SmartAlex Subprocessor List

Version 1.1 · Effective June 1, 2026 · THERCSGROUP PTE. LTD. (trading as SmartAlex, Singapore Reg. No. 202543608D)

1. Purpose and scope

This Subprocessor List sets out the third parties (each, a Subprocessor) that THERCSGROUP PTE. LTD., trading as SmartAlex (SmartAlex, we, us or our), engages to process Personal Data on behalf of our Customers in providing the SmartAlex platform, websites, applications and APIs (together, the Services). It exists so that a Customer and its data-protection function can see, at any time, the full chain of processors that may handle Personal Data passing through the Services, assess each onward transfer, and exercise the objection rights described below.

This List forms part of, and is incorporated into, our Data Processing Addendum and supplements our Privacy Policy. It is published in satisfaction of the transparency requirement in Article 28(2) and Article 28(3)(d) of the General Data Protection Regulation, which require a processor to identify its subprocessors and to flow down equivalent data-protection obligations to them. Where this List and the Data Processing Addendum differ, the Data Processing Addendum prevails.

Each Subprocessor listed below has entered into a written contract with us that imposes data-protection obligations no less protective than those we owe Customers under our Data Processing Addendum, including, where the Subprocessor processes Personal Data, the data-protection terms required by Article 28(3) of the General Data Protection Regulation. We remain fully liable to the Customer for the performance of each Subprocessor's data-protection obligations.

2. Defined terms

The terms Customer, Customer Data, Personal Data, Controller, Processor and Subprocessor have the meanings given in our Data Processing Addendum. For ease of reference, the following terms are used throughout this List:

• Customer means the business that contracts for the Services.
• End User means an individual the Customer interacts with through the Services, for example the recipient of a call placed by a Customer's voice agent.
• Customer Data means data the Customer or its End Users provide, or that is generated through the Customer's use of the Services, including call audio, recordings, transcripts, contacts, messages, knowledge bases and agent configuration.
• Personal Data means information relating to an identified or identifiable individual.
• Subprocessor means a third party engaged by SmartAlex to process Personal Data on the Customer's behalf in connection with the Services.
• Core Subprocessor means a Subprocessor engaged for every Customer, listed in the section titled "Core subprocessors".
• Optional Subprocessor means a Subprocessor engaged only when the Customer enables a specific feature, listed in the section titled "Optional subprocessors".

For Customer Data, the Customer is the Controller and SmartAlex is the Processor. The Subprocessors below act on our documented instructions, which in turn reflect the Customer's instructions. SmartAlex is an independent Controller only for limited data it processes in its own right (account, billing, security and product-analytics data); the third parties that support those activities, where they process Personal Data about a Customer's own website visitors rather than Customer Data, are addressed in the sections titled "Website analytics" and "Customer-elected integrations" rather than in the core tables.

3. Notification of changes, and your right to object

We may add or remove a Subprocessor from time to time as the Services evolve, as we onboard a more capable or more privacy-protective provider, or as a provider is decommissioned. Before a new Subprocessor begins processing Customer Data, or as soon as reasonably practicable, we will update this List and record the change in the change log in the section titled "Version, review and change log" below. For material additions that affect Customer Data, we will also notify the primary administrative contact on the Customer account by email.

To make the objection right operable, each entry in the change log records the date a Subprocessor was added or removed, so that a Customer can identify which Subprocessors are new and when the notice period for any objection began. Customers who wish to receive advance notice of material changes by a dedicated channel, rather than by checking this List, may subscribe by writing to privacy@getsmartalex.com.

If you object to a new Subprocessor on reasonable, documented data-protection grounds, you may exercise the objection and termination right set out in the Subprocessor objection clause of our Data Processing Addendum. On receiving an objection we will work with you in good faith to address it, for example by describing the additional safeguards in place, by offering a configuration that does not route your Customer Data to the objected-to Subprocessor where one is available, or by proposing an alternative. If we cannot resolve the objection within a reasonable time, you may terminate the affected Services as provided in that addendum, and we will refund any prepaid fees for the terminated Services covering the period after termination.

4. Obligations we flow down to every Subprocessor

Before any Subprocessor in this List is engaged to process Customer Data, we put in place a written contract that binds it to data-protection obligations materially equivalent to those we owe the Customer. In particular, each such Subprocessor is required to:

1. process Personal Data only on documented instructions, which reflect the Customer's instructions passed through us, and not for the Subprocessor's own purposes;
2. impose a duty of confidentiality on personnel authorised to process the Personal Data;
3. implement appropriate technical and organisational security measures, including encryption of Personal Data in transit and, where the Subprocessor stores Personal Data, at rest;
4. engage further subprocessors only under equivalent written terms and subject to authorisation, and remain liable for them;
5. assist us, taking into account the nature of the processing, in responding to data-subject rights requests and in meeting our security, breach-notification, data-protection-impact-assessment and prior-consultation obligations;
6. notify us without undue delay of a personal-data breach affecting Customer Data;
7. delete or return Personal Data at the end of the provision of the relevant service, except where retention is required by law;
8. make available the information necessary to demonstrate compliance and submit to audits or inspections, directly or through independent third-party reports; and
9. where Personal Data is transferred outside the European Economic Area, the United Kingdom or Switzerland, rely on a valid transfer mechanism as set out in the section titled "International transfers".

We assess each prospective Subprocessor's security and data-protection posture before engagement and periodically thereafter, taking into account the nature, scope and sensitivity of the Personal Data it will handle. Subprocessors that handle call audio, recordings or transcripts, which can contain special-category Personal Data, are held to the most stringent of these requirements.

5. Core subprocessors

The Subprocessors in this section are engaged for every Customer of the Services. The table states, for each one, the legal entity, the purpose of processing, the categories of Personal Data involved, the primary processing region, and the transfer safeguard relied on for transfers outside the European Economic Area, the United Kingdom and Switzerland. Fuller detail on the most sensitive Subprocessors, including their role in the call lifecycle and the sub-processing terms we rely on, follows the table.

Where Customer Data is sent to a language-model or speech provider in the table above, we contract for terms under which that Customer Data is not used to train the provider's models, wherever the provider offers such terms, and we configure zero-retention or short-retention processing where it is available.

5.1 Infrastructure and platform Subprocessors

Supabase, Inc. provides the managed database, authentication, file storage and serverless functions that form the primary backend for the Services. Because almost all Customer Data is stored in or passes through this backend, Supabase is the most data-exhaustive Subprocessor in this List. Customer Data at rest in the backend is encrypted, access is restricted to authorised personnel and service identities, and tenant isolation is enforced so that one Customer cannot access another Customer's data.

Amazon Web Services, Inc. hosts the SmartAlex web application and runs the serverless compute functions that handle parts of the processing pipeline. Cloudflare, Inc. provides DNS, the content delivery network in front of our web properties, server-side rendering of exported documents such as PDFs, and object storage for those documents. Each of these providers maintains its own independently audited security programme, including SOC 2 and ISO 27001 attestations; SmartAlex relies on those attestations rather than holding an equivalent attestation of its own.

5.2 Telephony and real-time voice Subprocessors

Twilio Inc. provides the public-switched-telephone-network connectivity that originates and terminates calls, provisions phone numbers, and carries SMS. It necessarily receives caller and called phone numbers, call and message metadata, call signalling, and the content of any SMS. LiveKit, Inc. provides the real-time media infrastructure over which live call audio flows between the End User and the voice agent. LiveKit processes call audio in transit to enable the live conversation; where a call is recorded, the persistent recording is stored within our own backend rather than retained by LiveKit. Because these Subprocessors handle voice, the special-category considerations in the section titled "Special-category and biometric data" apply.

5.3 Speech and language AI Subprocessors

During a live call, audio and transcript content is processed by a large-language model (Google LLC, through the Gemini API) to drive the agent's responses, by a speech-to-text provider (Deepgram, Inc.) to transcribe speech, and by a text-to-speech provider (ElevenLabs Inc.) to synthesise the agent's voice. After a call, transcripts and related contact data may be processed by language-model providers (OpenAI, L.L.C. and Anthropic, PBC) for transcript analysis, summarisation, enrichment and the generation of embeddings, and OpenAI may provide fallback transcription. For each of these providers we contract on application-programming-interface terms under which Customer Data submitted through the interface is not used to train the provider's foundation models, and we enable zero-retention or short-retention processing where the provider supports it. These providers receive only the Customer Data necessary for the requested operation, and they do not receive the Customer's billing data, credentials or account-administration data.

5.4 Payment, email and abuse-prevention Subprocessors

Stripe, Inc. (and Stripe Payments Europe, Ltd. for Customers in the EU) processes payments and manages billing and subscriptions. The full primary account number of a payment card is tokenised by Stripe and is never stored by SmartAlex; Stripe is certified to PCI DSS Level 1. Resend, Inc. delivers transactional email such as invitations, password resets, receipts and operational notifications, and therefore receives recipient email addresses and the content of those emails. Fingerprint, Inc. supports signup fraud and abuse prevention by generating a device fingerprint from device and browser characteristics and the IP address presented at signup; it does not receive call content, contacts or transcripts.

6. Optional subprocessors

The Subprocessors in this section are engaged only if the Customer enables the specific feature named for each one. If you do not use the feature, the Subprocessor does not process your Customer Data, and no Customer Data is sent to it. The transfer safeguard for each is the EU Standard Contractual Clauses and the provider's data-processing agreement, applied where Personal Data is transferred outside the European Economic Area, the United Kingdom and Switzerland.

The availability of an Optional Subprocessor in this List does not mean the corresponding feature is enabled on your account. A feature is engaged, and its Subprocessor receives Customer Data, only when you or an administrator of your account turns it on. Some Optional Subprocessors support a feature that is available in selected configurations only; if you are unsure whether a feature, and therefore a Subprocessor, is active on your account, contact privacy@getsmartalex.com.

7. International transfers

Several Subprocessors above process Personal Data outside the European Economic Area, the United Kingdom and Switzerland, principally in the United States. For those transfers we rely on the following safeguards, as set out in our Data Processing Addendum:

1. the EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914), in the controller-to-processor module (Module Two) and, for onward transfers between Subprocessors, the processor-to-processor module (Module Three);
2. the United Kingdom International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner under section 119A of the Data Protection Act 2018;
3. the Swiss addendum to the EU Standard Contractual Clauses recognised by the Swiss Federal Data Protection and Information Commissioner.

These transfer mechanisms are supported by supplementary technical and organisational measures, including encryption of Personal Data in transit and at rest, strict access controls, and a policy of challenging any unlawful or overbroad government access request. For Customers and End Users outside the European Economic Area, the United Kingdom and Switzerland, equivalent contractual protections are applied where required by the law of the relevant jurisdiction, including South Africa's Protection of Personal Information Act in respect of cross-border transfers. A copy of the relevant safeguards, with commercially sensitive terms redacted, is available on request from privacy@getsmartalex.com.

8. Special-category and biometric data

Call audio, recordings and transcripts processed by the telephony, real-time voice and AI Subprocessors above can contain special-category Personal Data within the meaning of Article 9 of the General Data Protection Regulation, for example where an End User mentions their health, and a voice may constitute biometric data where it is used for the purpose of uniquely identifying an individual. The Services are not designed to identify individuals from their voice; SmartAlex processes voice data to provide the conversational, transcription and analytics functions the Customer has configured, on the Customer's documented instructions, and not to perform biometric identification on its own account.

Because this data can be sensitive, the Customer, as Controller, is responsible for establishing a lawful basis and, where required, a condition under Article 9(2) of the General Data Protection Regulation (typically the End User's explicit consent), or the equivalent condition under sections 26 and 27 of South Africa's Protection of Personal Information Act, and for giving End Users the notices required by applicable law before such data is captured. Our Telephony and Call Recording Notice and Acceptable Use Policy describe the Customer's call-consent and disclosure responsibilities in more detail.

9. Website analytics

Cookie-based website analytics and advertising partners are not Subprocessors of Customer Data. They process data about visitors to our own websites, where SmartAlex acts as the Controller rather than as a Processor for any Customer, and they are set only with consent where consent is required. Those partners, the cookies they use, and the choices available to website visitors are described in our Cookie Policy. They are listed separately from the core and optional tables above precisely so that a Customer's data-protection function is not misled into thinking that End User data flows to them; it does not.

10. Customer-elected integrations

This List does not include third-party services that a Customer connects to its SmartAlex tenant on its own initiative, for example the Customer's own customer-relationship-management system, calendar, or telephony carrier connected through a "bring your own trunk" or "bring your own telephony" feature. Where a Customer enables such an integration:

1. the Customer is the Controller for the data flowing to that third party, and that third party is the Customer's own processor or an independent controller, not a Subprocessor of SmartAlex;
2. the Customer is responsible for putting in place its own data-processing terms and transfer safeguards with that third party, and for ensuring the third party meets the Customer's legal obligations; and
3. SmartAlex's role is limited to transmitting the data to the integration the Customer has chosen, in accordance with the Customer's instructions.

If a Customer would like us to enter into a data-processing arrangement in respect of a particular integration, or to confirm how data flows for a specific connector, it should contact privacy@getsmartalex.com.

11. Version, review and change log

We review this List at least annually and whenever we add or remove a Subprocessor. The effective date below reflects the most recent revision, and the change log records each material change with the date it took effect so that the notice and objection periods in the section titled "Notification of changes, and your right to object" are unambiguous.

Change log:

• 1 June 2026: republished as version 1.1, with expanded definitions, the flow-down obligations applied to every Subprocessor, fuller per-vendor detail for the infrastructure, telephony, voice and AI Subprocessors, and the international-transfer and special-category sections.
• 31 May 2026: retired the previous voice-orchestration providers; consolidated the live voice agent on our current real-time voice, speech and language stack; restructured the List into core and optional subprocessor tables.
• 7 May 2026: first publication of this List.

For questions about Subprocessors, to request advance notice of material changes, or to request a copy of the transfer safeguards we rely on, contact privacy@getsmartalex.com.

This List is published by THERCSGROUP PTE. LTD. (UEN 202543608D), 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914, trading as SmartAlex, and is governed by the law of Singapore.

This Subprocessor List is version 1.1 and is effective from 1 June 2026.