Subprocessors
Last updated: June 29, 2026
HelmIQ uses the third-party providers below to deliver the service. We update this list within 30 days of any change. Customers on a Data Processing Agreement may object to a new subprocessor on data-protection grounds; see the DPA for how that works.
List version v2026.06
| Subprocessor | Purpose | Region | Data classes |
|---|---|---|---|
| Neon | Managed Postgres: primary application database | AWS us-east (default) | restricted, confidential, internal |
| Vercel | Application hosting: compute, edge, build | Global edge; primary US | restricted, confidential, internal, public |
| Concentrate | AI gateway: single entry point for all model inference; routes to downstream providers under enforced Zero Data Retention; native web search | US | restricted, confidential |
| Anthropic | AI inference: Claude models, accessed via the Concentrate gateway under ZDR (not Anthropic-direct) | US | restricted, confidential |
| OpenAI | AI inference: gpt-4o-mini via the Concentrate gateway under ZDR; plus Whisper audio transcription (no-retention endpoint, OpenAI-direct) | US | restricted, confidential |
| Twilio | Voice + SMS: call recording, dial-out, transcription pipeline trigger | US | restricted |
| Google Workspace (Gmail + Calendar OAuth) | Customer-authorized OAuth grants; we read on behalf of customer; we do not host customer Gmail data | Customer's Google region | restricted, confidential |
| Microsoft 365 (Outlook + Calendar + OneDrive/Teams OAuth) | Customer-authorized OAuth grants; we read and act on behalf of the customer; we do not host customer mailbox data | Customer's Microsoft region | restricted, confidential |
| Zoom | Video meeting provider used to create user-authorized meeting links for scheduled meetings and calendar invites; identifies the authorized Zoom user. No access to recordings, transcripts, or chat. | Customer's Zoom region | confidential |
| Resend | Transactional + platform email delivery (system notifications, booking and reminder fallback) when a firm has no own mailbox connected | US | confidential, internal |
| Cloudflare R2 | Object storage for uploaded documents and call recordings (encrypted at rest), when configured | US / auto (Cloudflare) | restricted, confidential |
| Stripe | Billing: payment processing for Helm subscription | US | internal |
Notifications and questions
To be notified of changes to this list, or to request our full vendor diligence bundle (including subprocessor DPA and SOC 2 status), contact jack@helmiq.net. The full security posture, including framework mappings, is on our Security & Trust Center.