Skip to content
    FollowUP Logo

    Sub-Processors

    The third parties (Sub-processors) that may access or process data on our behalf.

    FollowUP CRM - Sub-Processor List

    Effective Date: 10 May 2026 Last Updated: 10 May 2026 Notification Subscription: Customers may subscribe to change notifications by emailing info@followup.agency with subject line "Subscribe to Sub-Processor Updates."


    📋 Quick Summary (TL;DR)

    • What this is. A complete list of the third-party companies (Sub-processors) that may access, process, or store data we hold on your behalf.
    • Why this exists. We are required by the GDPR (Article 28), the UK GDPR, the Georgian Law on Personal Data Protection, and best practices to disclose Sub-processors and notify Customers of changes.
    • Live document. This page is updated when we add, replace, or remove Sub-processors.
    • Notice period. Customers receive at least 14 days' notice before a new Sub-processor begins processing personal data, except where shorter notice is needed for urgent security reasons.
    • Right to object. Customers may object to a new Sub-processor on reasonable data protection grounds - see DPA Section 9.4.

    1. About This List

    1.1 What Is a Sub-Processor

    A Sub-processor is any third-party company that processes personal data on behalf of FollowUP CRM (Sales Consulting Group LLC, Georgia). Sub-processors include both:

    (a) Direct Sub-processors - third parties we engage directly; and (b) Sub-Sub-Processors - third parties engaged by our direct Sub-processors (such as cloud infrastructure providers used by HighLevel).

    1.2 How Changes Are Communicated

    When we add, replace, or remove a Sub-processor:

    • this page is updated with the change date;
    • where Customers have subscribed to notifications, an email is sent at least 14 days before the new Sub-processor begins processing data;
    • in urgent security situations, notice may be shorter, but we will explain the reason.

    1.3 Right to Object

    Customers may object to a new Sub-processor on reasonable data protection grounds by emailing info@followup.agency within 14 days of notice. If not resolved within 30 days, the Customer may terminate the affected portion of the MSA.


    2. Categories of Sub-Processors

    2.1 Underlying SaaS Platform (Primary Sub-Processor)

    Sub-ProcessorRoleLocationData AccessedTransfer Mechanism
    HighLevel Inc. (operating as GoHighLevel, LeadConnector, SaasPreneur)Primary platform infrastructure - the FollowUP CRM Platform is operated as a white-labelled instance of HighLevelHeadquartered in Dallas, Texas, USA. Data stored on Google Cloud Platform US regions (and EU regions where customer/feature requires)All Customer Data and personal data uploaded to or generated within the PlatformEU-U.S. Data Privacy Framework (DPF) certification + EU SCCs as fallback. UK Extension to the DPF and UK Addendum. Swiss Data Privacy Framework.

    HighLevel maintains: ISO/IEC 27001:2022, SOC 2 Type II, and EU-U.S. DPF certification.

    2.2 Cloud Infrastructure

    Sub-ProcessorRoleLocationTransfer Mechanism
    Google Cloud Platform (Google LLC)Underlying cloud hosting, compute, storage, networking for HighLevelUSA (with EU/other regions for region-specific data, where supported)EU-U.S. DPF (Google certified) + EU SCCs
    Cloudflare, Inc.DNS, CDN, DDoS mitigation, Web Application Firewall, edge cachingUSA (with global edge locations)EU-U.S. DPF (Cloudflare certified) + EU SCCs

    2.3 Communications Infrastructure

    Sub-ProcessorRoleLocationTransfer Mechanism
    Twilio Inc.SMS, MMS, voice, RCS messaging infrastructureUSAEU-U.S. DPF (Twilio certified) + EU SCCs
    LeadConnector (operated by HighLevel)HighLevel's branded layer over Twilio for SMS, voice, A2P 10DLC registrationUSAVia HighLevel - DPF + SCCs
    Mailgun Technologies Inc.Transactional and marketing email deliveryUSAEU-U.S. DPF (Mailgun certified) + EU SCCs
    SendGrid (Twilio SendGrid)Alternative email delivery infrastructureUSAVia Twilio - DPF + SCCs
    Amazon Web Services / Amazon SESBackup / additional email and infrastructure servicesUSA / EUEU-U.S. DPF (AWS certified) + EU SCCs

    2.4 Payment Processing

    Sub-ProcessorRoleLocationTransfer Mechanism
    JSC TBC Bank / FlittPrimary payment processor for Customers contracting with the Georgian entityGeorgiaDomestic - Georgian data protection law applies
    Stripe Inc. / Stripe Payments Europe Ltd.Payment processor for international Customers and Customers contracting with the future U.S. affiliateUSA / IrelandEU-U.S. DPF (Stripe certified) + EU SCCs

    2.5 Customer Support Tools

    Sub-ProcessorRoleLocationTransfer Mechanism
    HighLevel-native chat widget (LeadConnector)Live chat widget on followup.agency for visitor inquiries; in-platform messaging for Customer supportUSA, via HighLevel infrastructureVia HighLevel - DPF + SCCs
    info@followup.agency mailbox (Google Workspace)Customer support email handling, billing inquiries, privacy requests, abuse reports, all customer communicationsUSA / EUEU-U.S. DPF (Google certified) + EU SCCs

    2.6 Analytics and Product Insights

    Sub-ProcessorRoleLocationTransfer Mechanism
    Google LLC (Google Analytics 4)Web analytics on the followup.agency marketing site (with Customer consent)USAEU-U.S. DPF (Google certified) + EU SCCs
    HighLevel native product analyticsIn-product usage telemetry within the PlatformUSA, via HighLevelVia HighLevel - DPF + SCCs

    2.7 AI Service Providers

    These are activated when Customers use AI Features.

    Sub-ProcessorRoleLocationTransfer Mechanism
    OpenAI, L.L.C.GPT-class language model APIs for Conversation AI, Content AI, Workflow AIUSAEU-U.S. DPF (OpenAI certified) + EU SCCs. API tier: inputs not used to train models.
    Anthropic PBCClaude-class language model APIs for AI FeaturesUSAEU-U.S. DPF (Anthropic certified) + EU SCCs. API tier: inputs not used to train models without opt-in (we do not opt in).
    Google LLC (Gemini API)Gemini-class language model APIs where usedUSAEU-U.S. DPF + EU SCCs
    ElevenLabs Inc.Voice synthesis for AI voice agentsUSAEU SCCs
    Meta Platforms (where used for Llama AI services)Llama-class modelsUSAEU-U.S. DPF + EU SCCs
    HighLevel-native AI servicesAI features built directly into HighLevel's platformUSA, via HighLevelVia HighLevel - DPF + SCCs

    2.8 Domain & DNS Services

    Sub-ProcessorRoleLocationTransfer Mechanism
    Cloudflare RegistrarDomain registration (where Customers buy domains through the Platform)USAEU-U.S. DPF + EU SCCs

    2.9 Security & Monitoring

    Sub-ProcessorRoleLocationTransfer Mechanism
    Vulnerability scanning tools (via HighLevel)Continuous vulnerability scanning of the Platform infrastructureUSA / EUVia HighLevel
    Penetration testing partners (via HighLevel, annually)Third-party annual penetration testingUSA / EUVia HighLevel
    SIEM / log aggregation (via HighLevel)Security event monitoringUSAVia HighLevel

    2.10 Marketing Tools (FollowUP CRM's Own Marketing)

    These tools process website visitor and prospect data, not Customer Personal Data within the Platform itself.

    Sub-ProcessorRoleLocation
    Meta Platforms (Facebook/Instagram)Marketing pixel, ad targeting, Conversion APIUSA
    Google LLC (Google Ads, Google Analytics)Marketing pixel, conversion trackingUSA
    LinkedIn CorporationLinkedIn Insight Tag, B2B ad targetingUSA
    TikTok / Bytedance Ltd.TikTok Pixel for ad targeting and conversion trackingUSA / Singapore

    For full details, see our Cookie Policy.

    2.11 Internal Operations Tools

    For completeness, we use internal tools (Slack, Notion, Google Workspace, etc.) for our own operations. These do not, in the normal course, process Customer Personal Data.

    ToolUseLocation
    Google Workspace (Gmail, Drive, Calendar, Meet)Internal email, document storage, calendar, meetingsUSA / EU
    Slack / SalesforceInternal team messagingUSA
    Notion / ConfluenceInternal documentationUSA
    HR / payroll toolsEmployee managementGeorgia / USA
    Accounting / financial toolsBookkeepingGeorgia

    3. International Data Transfer Mechanisms

    3.1 EU-U.S. Data Privacy Framework (DPF)

    For U.S.-based Sub-processors certified under the DPF, this provides a lawful transfer mechanism under GDPR Article 45 (adequacy decision). DPF certifications are verifiable at dataprivacyframework.gov.

    DPF-certified Sub-processors as of the Effective Date include: HighLevel, Google, Cloudflare, Twilio, Mailgun, Stripe, OpenAI, Anthropic.

    3.2 EU Standard Contractual Clauses (SCCs)

    For all Restricted Transfers not exclusively covered by the DPF, we rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).

    3.3 UK Addendum and UK IDTA

    For Restricted Transfers from the UK, we rely on the UK Addendum to the EU SCCs or the UK IDTA as appropriate.

    3.4 Swiss Adaptations

    For Restricted Transfers from Switzerland, we rely on the Swiss-U.S. Data Privacy Framework for Swiss-DPF-certified U.S. Sub-processors, and the Swiss-adapted SCCs otherwise.

    3.5 Georgian Restricted Transfers

    For Restricted Transfers from Georgia, we rely on adequate level of protection decisions, appropriate safeguards equivalent to EU SCCs, or explicit data subject consent.

    3.6 Transfer Impact Assessments

    For Restricted Transfers to the U.S. and other third countries without an adequacy decision, we have conducted Transfer Impact Assessments (TIAs) post-Schrems II. Customers may request a redacted copy by emailing info@followup.agency.


    4. Sub-Processor Engagement and Oversight

    4.1 How We Select Sub-Processors

    Before engaging a Sub-processor, we evaluate: security and compliance certifications; data protection terms; track record; fit for purpose; financial stability.

    4.2 Contractual Safeguards

    Each Sub-processor is bound by a written agreement containing: data protection terms substantially equivalent to those in our DPA; confidentiality obligations; security measures; breach notification (typically within 24-72 hours); sub-sub-processing controls; audit rights; deletion or return of personal data on termination.

    4.3 Ongoing Oversight

    We maintain ongoing oversight through: annual review of compliance documentation; monitoring of public security incident disclosures; periodic re-assessment of data protection terms; incident response coordination.


    5. Customer Notification Subscription

    To receive email notifications when this Sub-Processor List is updated, email info@followup.agency with the subject "Subscribe to Sub-Processor Updates." You will receive notification at least 14 days before any new Sub-processor begins processing personal data.


    6. Change Log

    DateChange
    10 May 2026Initial publication of the Sub-Processor List v2.0.

    7. Contact

    Sales Consulting Group LLC (operating as FollowUP CRM) Bakhtrioni 11, Tbilisi, Georgia Company ID: 405727254


    End of Sub-Processor List v2.0