Subprocessors

Last updated June 30, 2026

To run AIOS and deliver it on our customers' behalf, we use a small set of vetted vendors that process personal information for us. This page lists each one, what it does, and where it operates.

What this page is

AIOS is a service of NoManagement B.V., a company registered in the Netherlands. To run AIOS and to deliver it on our customers' behalf, we use a small set of vetted vendors that process personal information for us. These are our subprocessors. This page names each one, what it does, and where it operates. It supports the general authorization for subprocessors in our Data Processing Addendum and works alongside our Privacy Policy.

How to read this list

Some vendors run AIOS itself and handle information about our own customers, where we are the controller. Others help the AI agent work on a customer's behalf and handle that customer's lead and contact data, where we are the processor on the customer's documented instructions. We share data with each one only to provide the service, under contracts that require them to protect it and use it only for us.

Our subprocessors

The vendors that process personal data to run and deliver AIOS:

  • Supabase: database, file storage and authentication. United States / EU.
  • Vercel: website hosting and content delivery. United States (global edge).
  • Hostinger: server hosting for our self-hosted voice worker. EU.
  • LiveKit: real-time voice runtime that carries call audio. United States.
  • Telnyx: telephone carrier, call signaling and phone numbers. United States.
  • Deepgram: speech-to-text during calls. United States.
  • Cartesia: text-to-speech during calls. United States.
  • OpenRouter: the gateway that routes requests to language-model providers, including Groq and others selected per request. United States.
  • Meta Platforms: the WhatsApp, Messenger and Instagram messaging APIs that carry conversations on those channels when AIOS operates them on a customer's behalf (it processes the message content and the contact's phone or handle). United States / Ireland (EU).
  • Resend: transactional email such as reports, confirmations and account messages. United States.
  • A website-crawling provider: crawling websites you provide so we can build a live demo, ingest your site into your agent's knowledge, and let the agent research a page during a conversation. This may be a third-party service or our own self-hosted crawler, depending on configuration. United States or our own infrastructure.
  • PostHog: product analytics about how AIOS is used. United States.

Payments

When paid plans and billing are switched on, we use PayPro Global as our Merchant of Record to sell credits and subscriptions and to process payments. As Merchant of Record, PayPro Global is the seller of record and handles billing and tax; it receives the information needed to take a payment, such as billing details and payment method. We do not store full card numbers ourselves. United States. We will update this page and the date above before billing goes live.

What is not on this list

Two things people expect to see here, and why they are not:

  • The CRM and the channels you connect. These are your own systems. You choose the provider and you control the connection. When data flows to them, it flows to your systems on your instruction, not to a vendor we picked.
  • Marketing-analytics trackers on our website. These handle website-visitor data for our own marketing, not your lead or contact data. They are described in our Cookie Policy, not here.

International transfers

We operate from the Netherlands and several of the vendors above are in the United States, so personal information may be transferred internationally. Where it is, we rely on an appropriate transfer mechanism, such as the EU-US Data Privacy Framework or the European Commission's Standard Contractual Clauses, together with additional safeguards. Our Privacy Policy explains this in full.

Changes and how we tell you

We keep this list current and update the date above whenever it changes. Before a new subprocessor begins processing personal data, we give at least 14 days' notice. If you have a Data Processing Addendum with us, you may object within that window on reasonable data-protection grounds, and if we cannot resolve your objection you may stop using the affected part of the service. We bind every subprocessor to data-protection obligations no less protective than our own, and we remain responsible for what they do for us. To be notified of changes, email [email protected].

Questions, or a privacy or data request? Email [email protected].

This page is a plain-language summary, not legal advice. Have counsel review before relying on it.