Overview of all third-party service providers Gobi Stories AS uses to operate its services and business. Prior to engaging any sub-processor, we conduct a thorough assessment encompassing detailed analysis of security and legal aspects, in accordance with GDPR Article 28 and Chapter V.
1 About this list
The list below covers two categories of providers, both shown in the same table for transparency:
- Processor role — providers used to process Customer personal data on behalf of the Customer. These are in scope of our Data Processing Agreement (DPA).
- Controller role — providers used in Gobi's own business operations (CRM, commercial communications, invoicing). Gobi is the controller for this processing; these providers are not sub-processors under the DPA but are listed here for completeness.
2 Definitions
- End Users — individuals who view content delivered through Gobi Player on websites that have embedded the player.
- Customers — organizations that have a subscription with Gobi.
3 Providers
| Service | Purpose | Gobi's role | Data processed | Location | Transfer basis |
|---|---|---|---|---|---|
| Chatlio | In-product chat support inside Gobi Studio | Processor | Chat messages, connection information | US | Data Privacy Framework Documentation |
| Cloudinary | Video transcoding and delivery for Gobi Player | Processor | Videos, images, End User IP addresses | EU + US | Data Privacy Framework Documentation |
| Google Cloud | Hosting, storage and compute for Gobi Studio and Gobi Player | Processor | Customer-uploaded content, account and organization data, story metadata, analytics | EU | Not necessary |
| Resend | Transactional email delivery for Gobi Autopilot (invitations, confirmations) | Processor | Recipient email address, message content | US | Data Privacy Framework Documentation |
| Sentry | Error and crash reporting for Gobi Studio | Processor | User and organization identifiers, error logs | US | Data Privacy Framework Documentation |
| Slack | Internal notifications to the Gobi team about Autopilot submissions | Processor | Submitter name, Customer identifier | US | Data Privacy Framework Documentation |
| Supabase | Database and video storage for Gobi Autopilot | Processor | Recordings, submitter name and email, consent metadata | EU | Not necessary |
| Twilio Segment | Usage analytics for product improvement in Gobi Studio | Processor | User and organization identifiers, usage events | US | Data Privacy Framework Documentation |
| Vercel | Application hosting for Gobi Autopilot | Processor | Connection information | EU | Not necessary |
| Customer.io | Email delivery for service updates and opt-in subscribers | Controller | Contact name, email, engagement data | EU | Not necessary |
| HubSpot | CRM for leads, prospects and commercial contacts | Controller | Contact name, email, company information | EU | Not necessary |
| Tripletex | Invoicing and bookkeeping | Controller | Company name, organization number, billing email, invoice history | EU | Not necessary |
4 About Data Privacy Framework
Transfer is covered by the EU–U.S. Data Privacy Framework — the adequacy decision adopted by the European Commission on 10 July 2023, effective 10 October 2023. Each provider marked with “Data Privacy Framework” in the table is an active participant in the EU–U.S. DPF (and, where applicable, the UK Extension and Swiss–U.S. DPF), supplemented by appropriate technical and organizational measures such as encryption in transit and at rest and logical separation of customer data.
All providers listed have signed a Data Processing Agreement with Gobi Stories AS. Technical and organizational measures applied across all providers are described in our DPA.