Overview.
This page lists the third-party providers, called subprocessors, that VYRA Data Inc. ("VYRA", "we", "us") uses to help run our services and process personal information on our behalf. It supports our Privacy Policy and our Data Processing Agreement, and it is written for the procurement and privacy teams who review who we rely on before they trust us with their data.
VYRA is based in Halifax, Nova Scotia, Canada. We build and run software, and we deliver professional services. For our own websites and SaaS products, Vyra Insights, Vyra Life, Vyra Code, and the VYN AI teammate, VYRA decides why and how information is used. When we operate a product, an ad account, or a CRM on behalf of a business client, that client usually makes those decisions and we act on their instructions. In both cases, the providers below are the ones we may use to do the work.
Every subprocessor is bound by a written agreement. Each one gets only the information it needs to do its job, is limited to our documented instructions, must keep the information confidential, must apply appropriate security, and may not use the information for its own purposes. We stay accountable for the information we hand to a provider, we review the security of the providers we rely on, and we require each provider to give the information comparable protection by contract.
The list on this page names categories and, where confirmed, specific vendors. Some entries show a placeholder while we confirm or change a vendor. We keep this page current and review it at least once a quarter.
How to get notified of changes.
Enterprise customers can subscribe to advance notice of subprocessor changes. To join the notification list, email privacy@vyradata.com and ask to be added to subprocessor change notices for your account. We will send changes to the address you give us before they take effect, on the timeline described in "Changes to this list" below.
The subprocessors we use.
Each subsection below sets out the purpose the provider serves, the categories of data it may process, where it is located, and the mechanism we rely on for any cross-border transfer. Where an entry names "[vendor to confirm]", we are confirming or changing the specific provider and will update this page when it is settled.
Cloud hosting.
- Vendor: [vendor to confirm], for example a major cloud infrastructure provider.
- Purpose: Hosting and running our applications, storage, and network infrastructure.
- Data categories: Any personal information stored or processed in the services, including account data, content you submit, and usage and log data.
- Location: United States, with other regions possible.
- Transfer mechanism: Standard Contractual Clauses, with the EU-US Data Privacy Framework as a supplement where the provider is certified. We keep Standard Contractual Clauses as a fallback.
Database services.
- Vendor: [vendor to confirm], for example a managed Postgres provider.
- Purpose: Storing and querying structured application data.
- Data categories: Account records, product data, and content you submit to the services.
- Location: United States, with other regions possible.
- Transfer mechanism: Standard Contractual Clauses, with the Data Privacy Framework as a supplement where the provider is certified.
Payment processing.
- Vendor: [vendor to confirm], for example Stripe.
- Purpose: Processing payments and managing subscriptions and invoices.
- Data categories: Name, email, billing details, and transaction records. Full payment card numbers go straight to the processor. We do not store full card numbers.
- Location: United States.
- Transfer mechanism: Standard Contractual Clauses, with the Data Privacy Framework as a supplement where the provider is certified.
Transactional email delivery.
- Vendor: [vendor to confirm], for example a transactional email provider.
- Purpose: Sending service messages such as receipts, security notices, password resets, and important account changes.
- Data categories: Email address, name, and the content of the message being sent.
- Location: United States.
- Transfer mechanism: Standard Contractual Clauses, with the Data Privacy Framework as a supplement where the provider is certified.
AI model access.
- Vendor: [vendor to confirm], for example a foundation model provider such as Anthropic, OpenAI, or Google.
- Purpose: Generating responses in VYN and other AI features, grounded in the relevant data.
- Data categories: The prompts and content you send to an AI feature, and the responses it returns.
- Location: United States.
- Transfer mechanism: Standard Contractual Clauses, with the Data Privacy Framework as a supplement where the provider is certified.
- Retention and training posture: Under the business and enterprise terms we use, these providers do not train their models on your content, and we operate on a no-training basis with a zero-retention or short-retention posture where the provider offers it. VYRA does not train its own models on your content without your written opt-in.
Website analytics.
- Vendor: Google Analytics 4 (Google).
- Purpose: Understanding how our sites are used so we can improve them, only when you have allowed analytics cookies.
- Data categories: Device and browser data, usage events, approximate location from IP address, and cookie identifiers, with IP anonymisation on and a 14-month retention window for event data.
- Location: United States.
- Transfer mechanism: Standard Contractual Clauses, with the Data Privacy Framework as a supplement where the provider is certified. For visitors in the EEA and the UK, we send Google Consent Mode v2 signals so the tags respect your choice. See our Cookie Policy.
Advertising measurement.
- Vendor: Meta (Facebook and Instagram), through the Meta pixel and the Conversions API.
- Purpose: Measuring and deduplicating conversions for advertising, only when you have allowed marketing cookies.
- Data categories: Usage events and, if you submit a form, your email, phone number, and first name, which are hashed with SHA-256 on our server before they reach Meta. They are never sent in the clear, and they are never sent unless marketing is on.
- Location: United States and Ireland.
- Transfer mechanism: Standard Contractual Clauses, with the Data Privacy Framework as a supplement where the provider is certified. For advertising measurement the business is the controller and Meta acts as its processor, and Meta may keep event data for up to two years. Where we run ads on a client's behalf, we do so as the client's agent under written authorisation. See our Cookie Policy.
Customer support.
- Vendor: [vendor to confirm], for example a customer support desk provider.
- Purpose: Managing support requests and conversations with you.
- Data categories: Name, email, the content of your support messages, and related account context.
- Location: United States.
- Transfer mechanism: Standard Contractual Clauses, with the Data Privacy Framework as a supplement where the provider is certified.
CRM platform.
- Vendor: [vendor to confirm], for example a CRM platform we use to manage relationships and, where you are our client, to run yours.
- Purpose: Managing contacts, leads, and customer relationships.
- Data categories: Contact and company details, communication history, and related records.
- Location: United States, with other regions possible.
- Transfer mechanism: Standard Contractual Clauses, with the Data Privacy Framework as a supplement where the provider is certified. When we implement or operate a CRM that holds a client's customer data, VYRA acts as a processor for that client.
Voice and telephony.
- Vendor: [vendor to confirm], for example a voice and telephony provider.
- Purpose: Handling calls and related voice communications where a service uses them.
- Data categories: Phone number, call metadata, and any recording or transcript where a feature creates one.
- Location: United States, with other regions possible.
- Transfer mechanism: Standard Contractual Clauses, with the Data Privacy Framework as a supplement where the provider is certified.
International data transfers.
Some of these providers are located in the United States or in other countries, which means personal information may be processed outside your home region. We keep it protected as follows.
- For EU and UK personal data, we use Standard Contractual Clauses. Where we rely on the EU-US Data Privacy Framework, we keep Standard Contractual Clauses as a fallback so your data stays protected even if the Framework changes.
- Before we transfer Quebec personal information outside Quebec, we run the assessment that Quebec's Law 25 requires.
- Under PIPEDA, we require every provider that processes personal information on our behalf to give it comparable protection by contract.
Changes to this list.
We add, remove, and change subprocessors as our services evolve. When we do, we update this page and the last-updated date at the top.
For enterprise customers who have subscribed to notification, we give at least 30 days advance notice before a new subprocessor starts processing your personal information. During that notice period you may object in writing to a new subprocessor on reasonable data-protection grounds. If you object, we will work with you in good faith to address the concern, for example by offering an alternative or a workaround. If we cannot resolve it within a reasonable time, you may terminate the affected subscription for the part of the service that depends on the subprocessor, without penalty for that part.
Some changes are urgent. If we must engage a new subprocessor quickly to keep the service secure or running, we will still notify you and give you the same objection right as soon as we reasonably can.
Contact.
For privacy and data-rights questions, and to subscribe to subprocessor change notices, email privacy@vyradata.com.
For security issues and vulnerability reports, email security@vyradata.com.
For general and legal questions, email contact@vyradata.com.
You can reach us at VYRA Data Inc., Halifax, Nova Scotia, Canada. For more on how we handle personal information, see our Privacy Policy and our Data Processing Agreement.