FollowUP CRM - Sub-Processor List
Effective Date: 10 May 2026 Last Updated: 10 May 2026 Notification Subscription: Customers may subscribe to change notifications by emailing info@followup.agency with subject line "Subscribe to Sub-Processor Updates."
📋 Quick Summary (TL;DR)
- What this is. A complete list of the third-party companies (Sub-processors) that may access, process, or store data we hold on your behalf.
- Why this exists. We are required by the GDPR (Article 28), the UK GDPR, the Georgian Law on Personal Data Protection, and best practices to disclose Sub-processors and notify Customers of changes.
- Live document. This page is updated when we add, replace, or remove Sub-processors.
- Notice period. Customers receive at least 14 days' notice before a new Sub-processor begins processing personal data, except where shorter notice is needed for urgent security reasons.
- Right to object. Customers may object to a new Sub-processor on reasonable data protection grounds - see DPA Section 9.4.
1. About This List
1.1 What Is a Sub-Processor
A Sub-processor is any third-party company that processes personal data on behalf of FollowUP CRM (Sales Consulting Group LLC, Georgia). Sub-processors include both:
(a) Direct Sub-processors - third parties we engage directly; and (b) Sub-Sub-Processors - third parties engaged by our direct Sub-processors (such as cloud infrastructure providers used by HighLevel).
1.2 How Changes Are Communicated
When we add, replace, or remove a Sub-processor:
- this page is updated with the change date;
- where Customers have subscribed to notifications, an email is sent at least 14 days before the new Sub-processor begins processing data;
- in urgent security situations, notice may be shorter, but we will explain the reason.
1.3 Right to Object
Customers may object to a new Sub-processor on reasonable data protection grounds by emailing info@followup.agency within 14 days of notice. If not resolved within 30 days, the Customer may terminate the affected portion of the MSA.
2. Categories of Sub-Processors
2.1 Underlying SaaS Platform (Primary Sub-Processor)
| Sub-Processor | Role | Location | Data Accessed | Transfer Mechanism |
|---|---|---|---|---|
| HighLevel Inc. (operating as GoHighLevel, LeadConnector, SaasPreneur) | Primary platform infrastructure - the FollowUP CRM Platform is operated as a white-labelled instance of HighLevel | Headquartered in Dallas, Texas, USA. Data stored on Google Cloud Platform US regions (and EU regions where customer/feature requires) | All Customer Data and personal data uploaded to or generated within the Platform | EU-U.S. Data Privacy Framework (DPF) certification + EU SCCs as fallback. UK Extension to the DPF and UK Addendum. Swiss Data Privacy Framework. |
HighLevel maintains: ISO/IEC 27001:2022, SOC 2 Type II, and EU-U.S. DPF certification.
2.2 Cloud Infrastructure
| Sub-Processor | Role | Location | Transfer Mechanism |
|---|---|---|---|
| Google Cloud Platform (Google LLC) | Underlying cloud hosting, compute, storage, networking for HighLevel | USA (with EU/other regions for region-specific data, where supported) | EU-U.S. DPF (Google certified) + EU SCCs |
| Cloudflare, Inc. | DNS, CDN, DDoS mitigation, Web Application Firewall, edge caching | USA (with global edge locations) | EU-U.S. DPF (Cloudflare certified) + EU SCCs |
2.3 Communications Infrastructure
| Sub-Processor | Role | Location | Transfer Mechanism |
|---|---|---|---|
| Twilio Inc. | SMS, MMS, voice, RCS messaging infrastructure | USA | EU-U.S. DPF (Twilio certified) + EU SCCs |
| LeadConnector (operated by HighLevel) | HighLevel's branded layer over Twilio for SMS, voice, A2P 10DLC registration | USA | Via HighLevel - DPF + SCCs |
| Mailgun Technologies Inc. | Transactional and marketing email delivery | USA | EU-U.S. DPF (Mailgun certified) + EU SCCs |
| SendGrid (Twilio SendGrid) | Alternative email delivery infrastructure | USA | Via Twilio - DPF + SCCs |
| Amazon Web Services / Amazon SES | Backup / additional email and infrastructure services | USA / EU | EU-U.S. DPF (AWS certified) + EU SCCs |
2.4 Payment Processing
| Sub-Processor | Role | Location | Transfer Mechanism |
|---|---|---|---|
| JSC TBC Bank / Flitt | Primary payment processor for Customers contracting with the Georgian entity | Georgia | Domestic - Georgian data protection law applies |
| Stripe Inc. / Stripe Payments Europe Ltd. | Payment processor for international Customers and Customers contracting with the future U.S. affiliate | USA / Ireland | EU-U.S. DPF (Stripe certified) + EU SCCs |
2.5 Customer Support Tools
| Sub-Processor | Role | Location | Transfer Mechanism |
|---|---|---|---|
| HighLevel-native chat widget (LeadConnector) | Live chat widget on followup.agency for visitor inquiries; in-platform messaging for Customer support | USA, via HighLevel infrastructure | Via HighLevel - DPF + SCCs |
| info@followup.agency mailbox (Google Workspace) | Customer support email handling, billing inquiries, privacy requests, abuse reports, all customer communications | USA / EU | EU-U.S. DPF (Google certified) + EU SCCs |
2.6 Analytics and Product Insights
| Sub-Processor | Role | Location | Transfer Mechanism |
|---|---|---|---|
| Google LLC (Google Analytics 4) | Web analytics on the followup.agency marketing site (with Customer consent) | USA | EU-U.S. DPF (Google certified) + EU SCCs |
| HighLevel native product analytics | In-product usage telemetry within the Platform | USA, via HighLevel | Via HighLevel - DPF + SCCs |
2.7 AI Service Providers
These are activated when Customers use AI Features.
| Sub-Processor | Role | Location | Transfer Mechanism |
|---|---|---|---|
| OpenAI, L.L.C. | GPT-class language model APIs for Conversation AI, Content AI, Workflow AI | USA | EU-U.S. DPF (OpenAI certified) + EU SCCs. API tier: inputs not used to train models. |
| Anthropic PBC | Claude-class language model APIs for AI Features | USA | EU-U.S. DPF (Anthropic certified) + EU SCCs. API tier: inputs not used to train models without opt-in (we do not opt in). |
| Google LLC (Gemini API) | Gemini-class language model APIs where used | USA | EU-U.S. DPF + EU SCCs |
| ElevenLabs Inc. | Voice synthesis for AI voice agents | USA | EU SCCs |
| Meta Platforms (where used for Llama AI services) | Llama-class models | USA | EU-U.S. DPF + EU SCCs |
| HighLevel-native AI services | AI features built directly into HighLevel's platform | USA, via HighLevel | Via HighLevel - DPF + SCCs |
2.8 Domain & DNS Services
| Sub-Processor | Role | Location | Transfer Mechanism |
|---|---|---|---|
| Cloudflare Registrar | Domain registration (where Customers buy domains through the Platform) | USA | EU-U.S. DPF + EU SCCs |
2.9 Security & Monitoring
| Sub-Processor | Role | Location | Transfer Mechanism |
|---|---|---|---|
| Vulnerability scanning tools (via HighLevel) | Continuous vulnerability scanning of the Platform infrastructure | USA / EU | Via HighLevel |
| Penetration testing partners (via HighLevel, annually) | Third-party annual penetration testing | USA / EU | Via HighLevel |
| SIEM / log aggregation (via HighLevel) | Security event monitoring | USA | Via HighLevel |
2.10 Marketing Tools (FollowUP CRM's Own Marketing)
These tools process website visitor and prospect data, not Customer Personal Data within the Platform itself.
| Sub-Processor | Role | Location |
|---|---|---|
| Meta Platforms (Facebook/Instagram) | Marketing pixel, ad targeting, Conversion API | USA |
| Google LLC (Google Ads, Google Analytics) | Marketing pixel, conversion tracking | USA |
| LinkedIn Corporation | LinkedIn Insight Tag, B2B ad targeting | USA |
| TikTok / Bytedance Ltd. | TikTok Pixel for ad targeting and conversion tracking | USA / Singapore |
For full details, see our Cookie Policy.
2.11 Internal Operations Tools
For completeness, we use internal tools (Slack, Notion, Google Workspace, etc.) for our own operations. These do not, in the normal course, process Customer Personal Data.
| Tool | Use | Location |
|---|---|---|
| Google Workspace (Gmail, Drive, Calendar, Meet) | Internal email, document storage, calendar, meetings | USA / EU |
| Slack / Salesforce | Internal team messaging | USA |
| Notion / Confluence | Internal documentation | USA |
| HR / payroll tools | Employee management | Georgia / USA |
| Accounting / financial tools | Bookkeeping | Georgia |
3. International Data Transfer Mechanisms
3.1 EU-U.S. Data Privacy Framework (DPF)
For U.S.-based Sub-processors certified under the DPF, this provides a lawful transfer mechanism under GDPR Article 45 (adequacy decision). DPF certifications are verifiable at dataprivacyframework.gov.
DPF-certified Sub-processors as of the Effective Date include: HighLevel, Google, Cloudflare, Twilio, Mailgun, Stripe, OpenAI, Anthropic.
3.2 EU Standard Contractual Clauses (SCCs)
For all Restricted Transfers not exclusively covered by the DPF, we rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).
3.3 UK Addendum and UK IDTA
For Restricted Transfers from the UK, we rely on the UK Addendum to the EU SCCs or the UK IDTA as appropriate.
3.4 Swiss Adaptations
For Restricted Transfers from Switzerland, we rely on the Swiss-U.S. Data Privacy Framework for Swiss-DPF-certified U.S. Sub-processors, and the Swiss-adapted SCCs otherwise.
3.5 Georgian Restricted Transfers
For Restricted Transfers from Georgia, we rely on adequate level of protection decisions, appropriate safeguards equivalent to EU SCCs, or explicit data subject consent.
3.6 Transfer Impact Assessments
For Restricted Transfers to the U.S. and other third countries without an adequacy decision, we have conducted Transfer Impact Assessments (TIAs) post-Schrems II. Customers may request a redacted copy by emailing info@followup.agency.
4. Sub-Processor Engagement and Oversight
4.1 How We Select Sub-Processors
Before engaging a Sub-processor, we evaluate: security and compliance certifications; data protection terms; track record; fit for purpose; financial stability.
4.2 Contractual Safeguards
Each Sub-processor is bound by a written agreement containing: data protection terms substantially equivalent to those in our DPA; confidentiality obligations; security measures; breach notification (typically within 24-72 hours); sub-sub-processing controls; audit rights; deletion or return of personal data on termination.
4.3 Ongoing Oversight
We maintain ongoing oversight through: annual review of compliance documentation; monitoring of public security incident disclosures; periodic re-assessment of data protection terms; incident response coordination.
5. Customer Notification Subscription
To receive email notifications when this Sub-Processor List is updated, email info@followup.agency with the subject "Subscribe to Sub-Processor Updates." You will receive notification at least 14 days before any new Sub-processor begins processing personal data.
6. Change Log
| Date | Change |
|---|---|
| 10 May 2026 | Initial publication of the Sub-Processor List v2.0. |
7. Contact
- Privacy / data protection inquiries: info@followup.agency
- Subscribe to change notifications: info@followup.agency
- Object to a new Sub-processor: info@followup.agency within 14 days of notice
Sales Consulting Group LLC (operating as FollowUP CRM) Bakhtrioni 11, Tbilisi, Georgia Company ID: 405727254
End of Sub-Processor List v2.0
