DIDHub sub-processors
DIDHub uses a small number of carefully vetted sub-processors to deliver the service. This list discloses every third party that may process customer data, what they do, what data they touch, and the regions where they operate. It is updated whenever the list materially changes.
Last updated: 2026-04-25.
1. Infrastructure
| Sub-processor | Purpose | Data accessed | Region |
|---|---|---|---|
| Cloudflare, Inc. United States; EU operating subsidiary |
Edge layer (CDN, WAF, DDoS mitigation, DNS, TLS termination, bot management, zero-trust access via Cloudflare Access) and application hosting: the public marketing site (didhub.io), the REST/GraphQL API, and the customer-facing dashboard UI run on Cloudflare Workers and Cloudflare Pages. | Inbound web/API traffic, IP addresses, request and response metadata, dashboard session traffic, API payloads in transit. Persistent customer data (account records, CDRs, message bodies, recordings) does not live on Cloudflare — it is stored in the IaaS providers below. | Global anycast edge; the nearest PoP serves the request. Application code runs at the edge in the customer’s region. |
| Amazon Web Services (AWS) Google Cloud Platform (GCP) Oracle Cloud Infrastructure (OCI) United States, with regional operating subsidiaries |
Primary IaaS providers for the production data plane: managed databases, compute nodes, object storage, message queues, and backup retention. Customer data at rest lives in one or more of these clouds depending on customer region. DIDHub uses managed services (RDS / Cloud SQL / Autonomous DB, S3 / GCS / Object Storage, EKS / GKE / OKE) under each provider’s enterprise-tier agreement. | Account data, call detail records (CDRs), message detail records, optional call recordings, dashboard data, application backups. | Pinned to the customer’s billing region: EU customers → EU regions (Frankfurt, Amsterdam, Dublin); US/Canada → US regions; APAC → APAC regions (Singapore, Tokyo); MENA → MENA / EU regions. |
| Regional Colocation Facilities (Voice Plane) Multiple licensed carrier-neutral data centers |
In-country and in-region carrier-neutral colocations where DIDHub operates session border controllers (SBCs), STUN/TURN media servers, and PSTN interconnect equipment. Used solely for the realtime voice media path and signaling — never for data at rest. | RTP / SRTP voice streams in real time (not persisted at the colocation), SIP signaling, STUN/TURN session metadata. No account data, no CDRs, no message bodies, no recordings, no billing data. | In-region / in-country (e.g. UK voice traffic transits a UK colocation; Germany via a German colocation). |
Provider trust documentation: cloudflare.com/trust-hub · aws.amazon.com/compliance · cloud.google.com/security/compliance · oracle.com/cloud/compliance.
2. Voice & SMS connectivity
To deliver voice and SMS in 130+ countries, DIDHub interconnects with multiple licensed wholesale and regional carriers. Carrier identities are confidential under our commercial agreements; the categories below describe the role and data handling. The carriers carry call/SMS metadata necessary to route the traffic — they do not store or have access to your DIDHub dashboard, account credentials, billing details, or recording media (where applicable).
| Sub-processor category | Purpose | Data accessed | Region |
|---|---|---|---|
| Tier-1 Wholesale Voice Carriers Multiple licensed wholesale operators |
International voice termination and origination across the 130+ countries DIDHub serves; toll-free origination; primary and secondary outbound routes. | Call signaling metadata (from / to E.164, timestamps, codecs, duration, status). RTP media transits the carrier in real time and is not stored by the carrier. | In-region per call: EU calls land on EU carrier interconnects, US on NOAM, etc. |
| Licensed Regional Voice Carriers In-country licensed operators |
In-country DID assignment and interconnect where the local regulator requires a domestic licensee, or where domestic peering produces materially better quality. | Same metadata as Tier-1 carriers, plus the country-specific KYC documents required by the local regulator (e.g. business registration, address proof) when DIDHub-provided KYC is shared with the regional carrier per regulator rule. | In-country (e.g. Germany DIDs interconnect via a German-licensed carrier; UAE DIDs via a TDRA-licensed UAE operator). |
| SMS Aggregator Partners A2P / P2P SMS aggregators |
SMS termination and origination, including A2P 10DLC (US), India DLT registration, EU sender-ID, and toll-free messaging. | Message metadata (from / to, timestamps, status). Message bodies transit the aggregator. DIDHub stores message bodies in customer-region storage; aggregators may retain them per their own retention policies, typically 7 days. | In-region per message destination. |
3. Billing & payments
| Sub-processor | Purpose | Data accessed | Region |
|---|---|---|---|
| Stripe, Inc. United States; EU and UK subsidiaries |
Subscription billing, payment processing, invoicing, tax. PCI-DSS Level 1 certified; DIDHub never sees raw cardholder data. | Customer name, billing address, billing email, payment method tokens, invoice line items. | US (with EU billing entity for EU customers). |
Stripe's compliance documentation: stripe.com/legal/privacy-center.
4. Communications & operations
| Sub-processor | Purpose | Data accessed | Region |
|---|---|---|---|
| Amazon Web Services — Simple Email Service (AWS SES) Amazon Web Services, Inc. — United States, with regional operating subsidiaries |
Outbound transactional email delivery: signup confirmation, billing receipts, port-in updates, dashboard alerts, password resets, security notifications. | Recipient email, sender, subject, and body of system-generated messages. No marketing-list data shared. | Sent from the AWS region matching the customer’s billing region (EU customers → eu-west-1 / eu-central-1; US → us-east-1). |
| Cloudflare — Email Routing Cloudflare, Inc. — United States; EU operating subsidiary |
Inbound email routing for didhub.io addresses (e.g. support@, sales@, trust@). Forwards inbound mail to the support / sales platforms listed below. |
Inbound email metadata and content addressed to didhub.io. Cloudflare does not retain message content beyond delivery; messages are forwarded and not stored at the routing layer. | Global anycast edge. |
| Customer Support Platform | Helpdesk ticketing, customer support chat, knowledge base. | Email, name, company, support ticket content. Tickets you submit may include screenshots or call IDs you share. | US / EU. |
| CRM & Sales Engagement | Sales pipeline, contact management for prospects and account-management. | Business contact info: name, email, phone, company, role, account history. | US / EU. |
5. Observability & security operations
| Sub-processor | Purpose | Data accessed | Region |
|---|---|---|---|
| Error & Performance Monitoring | Application error tracking, performance telemetry, release-health metrics. | Stack traces, anonymized request IDs, environment metadata. PII scrubbing applied on ingest. | US / EU. |
| Product Analytics | Aggregate, IP-anonymized usage analytics for the dashboard (which features are used, navigation paths). No call content, no message content. | Anonymized session IDs, page paths, user-agent. PII not transmitted. | US / EU. |
| Status & Incident Communications | Public status page (status.didhub.io) and incident notifications. | Subscriber email if you opt in to incident notifications. Not shared further. | US. |
6. What we mean by "customer data"
For the purpose of this list, "customer data" means data DIDHub processes on your behalf as a processor under GDPR, CCPA, and equivalent laws. Specifically:
- Account & billing data — your account metadata, billing entity, contacts, payment method.
- Communications metadata — call detail records (CDRs): from / to E.164, timestamps, duration, status; message detail records.
- Communications content — call recordings (only when you enable recording), SMS message bodies. Stored in your billing region; retained per your account settings.
- End-user data — Caller IDs (E.164 numbers) of your end users when they call your DIDHub-routed numbers, and any data you choose to attach via API.
Data DIDHub holds about you as a controller (your name, business email, login credentials, support correspondence with us) is governed by our Privacy Policy, not the DPA.
7. A note on regions
DIDHub pins customer data to the region of your billing entity. EU billing entities → EU data plane; US → NOAM; APAC → APAC; MENA → MENA. Sub-processors may operate global control planes (e.g. Cloudflare's anycast edge), but customer data at rest is stored in the customer's region. Cross-region transfers (e.g. for support escalations) happen only with appropriate transfer mechanisms — Standard Contractual Clauses or equivalent — and are limited to what's necessary.
Single-tenant deployments with stricter residency (Germany-only, France-only, India-only, etc.) are available on Enterprise plans. Talk to [email protected] if your regulatory profile requires it.
Change log
| Date | Change |
|---|---|
| 2026-04-25 | Initial publication of public sub-processor list. |
Ready to get a number?
Pick a DID in 130+ countries from $1.99/month. Activates instantly on most numbers.