Lucid AI Labs (Fabian Ilg, hereinafter "we" or "Processor") uses the sub-processors listed below for the provision of its AI chatbot and agent services. The involvement of these third parties takes place on the basis of a written agreement that complies with the requirements of Art. 28 para. 4 in conjunction with Art. 28 para. 3 GDPR.
To our customers (controllers) we hereby grant, pursuant to our DPA, a general authorisation for the involvement of these sub-processors. Customers are informed of planned changes (addition or replacement of sub-processors) at least 30 days in advance by an update of this list as well as, insofar as subscribed, by email notification. In the case of a legitimate objection, the procedure regulated in the DPA is decisive.
Note on the Art. 27 GDPR representation: Providers without an EU/EEA establishment are obliged to designate a representative in the EU (Art. 27 GDPR), insofar as they regularly process data of EU data subjects and no exception (Art. 27 para. 2) applies. The following information on the EU representation is based on the status of the respective stated due-diligence review and is verified upon DPA updates.
Hetzner Online GmbH
- Address
- Industriestr. 25, 91710 Gunzenhausen, DE
- Country of seat
- DE (EU)
- Role
- Hosting of the application database, transcripts, clinic-dashboard DB
- Data processed
- Appointment records, transcripts, clinic configuration, technical logs
- Third-country transfer basis
- EU, no third-country transfer. Data residency: Falkenstein, Nuremberg, Helsinki
- EU representative (Art. 27 GDPR)
- Hetzner is EU-based, no EU representative required
- Data processing agreement (DPA)
- https://www.hetzner.com/AV
- Notes
- Auto-acceptance of the DPA on conclusion of contract; Hetzner is certified according to ISO 27001.
Vercel Inc.
- Address
- 340 S Lemon Ave #4133, Walnut, CA 91789, USA
- Country of seat
- US
- Role
- Hosting of the marketing website lucid-ai.app as well as the clinic-dashboard frontends
- Data processed
- Server logs, technical metadata, IP addresses (truncated), build artefacts
- Third-country transfer basis
- SCC (EU 2021/914) + EU-U.S. DPF. Primary processing in the USA
- EU representative (Art. 27 GDPR)
- Via [email protected]. No separate Art. 27 representative publicly named; due-diligence inquiry to confirm the Art. 27 strategy documented (2026-04-29)
- Data processing agreement (DPA)
- https://vercel.com/legal/data-processing-addendum
- Notes
- Sub-processor list: https://security.vercel.com
Telnyx LLC
- Address
- 311 W Superior Street, Suite 504, Chicago, IL 60654, USA
- Country of seat
- US
- Role
- Telephony infrastructure (SIP trunk, call answering, routing, German geo telephone numbers)
- Data processed
- Telephone number (caller + clinic), call duration, call timestamp, audio stream (transient, see DPA § 10.3)
- Third-country transfer basis
- SCC (EU 2021/914), Module 2 + EU-U.S. Data Privacy Framework (DPF status: to be verified against dataprivacyframework.gov/list at each DPA review)
- EU representative (Art. 27 GDPR)
- Telnyx Ireland Limited (Dublin, Ireland), contact: [email protected]
- Data processing agreement (DPA)
- https://telnyx.com/legal/data-processing-addendum
- Notes
- Replaces the former telephony provider Twilio as of spring 2026. German telephone number provisioning via Telnyx carrier partnerships; EU data-residency options for SIP routing active according to availability. Sub-processor list: https://telnyx.com/legal/sub-processors.
Deepgram Inc.
- Address
- 1438 Webster St STE 100, Oakland, CA 94612, USA
- Country of seat
- US
- Role
- Speech-to-text (STT), real-time transcription of the caller audio
- Data processed
- Audio stream (transient), generated transcript
- Third-country transfer basis
- SCC (EU 2021/914), Module 2
- EU representative (Art. 27 GDPR)
- Via [email protected]. No separate Art. 27 representative publicly named; due-diligence inquiry documented (2026-04-29)
- Data processing agreement (DPA)
- https://deepgram.com/legal
- Notes
- Voice data is not used for training purposes pursuant to the Deepgram API agreement, provided that an API plan without consent to data use is chosen.
Anthropic PBC
- Address
- 548 Market St PMB 90375, San Francisco, CA 94104, USA
- Country of seat
- US
- Role
- LLM (Claude) for conversation logic and appointment understanding
- Data processed
- Transcript snippets, clinic-context prompt, generated response
- Third-country transfer basis
- SCC + EU-U.S. DPF
- EU representative (Art. 27 GDPR)
- Via [email protected]. No separate Art. 27 representative publicly named; due-diligence inquiry documented (2026-04-29)
- Data processing agreement (DPA)
- https://www.anthropic.com/legal/commercial-terms
- Notes
- Commercial API mode: Anthropic does not use input data for training purposes (Commercial Terms, status 2026).
ElevenLabs Inc.
- Address
- 228 Park Ave S PMB 30661, New York, NY 10003, USA
- Country of seat
- US
- Role
- Speech synthesis (TTS), generation of the AI voice
- Data processed
- Response text of the AI, generated audio
- Third-country transfer basis
- SCC (EU 2021/914), Module 2; DPF status: verify against the official DPF list (dataprivacyframework.gov) at each DPA update
- EU representative (Art. 27 GDPR)
- Via [email protected]. ElevenLabs has Eleven Labs sp. z o.o. (Warsaw, Poland) as a European subsidiary, which addresses the Art. 27 requirement via an EU establishment; confirmation documented as part of the ongoing due diligence (2026-04-29)
- Data processing agreement (DPA)
- https://elevenlabs.io/dpa
- Notes
- Sub-processor list and TOM: https://compliance.elevenlabs.io
Resend Inc.
- Address
- San Francisco, CA, USA
- Country of seat
- US
- Role
- Transactional email delivery (appointment confirmations, contact form replies)
- Data processed
- Email address, content of the respective mail, delivery status
- Third-country transfer basis
- SCC + EU-U.S. DPF
- EU representative (Art. 27 GDPR)
- Via [email protected]. No separate Art. 27 representative publicly named; due-diligence inquiry documented (2026-04-29)
- Data processing agreement (DPA)
- https://resend.com/legal/dpa
- Notes
- Sub-processor list: https://resend.com/legal/subprocessors
Microsoft Corporation (Clarity)
- Address
- One Microsoft Way, Redmond, WA 98052, USA
- Country of seat
- US
- Role
- Anonymous web analytics (heatmaps, click patterns), only after consent
- Data processed
- Click position, mouse/scroll movement, browser type, screen resolution, truncated IP
- Third-country transfer basis
- SCC + EU-U.S. DPF (Microsoft DPF-certified)
- EU representative (Art. 27 GDPR)
- Microsoft Ireland Operations Limited (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland)
- Data processing agreement (DPA)
- https://learn.microsoft.com/en-us/clarity/data-privacy-data-protection
- Notes
- Storage duration 13 months. Before consent, Clarity is initialised with clarity('consent', false); no cookie is set.
Changes
This list is updated upon every change of the sub-processor deployment. The date of the last update is stated in the page header. Customers who wish to receive a notification of changes can contact us at [email protected].