
Sub-processors

Last Updated: May 26, 2026 · Version 2026-05-26

Transparency commitment. This page lists every third-party service we use to deliver the Gid platform. Each vendor is bound by a written agreement (a data processing addendum or equivalent) that requires confidentiality, security, and limited use of any personal data we entrust to them. We notify customers at least 30 days before adding, removing, or replacing a sub-processor that processes personal data.

How to subscribe to changes

To be notified by email when this list changes, send a request from your account email to privacy@gidai.ca with the subject line "Subscribe to sub-processor updates". You will receive a confirmation reply.

Core infrastructure

These vendors host or process the bulk of Customer Content and Personal Data.

| Vendor | Purpose | Data categories | Processing location | Certifications |
| --- | --- | --- | --- | --- |
| Google Cloud Platform (incl. Firebase) (cloud.google.com / firebase.google.com) | Application hosting, Cloud Run, Cloud Functions, Firestore database, Firebase Authentication, Cloud Storage, Cloud Scheduler, Cloud Logging, error reporting, push notifications (FCM) | All Customer Content, Personal Data, authentication data, application logs, device identifiers | us-central1, northamerica-northeast1 (Montreal); europe-west3 available on request for Enterprise customers | SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, PCI DSS L1 |
| Stripe, Inc. (stripe.com) | Payment processing, subscription billing, invoicing, tax calculation | Billing name, billing email, payment method (card brand, last 4 digits, expiry — full PAN never reaches Gid systems), invoices | United States | PCI DSS Level 1, SOC 1 Type II, SOC 2 Type II |

Artificial intelligence vendors

We use these third-party AI providers strictly to generate responses for you. Inputs are not used to train foundation models without explicit consent, and we use zero-retention API contracts where available.

| Vendor | Purpose | Data categories | Processing location | Certifications & contract terms |
| --- | --- | --- | --- | --- |
| OpenAI, L.L.C. (openai.com) | LLM inference for AI coaching, voice agents, training capsule generation, schedule and analytics suggestions, document understanding | Prompt content (which may include user-submitted text, conversation context, redacted operational data), system instructions | United States (API) | SOC 2 Type II; Zero-retention API contract; No training on customer data |
| Anthropic, PBC (anthropic.com) | LLM inference for specific reasoning and review tasks within selected features (where Anthropic models outperform alternatives) | Prompt content, conversation context, system instructions | United States (API) | SOC 2 Type II; No training on customer data |
| Google LLC (Vertex AI / Gemini API) (cloud.google.com/vertex-ai · ai.google.dev) | LLM inference for specific reasoning, multimodal understanding, and review tasks within selected features (where Gemini models outperform alternatives). Already a sub-processor through Firebase / Google Cloud Platform for hosting; AI usage covered by the same overarching Google Cloud Data Processing Addendum. | Prompt content, conversation context, system instructions | United States (API); other regions available through Vertex AI on Enterprise request | SOC 2 Type II; ISO 27001; ISO 27018; No training on customer data (Vertex AI / Gemini API enterprise terms) |

Communications & messaging

| Vendor | Purpose | Data categories | Processing location | Certifications |
| --- | --- | --- | --- | --- |
| Twilio Inc. (twilio.com) | SMS notifications, voice calls (when enabled), WhatsApp messaging (where applicable) | Phone numbers, message body content, call metadata, opt-in records | United States (with regional carrier routing as required) | SOC 2 Type II, ISO 27001, HIPAA-eligible |
| SendGrid (Twilio) (sendgrid.com) | Transactional email (account, billing, reset, account-deletion confirmations) | Email addresses, email metadata, email body | United States | SOC 2 Type II, ISO 27001 |

Observability & analytics

| Vendor | Purpose | Data categories | Processing location | Certifications |
| --- | --- | --- | --- | --- |
| Google Cloud Logging & Error Reporting (cloud.google.com/logging) | Application logs, error stack traces, audit logs, performance metrics | Anonymized error stacks, device metadata, request identifiers; no Customer Content is sent intentionally, sensitive fields are redacted | us-central1, northamerica-northeast1 | Inherits GCP certifications (see Core Infrastructure) |
| Firebase Analytics & Crashlytics (firebase.google.com/products/analytics) | Mobile app crash reports, anonymized usage analytics, performance monitoring | Anonymized device identifiers, crash stack traces, app interactions; no personal identifiers; IP truncated at ingest | us-central1 | Inherits GCP certifications |

Operational integrations (active per Customer)

These integrations are activated only when the Customer explicitly connects them. Each integration shares only the data needed for that integration. The Customer's master account holder can review and revoke any integration at any time from Account Settings.

| Integration partner | Purpose | Data exchanged | Processing location |
| --- | --- | --- | --- |
| Square, Inc. | POS & Labor sync (G10000, G32) | Sales summaries, timesheets, employee identifiers | United States |
| Intuit (QuickBooks Time & QuickBooks Online) | Time tracking sync (G32), accounting sync (G38) | Employee timesheets, daily-summary sales receipts | United States |
| Gusto, Inc. | Payroll sync (G32) | Employee identifiers, timesheets, labor-cost data | United States |
| Wagepoint Inc. | Payroll sync (G32, Canada) | Employee identifiers, timesheets | Canada |
| ADP, LLC | Payroll sync (G32, US enterprise) | Employee identifiers, timesheets | United States (with mTLS-secured exchange) |
| Google Business Profile | Restaurant reputation insights (when enabled) | Public Google business profile data; OAuth-scoped reviews access | United States |

Additional POS, PMS, payroll, and accounting integrations may become available. We will update this table within 30 days of any new integration that processes Customer Content or Personal Data.

Developer tools & internal vendors (no Customer Content)

For completeness, the following vendors support our development and operations but do not have access to Customer Content or Personal Data:

  • GitHub, Inc. — source-code hosting and CI/CD workflows. Configuration only; no production data.
  • Apple Inc. (App Store Connect) — iOS app distribution. Aggregate download metrics only.
  • Google LLC (Play Console) — Android app distribution. Aggregate download metrics only.
  • Cloudflare, Inc. — DNS for gidai.ca. No application traffic proxied by default.

International data transfers

Many sub-processors operate from the United States. Where Personal Data of European Union, United Kingdom, Swiss, or Indian residents is transferred to the U.S. or another jurisdiction without an adequacy decision, we rely on:

  • EU Standard Contractual Clauses (Module 2 — Controller to Processor; Module 3 — Processor to Sub-processor) as approved by the European Commission;
  • The UK Addendum to the EU SCCs, issued by the UK Information Commissioner's Office;
  • The Swiss Federal Data Protection and Information Commissioner's recognition of the EU SCCs;
  • The standard contractual clauses notified under Section 17 of India's Digital Personal Data Protection Act, 2023, when issued by the Data Protection Board;
  • EU-U.S. Data Privacy Framework certification, where the receiving vendor is certified.

Our standard Data Processing Agreement incorporates these transfer mechanisms.

Notice of changes

We will update this page when we add, remove, or materially change a sub-processor. For sub-processors that handle Personal Data, we will provide at least 30 days' advance notice (by email to subscribed customers and by in-product banner). Customers may object to a new sub-processor on reasonable data-protection grounds; in that case we will work with the Customer to find an alternative or, failing that, the Customer may terminate the affected portion of the Service for material breach with a pro-rated refund.

Contact

Gid Solutions, Inc. (operating as Gid AI)
390 Henri-Bourassa, Papineauville, Quebec, Canada, J0V 1R0

Privacy: privacy@gidai.ca
Legal: legal@gidai.ca

© 2026 Gid Solutions, Inc. (operating as Gid AI). All rights reserved.