Sub-Processor List
Last updated: March 22, 2026
Effective: March 22, 2026 · Last Updated: March 22, 2026
Bestia Technologies Inc. ("Bestia", "we") uses the following third-party sub-processors to provide WhatsDone. Each sub-processor has been evaluated for data protection compliance and is bound by contractual obligations requiring equivalent privacy and security standards.
Current Sub-Processors
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Google LLC | Authentication (OAuth 2.0), Gmail API, Calendar API, People API | Account credentials (via OAuth), email content, calendar events, contacts | United States |
| Anthropic PBC | AI processing (Claude API) for email classification, action extraction, and brief generation | Email content (subject, body, metadata) sent via API for processing. Not retained after processing. | United States |
| Railway Corp | Application hosting, database hosting, infrastructure | All application data (stored in encrypted databases on Railway infrastructure) | United States |
| Resend Inc. | Transactional email delivery (invitations, OTP codes, notifications) | Recipient email addresses, email subject lines, email body content for transactional messages only | United States |
| GoDaddy Inc. | Domain registration and DNS management for bestia.ai and whatsdone.ai | No customer personal data. Domain configuration only. | United States |
Key Commitments
Data retention by sub-processors
- Google: Retains data according to your Google account settings and Google's data retention policies. We access data via API in real-time and do not maintain a persistent copy of your full Gmail inbox.
- Anthropic: Under their commercial API terms, Anthropic does not retain input data after processing and does not use customer inputs or outputs to train their models.
- Railway: Retains data as long as our application stores it. Upon account deletion, data is removed per our retention policy (30 days for primary data, 90 days for backups).
- Resend: Retains delivery logs for 30 days for debugging and compliance purposes.
- GoDaddy: Does not process customer personal data.
Contractual protections
- Each sub-processor is bound by a Data Processing Agreement (DPA) or equivalent contractual provisions requiring them to process personal data only on our instructions and to implement appropriate technical and organisational security measures.
- Sub-processors are prohibited from using your data for their own purposes (except as required by law).
- We regularly review sub-processor compliance and security practices.
International transfers
All current sub-processors are located in the United States. For transfers from the UK/EEA, we rely on the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs), supplemented by technical measures (encryption) and Transfer Impact Assessments.
Changes to Sub-Processors
We will provide at least 30 days' advance notice before adding a new sub-processor or materially changing how an existing sub-processor processes your data. Notice will be provided via:
- Email to the address associated with your account
- An update to this page
If you object to a new sub-processor, you may terminate your account before the change takes effect. We will assist with data export upon request.
Contact
- Privacy enquiries: privacy@bestia.ai
- Sub-processor questions: legal@bestia.ai
- Postal: Bestia Technologies Inc., 1600 Rosecrans Ave, Bldg 7, Manhattan Beach, CA 90266