Subprocessors

Subprocessors act on behalf of Suvvy and may process Customer Data solely as necessary to provide the Services.

All subprocessors are contractually obligated to implement appropriate technical and organizational measures to protect Customer Data and comply with applicable data protection laws.

AI Providers

The following AI Providers may process Customer Data to generate AI responses:

• OpenAI — United States • Anthropic — United States • Google — United States / European Union • X.AI — United States / European Union • Perplexity — United States • DeepSeek — China • Alibaba (Qwen) — China • Moonshot AI (Kimi) — China • Zhipu AI (GLM) — China (if applicable)

These providers act as subprocessors to Suvvy.

Infrastructure Providers

The following infrastructure providers may process Customer Data to host and operate the Services:

• Cloudflare — United States / European Union • DigitalOcean — United States • Google Cloud — United States / European Union (if applicable) • Other infrastructure providers as required, subject to contractual data protection obligations

Scope of Processing

Subprocessors may process the following categories of Customer Data:

• chat messages and conversation content • identifiers such as names, email addresses, and phone numbers • usage and technical data necessary to provide the Services

Subprocessors process Customer Data solely on behalf of Suvvy and only as necessary to provide the Services.

Data Processing Agreements and Compliance with Subprocessors

Suvvy engages third-party subprocessors to provide AI processing, infrastructure, and related services. Each subprocessor processes personal data strictly in accordance with their respective Data Processing Addendum (DPA), Privacy Policy, and applicable data protection laws.

Suvvy ensures that all subprocessors are contractually bound to implement appropriate technical and organizational safeguards to protect personal data and to process such data solely for the purpose of providing the services requested by Suvvy and its customers.

In particular, Suvvy relies on the following subprocessors and their respective data protection agreements:

• OpenAI OpCo, LLC Data Processing Addendum: https://openai.com/policies/data-processing-addendum/ Privacy Policy: https://openai.com/policies/privacy-policy/

• Google LLC (Google Cloud, Vertex AI, Gemini) Data Processing Addendum: https://cloud.google.com/terms/data-processing-addendum Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice

• Anthropic PBC Privacy Policy and Data Protection Terms: https://www.anthropic.com/legal/privacy

• xAI Corp. Data Processing Addendum: https://x.ai/legal/data-processing-addendum

• Cloudflare, Inc. Data Processing Addendum: https://www.cloudflare.com/cloudflare-customer-dpa/

• DigitalOcean LLC Data Processing Addendum: https://www.digitalocean.com/legal/data-processing-agreement

• Alibaba Cloud (Alibaba Group) Privacy Policy: https://www.alibabacloud.com/help/en/legal/latest/alibaba-cloud-international-website-privacy-policy

Where applicable, these subprocessors implement standard contractual clauses (SCCs) or equivalent contractual safeguards for international data transfers.

Suvvy contractually requires subprocessors to comply with applicable data protection laws, including UAE Federal Decree-Law No. 45 of 2021, GDPR (where applicable), and other relevant privacy frameworks.

Suvvy remains responsible for ensuring that subprocessors provide adequate protection for personal data and implement appropriate security measures.