Sub-processors

Last updated: 5 June 2026

Fluora Ltd provides an AI telephone receptionist ("Sarah") and missed-call text-back to UK dental practices. Under UK data protection law, the dental practice is the data controller and Fluora is a data processor acting on the practice's documented instructions. To deliver the service we engage the third-party sub-processors set out below. We will give customers at least 30 days' notice before adding, removing or replacing a sub-processor on this list, so they can object.

What can see patient call data. When a patient calls, the call audio and transcript can contain health information the caller volunteers (special category data under UK GDPR Article 9). We list every provider that can see this data — including the AI language models that run inside our voice provider. The three providers that process the content of calls are ElevenLabs (voice) and, through ElevenLabs, OpenAI (the live conversation model) and Google (the post-call analysis model).

1. Sub-processors that may process patient call data

| Sub-processor | What it does | Where data is processed | Safeguard for transfers outside the UK |
| --- | --- | --- | --- |
| ElevenLabs Inc. (Eleven Labs Inc.) | Real-time voice — speech-to-text, text-to-speech, and the conversational-AI runtime that handles the call. Holds the call audio and conversation record. | United States | EU-US Data Privacy Framework & UK Extension (certified); and the UK Addendum to the EU Standard Contractual Clauses |
| OpenAI (via ElevenLabs) | The live conversation language model (GPT-4o) that powers Sarah's understanding and replies during the call. | United States | UK Addendum to the EU Standard Contractual Clauses (OpenAI is not DPF-certified); engaged through ElevenLabs |
| Google (Google LLC) (via ElevenLabs) | The post-call analysis model (Gemini) that reviews the finished transcript for quality and safety checks. | United States | EU-US Data Privacy Framework & UK Extension (certified); engaged through ElevenLabs |
| Twilio Inc. | Inbound telephony (carrying the call) and outbound SMS (booking confirmations). | United States (UK phone numbers provisioned) | EU-US Data Privacy Framework & UK Extension (certified); and Standard Contractual Clauses |
| Supabase Inc. | The primary database and authentication — stores call records, transcripts, bookings and consent logs. | United Kingdom — London (AWS eu-west-2) | None required — data stays in the UK |
| Render Services, Inc. | Hosting for the voice-server that orchestrates calls and writes to the database. | EEA — Frankfurt, Germany | UK-to-EEA adequacy — no separate safeguard required |
| Vercel Inc. | Hosting for the practice portal (web app and its API routes). | United States (global edge network) | EU-US Data Privacy Framework & UK Extension (certified); and the UK Addendum to the EU Standard Contractual Clauses |
| Elestio (Elestio S.à r.l.) | Infrastructure hosting our self-managed automation, which runs post-call workflows (confirmation SMS, callbacks, notifications). | EEA — Nuremberg, Germany | UK-to-EEA adequacy — no separate safeguard required |

2. Sub-processors that do not process patient call data

| Sub-processor | What it does | Where data is processed | Safeguard for transfers outside the UK |
| --- | --- | --- | --- |
| Resend, Inc. | Operational email to practice staff only (onboarding, account and summary emails). Does not carry patient call content. | United States | UK Addendum to the EU Standard Contractual Clauses |
| Functional Software, Inc. (Sentry) | Error and performance monitoring, with personal-data redaction applied before events are sent. | EEA — Germany region | UK-to-EEA adequacy — no separate safeguard required |
| GoCardless Ltd | Direct Debit collection of the practice's subscription fee. Processes the practice's own business billing details — no patient data. | United Kingdom | None required — data stays in the UK |

3. International transfers

Some providers that help us run the service process data in the United States: the AI providers that process the content of calls — ElevenLabs, and through it OpenAI and Google — together with Twilio (telephony and SMS) and Vercel (portal hosting). For each US transfer we rely on a lawful UK safeguard under Chapter V of the UK GDPR: the UK Extension to the EU-US Data Privacy Framework where the provider is certified to it, or the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment. By default, OpenAI and Google do not use data submitted through their APIs to train their models.

Your patient database (Supabase) is hosted in London, UK and is not transferred outside the UK. Our voice-server (Render) and automation host (Elestio) run in the EEA, which the UK recognises as providing an adequate level of protection.

4. Retention

Call audio and transcripts are retained for 90 days and then deleted; Fluora does not store call audio in its own systems. Booking details and consent records are kept for longer to support the practice's record-keeping. Your practice remains responsible for retaining the patient's clinical record in its own clinical system in line with NHS and GDC record-keeping guidance.

Subscribe to changes

To be notified whenever this list changes, email subprocessors@fluora.co.uk. Subscribers are notified at least 30 days before any addition, removal or replacement.