# Third-party Subprocessors

Taloflow uses a minimal number of third-party subprocessors. All are assessed for privacy compliance, and Data Processing Agreements (DPAs) are in place with each before any personal data is shared.

## Subprocessor List

| Processor | Parent Company      | Data Shared                                 | Purpose                             | Compliance               | DPA in Place | Location |
| --------- | ------------------- | ------------------------------------------- | ----------------------------------- | ------------------------ | ------------ | -------- |
| Auth0     | Okta, Inc.          | Email, name, password hash                  | Identity management, authentication | SOC 2 Type II, ISO 27001 | Yes          | USA      |
| Linode    | Akamai Technologies | All data (infrastructure host)              | Cloud infrastructure and hosting    | SOC 2 Type II, ISO 27001 | Yes          | USA      |
| Stripe    | Stripe, Inc.        | Subscription references only (no card data) | Payment processing                  | PCI DSS Level 1          | Yes          | USA      |

## What Taloflow Does Not Share

* Payment card numbers are not shared with Taloflow or any processor other than Stripe. Card data is collected client-side via Stripe.js and never transits Taloflow infrastructure.
* Evaluation content — product assessments, requirements, and scoring — is not shared with any third party.
* Auth0 receives only the identity fields strictly necessary for authentication. It does not receive evaluation data, organizational content, or usage analytics.

{% hint style="info" %}
The use of Stripe.js means Taloflow operates outside PCI DSS scope for card data. No card numbers, CVCs, or expiry dates are ever present on Taloflow servers.
{% endhint %}

## Subprocessor Detail

### Auth0 (Okta, Inc.)

Taloflow delegates credential storage entirely to Auth0. Passwords never reach Taloflow servers in any form. In addition to credential storage, Auth0 provides:

| Feature                           | Description                                                     |
| --------------------------------- | --------------------------------------------------------------- |
| Multi-factor authentication (MFA) | TOTP and push-based second factors                              |
| Brute force protection            | Automatic lockout after repeated failed logins                  |
| Password breach detection         | Integration with haveibeenpwned to flag compromised credentials |
| Anomaly detection                 | Impossible travel and suspicious login detection                |

Auth0 is SOC 2 Type II and ISO 27001 certified.

### Linode (Akamai Technologies)

All Taloflow infrastructure runs on Linode, now part of Akamai Connected Cloud. Physical data center security controls include:

| Control            | Detail                                                 |
| ------------------ | ------------------------------------------------------ |
| Perimeter security | Fencing and controlled entry points                    |
| Access control     | Multi-factor authentication and biometric verification |
| Monitoring         | 24/7 on-site monitoring                                |
| Visitor management | Logged visitor access with escort requirements         |

Akamai is SOC 2 Type II and ISO 27001 certified.

{% hint style="info" %}
Taloflow retains full key sovereignty over data stored on Linode. Encryption keys are managed by Taloflow and are not accessible to Akamai.
{% endhint %}

### Stripe (Stripe, Inc.)

Payment card data is collected directly by Stripe.js in the user's browser and never touches Taloflow servers. Taloflow receives only:

* A Stripe subscription ID
* Plan status (via webhook)

No card number, CVV, or expiry date is ever transmitted to or stored on Taloflow infrastructure. Stripe is PCI DSS Level 1 certified.

## Updates

This page is updated when subprocessors are added or removed. Organizations requiring advance notice of subprocessor changes should review the DPA terms or contact <privacy@taloflow.ai>.

**Last reviewed:** April 2026


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.taloflow.ai/security/data-privacy/third-party-subprocessors.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.