Sub-processor List
Document: Sub-processor List
Effective Date: 1 March 2026
Version: 1.0
Table of Contents
- Introduction
- What Is a Sub-processor?
- Current Sub-processor List
- Sub-processor Details
- International Transfers
- Changes to This List
- Previous Changes
- Contact
1. Introduction
This page lists the third-party sub-processors that TheraScripts (company number 16196583, registered in England & Wales) uses to provide the TheraScript platform.
We publish this list so that practitioners using TheraScript can see exactly which companies process data on their behalf, what data each company handles, and where that data is stored. This supports the transparency commitments in our Privacy Policy and the sub-processor provisions in our Data Processing Agreement (DPA), Section 8 and Annex A.
Under the DPA, we are required to notify practitioners at least 30 days before adding or replacing a sub-processor. This page is one way we provide that transparency. See Section 6 for full details on how changes are communicated.
2. What Is a Sub-processor?
A sub-processor is a third-party company that processes personal data on our behalf as part of delivering the TheraScript service to you.
When you use TheraScript, you are the data controller for your client data — you decide what data to enter and why. We are the data processor — we handle it according to your instructions and our DPA. Our sub-processors help us deliver specific parts of the service (hosting, authentication, AI generation, audio generation, billing) and are bound by contracts requiring them to protect your data to standards consistent with UK GDPR.
We remain fully responsible to you for the actions of our sub-processors regarding your data.
3. Current Sub-processor List
| Sub-processor | Legal Entity | Purpose | Data Processed | Location | Transfer Safeguard |
|---|---|---|---|---|---|
| Convex | Convex, Inc. | Database and backend logic | All application data (accounts, client profiles, surveys, scripts, plan snapshots, audio metadata) | United States | UK IDTA / UK Addendum to EU SCCs |
| Clerk | Clerk, Inc. | Authentication and identity management | Email address, name, profile picture, session tokens | United States | UK IDTA / UK Addendum to EU SCCs |
| Google Cloud (TTS) | Google LLC | Text-to-speech audio generation | Script text, phonetic client names, therapeutic content | United States / EU | UK IDTA / UK Addendum to EU SCCs; UK adequacy decision (EU) |
| OpenAI | OpenAI, LLC | AI-assisted script generation and text-to-speech audio generation | Script prompts, anonymised client profile signals, client name (when personalised), module content; script text for TTS audio synthesis | United States | UK IDTA / UK Addendum to EU SCCs |
| Polar | Polar Software AS | Subscription billing and payments | Email address, billing details, subscription status | EU (Norway) | UK adequacy decision (EU/EEA) |
| Vercel | Vercel, Inc. | Web hosting and edge functions | Request metadata, session cookies | Global (edge network) | UK IDTA / UK Addendum to EU SCCs |
4. Sub-processor Details
4.1 Convex
What they do: Convex provides the database and backend logic layer for TheraScript. All application data — including practitioner accounts, client profiles, survey responses, generated scripts, plan snapshots, and audio file metadata — is stored in Convex.
What data they process: All application data entered into or generated by TheraScript.
Where data is stored: United States.
Security: SOC 2 Type II certified. All data is encrypted at rest. There is no direct database access — all data is accessed exclusively through Convex's query and mutation API, which enforces access controls at the application level.
Data retention: Data is stored for the duration of the practitioner's account. On account termination, data is deleted after the post-termination export window as described in the DPA, Section 14. Convex's automatic backup system may retain encrypted copies for a limited period as part of its standard backup rotation.
Website: convex.dev
4.2 Clerk
What they do: Clerk handles practitioner authentication — sign-in, sign-up, session management, and account security. Clerk does not process client data; it manages practitioner identity only.
What data they process: Practitioner email address, name, profile picture, and session tokens.
Where data is stored: United States.
Security: SOC 2 Type II certified. Supports multi-factor authentication (MFA) and secure session management with automatic expiry. Clerk does not share authentication data with third parties.
Data retention: Authentication data is retained for the duration of the practitioner's account and deleted when the account is closed.
Website: clerk.com
4.3 Google Cloud (Text-to-Speech)
What they do: Google Cloud Text-to-Speech converts script text into spoken audio files (MP3). When a practitioner generates audio for a script, the text is sent to Google Cloud TTS for processing.
What data they process: The full text of the generated script, which may include phonetic spellings of the client's name (if the practitioner has chosen to personalise the audio) and therapeutic content.
Where data is stored: United States and EU.
Security: SOC 2 and ISO 27001 certified. Google Cloud maintains comprehensive security controls across its infrastructure.
Data retention: Data is processed transiently. Script text is used for audio generation and is not retained by Google Cloud after the request completes. No client data is stored persistently by this sub-processor.
Website: cloud.google.com
4.4 OpenAI
What they do: OpenAI provides two services to TheraScript: (1) the AI language model used to generate therapeutic session script text, and (2) text-to-speech audio generation (gpt-4o-mini-tts) to convert scripts into spoken MP3 audio files. When a practitioner requests script generation, TheraScript sends a prompt to OpenAI containing the practitioner's configuration and anonymised client profile signals. When audio is generated, the script text (including phonetic client names if personalised) is sent to OpenAI's TTS API.
What data they process: Script generation prompts (containing anonymised client profile signals, therapeutic module content, and the client's name when the practitioner has chosen to personalise the script); script text for audio synthesis (including phonetic spellings of client names when audio is personalised).
Where data is stored: United States.
Security: OpenAI operates under a zero-retention API agreement with TheraScript. This means:
- Prompts and outputs are not stored by OpenAI beyond fulfilling the immediate API request
- Your data and your clients' data are not used by OpenAI to train or improve its models
- No client data is retained persistently by this sub-processor
Data retention: Zero retention. No deletion action is required because no data is stored.
Website: openai.com
4.5 Polar
What they do: Polar handles subscription billing and payment processing for TheraScript. When a practitioner subscribes or makes a payment, Polar manages the transaction, invoicing, and subscription lifecycle.
What data they process: Practitioner email address, billing details, and subscription status. Polar does not process client data.
Where data is stored: EU (Norway).
Security: PCI DSS compliant for payment processing. TheraScript does not receive or store full payment card details — card data is handled entirely by Polar's payment infrastructure.
Data retention: Billing records are retained by Polar in accordance with their own data retention policies and applicable financial record-keeping requirements.
Website: polar.sh
4.6 Vercel
What they do: Vercel hosts the TheraScript web application and serves it globally via its edge network. Vercel handles incoming web requests, serves the application frontend, and runs server-side rendering functions.
What data they process: Request metadata (IP addresses, browser information, request URLs) and session cookies needed for authentication.
Where data is stored: Global edge network (requests are served from the nearest edge location to the practitioner).
Security: SOC 2 Type II certified. Includes DDoS protection and automatic scaling. Vercel does not persistently store application data — it serves the application and routes requests to the backend (Convex).
Data retention: Server logs are retained for a limited period for security and operational monitoring. No client data is stored persistently by Vercel.
Website: vercel.com
5. International Transfers
Most of our sub-processors are based in the United States, which means personal data is transferred outside the United Kingdom when you use TheraScript.
We protect all international transfers using approved safeguards required by UK GDPR:
- UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses (SCCs) — standard contracts approved by the ICO that require the receiving party to protect data to UK standards. Used for transfers to sub-processors in the United States.
- UK adequacy decisions — where the UK government has determined that a country provides adequate data protection. The EU/EEA has a UK adequacy decision, which covers transfers to Polar (Norway) and Google Cloud's EU processing.
In addition to these contractual mechanisms, we apply supplementary measures including encryption in transit and at rest, access controls, and (for OpenAI) zero-retention processing.
Full details of the transfer mechanisms and supplementary measures are set out in Annex C of the Data Processing Agreement.
6. Changes to This List
We will notify you before making changes to our sub-processors:
- At least 30 days' notice before adding a new sub-processor or replacing an existing one
- Notification by email to the address associated with your TheraScript account
- This page will be updated to reflect the change, including the date and details of what changed
If you have concerns about a new or replacement sub-processor, you may object on reasonable data protection grounds within the 30-day notice period. We will discuss your concerns in good faith and work towards a resolution. If we cannot reach agreement, you may terminate your account without penalty. The full objection process is described in Section 8.3 of the Data Processing Agreement.
7. Previous Changes
No changes since initial publication on 1 March 2026.
| Date | Change | Details |
|---|---|---|
| — | — | — |
8. Contact
If you have questions about our sub-processors or how your data is processed, please contact us:
TheraScripts, 167-169 Great Portland Street, London, England, W1W 5PF
Contact form: therascript.com/contact (select "Privacy & Data Rights")
This Sub-processor List was last updated on 1 March 2026.