Privacy and Subprocessors
External processors used by Orbitali and the data categories they process.
Privacy and Subprocessor Disclosure
This document is the operating source of truth for external processors used by Orbitali. It supports customer privacy reviews, security questionnaires, and internal release checks when provider integrations change.
Orbitali is the controller for account, billing, and workspace administration data. For call content, prompts, knowledge documents, tool payloads, and telephony metadata processed on behalf of a customer, Orbitali generally acts as a processor. Customers remain responsible for the personal data they choose to send through agents, prompts, knowledge files, webhook tools, and calls.
Subprocessors
| Processor | When Used | Data Categories | Purpose | Residency and Region Assumptions | DPA, SCC, or Equivalent | Retention and Deletion Notes |
|---|---|---|---|---|---|---|
| Google Cloud Vertex AI / Gemini | Realtime voice, knowledge metadata suggestions, embeddings, and knowledge search. | Audio during calls, generated transcripts, prompts, tool names and schemas, knowledge document text/chunks, query text, usage metadata. | Speech understanding, reasoning, speech generation, metadata generation, embeddings, and retrieval. | Production uses Vertex AI with EU region data processing configured by GOOGLE_CLOUD_LOCATION, currently europe-west4. Non-EU Vertex AI locations and the Gemini Developer API are not supported in production. | Google Cloud Data Processing Addendum and applicable transfer safeguards, including SCCs where required. | Orbitali retains local transcripts, knowledge text, and embeddings until customer deletion or configured lifecycle deletion. Google request handling follows Google Cloud terms and configured data controls. |
| Telnyx | Telnyx telephony and customer-connected Telnyx numbers. | Phone numbers, call identifiers, direction/routing metadata, webhook payload metadata, call control IDs, media stream routing, call audio in transit. | PSTN connectivity, inbound routing, media streaming, call answer, hangup, and transfer. | Carrier processing depends on number geography, caller location, Telnyx routing, and configured webhook/media URLs. | Telnyx data processing terms or DPA and applicable transfer safeguards. Customers using BYO Telnyx accounts maintain their own Telnyx agreement. | Orbitali stores call metadata, transcript messages, and usage records separately from Telnyx. Carrier-side retention follows Telnyx terms and customer account settings. |
| Twilio | Twilio telephony and customer-connected Twilio numbers. | Phone numbers, Twilio account and phone number IDs, call identifiers, webhook payload metadata, media stream routing, call audio in transit. | PSTN connectivity, BYO number setup, inbound routing, and media streaming. | Carrier processing depends on number geography, caller location, Twilio routing, and configured webhook/media URLs. | Twilio data protection terms or DPA and applicable transfer safeguards. Customers using BYO Twilio accounts maintain their own Twilio agreement. | Orbitali stores call metadata, transcript messages, and usage records separately from Twilio. Carrier-side retention follows Twilio terms and customer account settings. |
| Clerk | Dashboard authentication, organizations, memberships, invitations, and waitlist webhooks when configured. | User IDs, email addresses, names, organization IDs/names/slugs, roles, memberships, invitation emails and state, waitlist IDs and status. | Identity, session authentication, organization access control, invitation management, and waitlist intake. | Clerk processing region and storage controls depend on the configured Clerk instance and plan. | Clerk data processing terms or DPA and applicable transfer safeguards. | A synchronized subset is stored in Orbitali for authorization and workspace operations. Remove users/invitations in Clerk or Orbitali and anonymize local records according to deletion procedures. |
| Stripe | Only when STRIPE_SECRET_KEY is configured. | Billing email, customer name, business tax ID or identifier, billing address collected by Checkout, organization ID, checkout session ID, payment metadata, invoice/payment status. | Hosted Checkout, customer creation, payments, invoices, tax collection, and webhook verification. | Stripe processing depends on the Stripe account configuration, payment method, customer geography, and Stripe regional infrastructure. | Stripe data processing terms or DPA and applicable transfer safeguards. | Orbitali stores Stripe customer/session identifiers, credit ledger entries, and payment status. Stripe retains payment and compliance records according to legal obligations. |
| Slack | Optional; only when SLACK_WEBHOOK_URL is configured. | Waitlist notification metadata and internal rollout notification details. | Internal operational notifications. | Slack processing depends on the configured Slack workspace and plan. | Slack data processing terms or DPA for the configured workspace. | Slack message retention follows workspace policy. Disable SLACK_WEBHOOK_URL to stop sending notifications. |
| OpenObserve | Optional; only when OpenObserve environment variables are configured for the agent service. | Logs, traces, metrics, service names, resource attributes, HTTP span metadata, errors, and operational IDs that may include call/session IDs. | Observability, debugging, reliability monitoring, and incident response. | Processing occurs in the configured OpenObserve deployment; self-hosted deployments are controlled by the operator. | OpenObserve or hosting-provider data processing terms where applicable. | OpenObserve processes exported observability telemetry. Retention is controlled by the OpenObserve organization or self-hosted policy. |
Environment-Dependent Processors
- Slack is disabled unless
SLACK_WEBHOOK_URLis set. - Stripe is disabled unless
STRIPE_SECRET_KEYis set. Development can use mock billing whenENABLE_MOCK_BILLING=true. - OpenObserve export is disabled unless all required OpenObserve variables are set.
- Telnyx and Twilio availability depends on provider-specific credentials and webhook URLs.
- Production knowledge metadata and embeddings use Vertex AI with
GEMINI_BACKEND=vertexand an explicitly configured EUGOOGLE_CLOUD_LOCATION.
Notes on OpenAI
OpenAI is not used by the current production knowledge ingestion or realtime voice paths. If OpenAI or another model provider is reintroduced, add it to the subprocessor table before enabling the integration.
Customer-Provided Webhooks and Tools
Customer Server URLs and webhook tools are controlled by the customer. Orbitali sends call metadata, tool names, tool arguments, and optional signatures to the configured Server URL. Customers are responsible for documenting their own downstream processors and for avoiding unnecessary personal data in prompts, tool payloads, and webhook responses.