Sub-Processor List
Third-party services engaged by GT1 Partners LLC, dba Dimora AI to process personal data on behalf of Clients
About This List
GT1 Partners LLC, a California limited liability company, doing business as Dimora AI engages the following sub-processors to deliver its services. As the Controller of guest personal data, Clients provide general written authorization for these sub-processors by entering into the Service Agreement.
Dimora AI will notify Clients at least 30 days before engaging a new sub-processor or making a material change to an existing one. Clients may object to a new sub-processor within that period.
All sub-processors are bound by data protection obligations no less protective than those in the Data Processing Addendum. EU-to-US transfers are governed by the Standard Contractual Clauses (Module 2) incorporated in the DPA.
DPF = EU-US Data Privacy Framework certified. DPA → links to the sub-processor's own data processing terms.
Guest Data Processors
Sub-processors that may access or process personal data of property guests
| Sub-Processor | Purpose | Data Accessed | Location |
|---|---|---|---|
VAPI | Voice AI platform for guest calls | Call audio, transcripts, phone numbers, duration | United States (GCP) |
OpenAI DPFDPA → | LLM inference for Voice AI (Maggie) | Live call transcript content | United States |
OpenRouter | LLM routing for Inbox AI sub-workflows | Guest message content for AI drafting | United States |
Deepgram DPFDPA → | Real-time speech-to-text transcription | Voice audio stream | United States |
ElevenLabs | Voice synthesis for AI responses (via VAPI) | AI-generated response text | United States |
Google (Gemini + Workspace) DPFDPA → | Inbox AI classification + call summary emails + VAPI post-call analysis | Guest messages, call transcripts, call summaries | United States |
Guesty | Property management system (PMS) integration | Guest names, reservations, messages, lock codes — read-only via API on Customer's Guesty tenant | United States / European Union (depending on Customer's tenant region) |
Supabase DPFDPA → | Database for operational data storage | Guest names, phone, email, call metadata, AI drafts, transcripts | United States (AWS us-east-1) |
Client (Customer) Data Processors
Sub-processors that access Client business or billing data
Infrastructure Processors
Sub-processors providing platform infrastructure — data is transient, not persistently stored
| Sub-Processor | Purpose | Data Accessed | Location |
|---|---|---|---|
Railway | Infrastructure hosting for workflow platform (n8n) | Infrastructure logs, workflow execution data (transient) | United States |
Data Flow Overview
The following describes how guest and customer data flows through Dimora AI's platform and its sub-processors:
Voice AI (Inbound Guest Calls)
Guest dials the property phone number
Call is received and managed by VAPI (telephony + voice AI orchestration)
Audio is transcribed in real-time by Deepgram (speech-to-text)
Transcript is sent to OpenAI GPT for response generation
AI response text is synthesized to audio by ElevenLabs (via VAPI)
Call metadata and transcript are stored in Supabase (AWS us-east-1)
Post-call summary is generated by Google Gemini and emailed to the property manager
Inbox AI (Guest Message Drafting)
Guest sends a message via Airbnb, VRBO, email, or other channel
Message is received via Customer's Guesty tenant (read-only API access)
Message content is routed through n8n on Railway for orchestration
AI sub-agents (OpenRouter / Google Gemini) generate a draft reply
Draft is stored in Supabase for the property manager's review
Property manager approves, edits, or discards the draft in the Dimora AI dashboard
Approved reply is sent back to the guest via Guesty's messaging API
Reservation & Property Data Sync
Customer's Guesty account sends reservation webhooks to Dimora AI (n8n on Railway)
Reservation data (guest name, dates, property) is normalized and stored in Supabase
Revenue Engine reads reservation data to identify early check-in / late checkout / gap night opportunities
Upsell offers are sent to guests via Guesty messaging API
Customer Billing & Onboarding
Customer enters billing details; payment is processed by Stripe
Service Agreement and DPA are executed electronically via DocuSign
Customer credentials and subscription data are stored in Supabase
Sub-Processor Selection Criteria
Dimora AI evaluates sub-processors against the following criteria before engagement:
GDPR-compliant Data Processing Addendum (DPA)
All sub-processors must offer a GDPR-compliant DPA that is signed before data processing begins. Sub-processors without an available DPA are not engaged for services involving personal data.
EU-US Data Privacy Framework (DPF) certification — preferred
DPF certification is preferred for US-based sub-processors as it simplifies EU-to-US transfer compliance. Where DPF is not available, Standard Contractual Clauses (Module 2) are required.
SOC 2 Type II or equivalent security certification — preferred
SOC 2 Type II reports demonstrate third-party verified security controls. Equivalent certifications (ISO 27001, ISO 27701) are also acceptable. Sub-processors without any third-party certification undergo enhanced due diligence.
Data residency compatible with EU transfer requirements
Sub-processors must be able to process EU personal data in jurisdictions with appropriate safeguards (SCCs, DPF, adequacy decision, or equivalent). Sub-processors in countries without any recognized safeguard are not engaged for EU data.
Demonstrated security track record
Dimora AI reviews sub-processors' publicly disclosed security incident history. Sub-processors with recent material breaches involving customer data are not engaged without satisfactory explanation of remediation measures taken.
Reasonable breach notification SLAs
Sub-processors must commit to notifying Dimora AI of security incidents involving Dimora AI customer data within 72 hours (or less) of discovery, consistent with GDPR Article 33 notification timelines.
Audit Rights
Dimora AI audits sub-processors annually through vendor security questionnaires and review of published compliance documentation (SOC 2 reports, certifications, DPF status). Where Dimora AI has access to a sub-processor's SOC 2 Type II report or equivalent, it is available to Clients upon written request to privacy@dimora.ai, subject to any confidentiality restrictions imposed by the sub-processor.
Changes & Objection Rights
30-Day Advance Notice
Dimora AI will notify Clients at least 30 days before adding a new sub-processor or making a material change to an existing one. Notifications are sent via email to the Client's designated contact on record and published on this page with a version increment.
Subscribe to Change Notifications
To receive advance notice of sub-processor changes, email privacy@dimora.ai with the subject line "Sub-processor notification subscription" and include your company name and the email address to notify. You will be added to the sub-processor change notification list and will receive at least 30 days' advance notice of any additions or material changes.
To unsubscribe, reply to any notification email with "unsubscribe" in the subject line.
Right to Object
Clients may object to a new sub-processor within the 30-day notice period by notifying Dimora AI in writing at legal@dimora.ai. Dimora AI will use commercially reasonable efforts to provide an acceptable alternative. If the parties cannot reach a reasonable resolution, the Client may terminate the affected services for cause without penalty and will receive a pro-rata refund for any prepaid subscription fees covering the unused period after the termination effective date.
Questions
For questions about sub-processors or data protection, contact privacy@dimora.ai.
Version History
| Version | Date | Changes |
|---|---|---|
| 1.0 | April 20, 2026 | Initial publication. 11 sub-processors listed across Guest Data, Client Data, and Infrastructure categories. |
Future versions will be logged here. Each version increment represents the addition of a new sub-processor, removal of a sub-processor, or material change to an existing sub-processor's scope or data access.