Subprocessors
Third parties that process personal data on behalf of Acua customers.
Last updated: April 24, 2026
01
What is a subprocessor?
A subprocessor is a third party engaged by Acua to process personal data on behalf of our customers, where our customer is the controller of that data and Acua acts as the processor. This definition follows the terminology used under the EU General Data Protection Regulation (GDPR), the UK GDPR, Japan's Act on the Protection of Personal Information (APPI), Thailand's Personal Data Protection Act (PDPA), and Vietnam's Decree No. 13/2023/ND-CP on Personal Data Protection, where applicable.
02
Why Acua uses subprocessors
Acua relies on established cloud, authentication, AI, messaging, and analytics providers so that the platform can be delivered securely and reliably across our operating regions. Using specialised providers for clearly defined functions — rather than building everything in-house — allows us to offer better security, higher availability, and faster incident response than Acua could practically achieve alone.
03
How we evaluate and onboard subprocessors
Before a new subprocessor is engaged, Acua reviews the provider against the following criteria, adjusted to the nature and volume of data the provider will process:
•Security posture, typically evidenced by SOC 2 Type II, ISO/IEC 27001, or an equivalent independent report •A written data processing agreement that includes GDPR Article 28 terms, applicable cross-border transfer mechanisms (for example, Standard Contractual Clauses), and a breach notification commitment •Scoping the provider's access to the minimum data necessary to deliver the relevant function ("least privilege") •A documented sub-subprocessor policy by the provider, so that we understand the downstream processing chain •Ongoing monitoring through re-review of each provider's security reports, or sooner if the scope of processing materially changes
04
Current subprocessors
The table below lists the third-party subprocessors currently engaged by Acua to process personal data as part of the Acua services. Regions reflect the primary processing region for data generated through Acua; some providers may replicate or back up data to additional regions under their own published policies.
| Provider | Service / category | Purpose of processing | Data location / processing region | Applicable service area | Website | Notes |
|---|---|---|---|---|---|---|
| Google LLC (Google Cloud Platform) | Application hosting, managed database (Cloud SQL), object storage (Cloud Storage) | Hosting of the Acua application and storage of customer account data and uploaded documents | Thailand (GCP region asia-southeast3, Bangkok) for production application and Cloud SQL. Object storage regions may include Japan. | All Acua services | cloud.google.com | Processing under Google Cloud’s Data Processing Addendum. |
| Google LLC (Google Document AI) | Document OCR and structured data extraction | Extract text and structured fields from invoices, receipts, and similar documents uploaded by customers | United States | Invoice processing, expense receipts, and other document-ingestion features | cloud.google.com/document-ai | Listed separately from Google Cloud Platform because processing occurs under a distinct Google service with its own regional footprint. |
| Google LLC (Vertex AI / Gemini) | Generative AI model inference | AI-assisted document understanding, data extraction, and text generation used by Acua features | Processed via Google Cloud (Vertex AI); regional availability depends on the specific model endpoint. | AI-assisted features across the Acua platform | cloud.google.com/vertex-ai | Contracting entity is Google LLC; data handling follows Google Cloud’s Data Processing Addendum. Customer content is not used to train general-purpose models under the Vertex AI terms. |
| Okta, Inc. (Auth0) | Authentication and identity management | User sign-in, session management, and identity-provider integration for the Acua application | Japan (Auth0 tenant region) | All Acua services | auth0.com | Contracting entity is Okta, Inc. (Auth0 was acquired by Okta in 2021). |
| Temporal Technologies, Inc. (Temporal Cloud) | Workflow orchestration | Durable execution of background workflows (for example, document processing pipelines and scheduled jobs) | Temporal Cloud namespace region; confirm current configuration with your Acua account team. | Acua services that rely on workflow orchestration | temporal.io | Workflow inputs and outputs may contain personal data embedded in workflow payloads. |
| Resend, Inc. | Transactional email delivery | Delivery of outbound transactional emails (account notifications, receipts, password resets) | United States (primary region) | All Acua services | resend.com | Email metadata (sender, recipient, subject, delivery status) is retained by Resend in accordance with its retention policy. |
| Wildbit LLC (Postmark) | Inbound email and webhook processing | Receiving and normalising inbound emails addressed to Acua (for example, invoices forwarded by customers) | United States (primary region) | Inbound email ingestion features | postmarkapp.com | Contracting entity is Wildbit LLC (operator of Postmark), an ActiveCampaign company. |
| PostHog Inc. | Product analytics | Usage analytics, feature-adoption measurement, and session analytics to improve the Acua product | PostHog Cloud (tenant region configured by Acua). | All Acua services | posthog.com | Acua configures PostHog to minimise the collection of personal data. See the Privacy Policy for cookies and tracking. |
| Slack Technologies, LLC | Slack integration delivery | Delivering Acua notifications and workflows into Slack workspaces where a customer has explicitly enabled the Slack integration | United States (Slack primary region). | Customers who enable the Slack integration | slack.com | Only applies to customers who opt in by installing the Acua Slack app. No Slack processing occurs for customers who do not enable the integration. |
05
Updates to this list
Acua reviews this list on an ongoing basis and will update this page when a new subprocessor begins processing personal data on behalf of customers, or when an existing subprocessor is removed. Customers with a signed data processing agreement that entitles them to advance notice of subprocessor changes will be notified in accordance with the notice mechanism described in that agreement. For customers on click-through or standard terms, the updated list on this page is the authoritative source; the "Last updated" date above reflects the most recent change.
06
Contact
Questions about this page, or about the processing of personal data by any of the subprocessors listed above, can be sent to privacy@acua.ai. For general enquiries, please use our Contact page.
Acua Inc.
MIEUX Shibuya Building 8F, 5-3 MaruyamachĹŤ, Shibuya-ku, Tokyo 150-0044, Japan
Acua Inc.
MIEUX Shibuya Building 8F, 5-3 MaruyamachĹŤ, Shibuya-ku, Tokyo 150-0044, Japan