drive / Maps integration (when connected).
Data: OAuth tokens, the scopes you grant, and addresses you submit for routing
Country: United States.
- Microsoft Corporation · Optional integrations · engaged only when you connect this integration
Purpose: Microsoft sign-in (when chosen) and Outlook / Microsoft 365 Graph integration (when connected).
Data: OAuth tokens and the scopes you grant
Country: United States.
Affiliated entities
Kairo Labs LLC currently has no affiliates that process Customer personal information. If that changes, we will add them to this list before the change takes effect.
Change notifications
We notify business customers at least 30 days before adding or replacing a sub-processor. To subscribe to change notices, email privacy@heykairo.io with the subject "Sub-processor notifications" and the email address tied to your account.
Categories of personal information shared
Consistent with CCPA/CPRA disclosure obligations: we disclose identifiers (email, account ID), content you create (events, tasks, notes, files), and limited usage and security metadata to the sub-processors above for the specific business purposes described next to each. We do not share personal information for cross-context behavioral advertising — see Do not sell or share.