Trust Center › Legal
Sub-processors
Authorised under DPA §8 · Last updated 2026-05-18
Below is the complete list of third-party services Toran uses to deliver the service. Each one has a single, deliberate job — none of them get all the data. The Toran engineering principle is that any vendor we add to this list either makes the product measurably better for customers, or measurably more reliable for operations. There are no marketing / analytics / advertising sub-processors on this list. There won't be.
We give at least 30 days' advance notice before adding or replacing any sub-processor. To subscribe to change notifications, email trust@toranhq.com with subject "subprocessor watch". Changes are also reflected in the changelog at the bottom of this page.
Toran is a service operated by Erez Avital, an individual conducting business
in Israel as a registered sole proprietor (עוסק מורשה) under the
trade name 'Toran'. Each sub-processor below is engaged by Erez Avital
personally under the contractual terms of the relevant vendor agreement.
| Sub-processor | Purpose | Data accessed | Region | Transfer mechanism |
|---|---|---|---|---|
| Supabase Inc.
Verified 2026-05-18 | Primary database (PostgreSQL 17), authentication, edge functions, object storage |
| EU-West (France)
Entity: United States (company), EU (data storage) | EU SCCs (Module 2) |
| Cloudflare, Inc.
Verified 2026-05-18 | CDN, web hosting (Pages), edge compute (Workers), object storage (R2), bot protection (Turnstile) |
| Global (anycast)
Entity: United States | EU SCCs (Module 2) + EU-US Data Privacy Framework |
| Resend Inc.
Verified 2026-05-18 | Transactional email delivery (lead notifications, account emails, WhatsApp Forwarder) |
| Global
Entity: United States | EU SCCs (Module 2) |
| Google LLC (Gemini API)
Verified 2026-05-18 | AI lead scoring & conversation summarization |
| Global
Entity: United States | EU SCCs (Module 2) + EU-US Data Privacy Framework |
| Paddle.com Market Limited
Verified 2026-05-18 | Subscription billing, payment processing, tax compliance, refund handling |
| Global (Paddle acts as Merchant of Record)
Entity: United Kingdom | UK IDTA (UK-incorporated processor) |
| Functional Software, Inc. (Sentry)
Verified 2026-05-18 | Error monitoring & performance observability |
| United States
Entity: United States | EU SCCs (Module 2) |
| IPinfo.io, Inc.
Verified 2026-05-18 | IP-to-geolocation enrichment for lead context (country, region, city) |
| Global
Entity: United States | EU SCCs (Module 2) |
| Telegram FZ-LLC
Verified 2026-05-18 | Notification delivery via Telegram Bot API (operator-side notifications only) |
| Global
Entity: United Arab Emirates | Customer-elected channel — operator opts in by providing chat_id |
Changelog
- 2026-05-18. Initial public publication. Pre-launch baseline — all current sub-processors documented. Notification obligation under DPA §8 begins from this date for any future additions.
Categories we deliberately don't use
For transparency about the negative space: Toran has chosen not to engage these categories of sub-processor in its current architecture:
- Web analytics / behavior-tracking platforms on the dashboard side (no Google Analytics, no Mixpanel, no Segment). We use a self-hosted minimal measurement only.
- Customer Data Platforms (CDPs) — your leads are not piped to a third-party CDP behind your back.
- Programmatic advertising / retargeting pixels on the dashboard or the embedded widget — visitors aren't profiled for downstream advertising.
- Session-replay tools (FullStory, LogRocket, etc.) — chat content isn't recorded for replay by a third party.
How to object to a sub-processor change
DPA §8 grants Customer the right to object on reasonable data-protection grounds within 14 days of any change notice. To object, reply to the change notification (or email trust@toranhq.com) with your specific concern. We will work in good faith to address it; if the objection cannot be reasonably resolved, Customer may terminate the affected portion of the Services for breach.