Subprocessors
Harmonity is built for teams handling sensitive contract work. To operate the Service, we may use carefully selected third-party service providers (“Subprocessors”) that process Customer Personal Data on our behalf (as a Processor), under written agreements and security requirements consistent with our Data Processing Addendum (DPA).
- ●Product / Service subprocessors (used to deliver Harmonity to customers)
- ●Website / marketing third parties (used on harmonity.ai and related pages), where applicable
1. Definitions (quick)
2. Product / Service Subprocessors
The table below lists subprocessors involved in providing the Harmonity Service (e.g., hosting, support tooling, security monitoring). Some vendors may process only limited metadata rather than full contract documents.
| Subprocessor | Purpose | Typical data processed | Processing region |
|---|---|---|---|
| Cloud Infrastructure / Hosting Provider | Core hosting and compute for the Service | Customer Data stored/processed in the Service (including documents and metadata) | TR / EU / US |
| Object Storage / Backup Provider | Secure storage and backups | Encrypted backups; stored Customer Data | TR / EU / US |
| Email Delivery Provider | Service emails (invites, notifications, security alerts) | User email addresses, notification metadata | TR / EU / US |
| Customer Support / Ticketing Tool | Customer support operations | Support requests, contact info, attachments submitted to support | TR / EU / US |
| Error Monitoring / Logging Tool | Reliability and incident diagnosis | Technical logs/telemetry; may include user IDs and limited metadata | TR / EU / US |
| Analytics (Product) Vendor | Product usage analytics (in-app) | Usage events, device/browser data; typically pseudonymous identifiers | TR / EU / US |
| AI Model / AI Infrastructure Provider | AI-enabled features initiated by Customer (Harmony AI) | Inputs/outputs to generate requested AI results (as configured) | TR / EU / US |
Important boundaries (as committed in the DPA):
- Subprocessors may only process Customer Personal Data to provide the Service under our instructions.
- No training on Customer Data for general-purpose models unless Customer explicitly opts in in writing.
3. Website / Marketing Third Parties
This section is for transparency about third parties used on our website (e.g., embedded video, chat widgets, analytics, ad pixels). These providers may set cookies or collect data as described in our Cookie Statement and Cookie Preferences controls.
| Provider category | Example use | Data involved | Notes |
|---|---|---|---|
| Embedded video | YouTube / Vimeo embeds | IP address, device/browser data, page interactions | Controlled via cookie categories where applicable |
| Chat widget | Intercom / HubSpot / similar | Chat content, contact details you submit, device/browser data | You can choose what you share |
| Website analytics | Analytics vendor(s) | Page views, events, device/browser data | Consent-based (Analytics category) |
| Advertising pixels | Meta / LinkedIn / Google | Ad attribution and measurement data | Consent-based (Marketing category) |
If a vendor acts as an independent controller for its own purposes (common for some ad platforms), that will be described in our Cookie/Privacy documentation.
4. How we add or change subprocessors
We update this page as subprocessors change.
Notice approach
- We will post updates to this page promptly.
- Where commercially reasonable, we aim to provide advance notice for material subprocessor changes via reasonable channels (e.g., email or in-product notice).
Customer objections
- ●If you have a reasonable data protection objection to a new subprocessor, contact support@harmonity.ai with details.
- ●We will work in good faith to address objections (e.g., provide information, suggest a workaround, or consider alternatives where feasible).
- ●If we cannot resolve the objection, applicable remedies (including termination of the affected Service component) follow the Agreement and DPA.
5. How we evaluate subprocessors
Before engaging a subprocessor, we apply risk-based due diligence and contractual safeguards, including:
- Written data processing obligations (confidentiality, security, breach notification)
- Scope-limitation (least-privilege access and purpose limitation)
- Security review appropriate to the risk (architecture controls, access controls, incident practices)
- Ongoing vendor management aligned with operational needs
6. International transfers
Depending on vendor location and Customer configuration, data may be processed outside Türkiye and/or outside the EU/EEA/UK.
Where GDPR/UK GDPR applies, we support appropriate transfer mechanisms where required (e.g., Standard Contractual Clauses / UK addendum). Where KVKK applies and specific safeguards are required for cross-border transfers, we will cooperate in good faith to implement the required mechanism as applicable.
See the Data Processing Addendum (DPA) for full details on international transfer mechanisms.
7. Change log
| Date | Change |
|---|---|
| February 1, 2026 | Initial publication |