<!-- doc-meta
status: living
scope: GDPR/DPA compliance — third-party services and data processors
authority: Third-party service disclosure and DPA status record
last_verified: 2026-05-24
invalidated_by: New third-party service integration, service removal
see_also: [docs/legal/CORE_PRIVACY_POLICY.md, docs/REGISTRY.md]
-->

# Third-Party Services and Processors

This document lists every third-party service that Viola sends user data to,
what data is sent, why, and the DPA (Data Processing Agreement) status where
the service acts as Viola's processor.

Some services below, especially user-selected music providers, are not Viola
processors. They are direct services the user chooses to connect; their own
terms and privacy policies govern that relationship.

All integrations listed below are **optional** unless marked otherwise. Users
choose which services to enable.

---

## 1. AI / Language Model Providers

### Anthropic (Claude API)

| Field | Value |
|-------|-------|
| **Data sent** | User prompts, conversation history, tool-use requests |
| **Why** | Natural language understanding, agent loop execution |
| **Triggered by** | Voice commands, text queries routed to LLM |
| **DPA available** | Yes &mdash; [Anthropic DPA](https://www.anthropic.com/policies/data-processing-addendum) |
| **DPA status** | Required |

### OpenAI (GPT API + Whisper)

| Field | Value |
|-------|-------|
| **Data sent** | User prompts, conversation history, tool-use requests, audio when cloud speech-to-text is enabled |
| **Why** | Managed AI, optional BYOK AI provider, and speech-to-text transcription |
| **Triggered by** | Voice commands, text queries, managed AI routing, or cloud speech-to-text when enabled |
| **DPA available** | Yes &mdash; [OpenAI DPA](https://openai.com/policies/data-processing-addendum) |
| **DPA status** | Required |

### Additional OpenAI-compatible BYOK providers and custom endpoints

| Field | Value |
|-------|-------|
| **Data sent** | User prompts, conversation history, tool-use requests, relevant profile or learned-model context when included in the prompt, and provider request metadata |
| **Why** | Optional AI routing through user-selected provider presets or a custom OpenAI-compatible endpoint |
| **Triggered by** | User selects an OpenAI-compatible BYOK provider such as OpenRouter, Groq, Together, Mistral, Perplexity, DeepSeek, Fireworks, xAI, Cohere, or a custom base URL |
| **DPA available** | Provider-specific |
| **DPA status** | Direct user-provider relationship; user/operator must review the selected provider terms and DPA before enabling |

### Deepgram (cloud speech-to-text, optional)

| Field | Value |
|-------|-------|
| **Data sent** | Voice audio selected for cloud transcription and transcription request metadata |
| **Why** | Optional cloud speech-to-text when configured instead of local transcription |
| **Triggered by** | User or operator enables Deepgram cloud transcription |
| **DPA available** | Provider-specific |
| **DPA status** | Required before enabling for user audio |

---

## 2. Payment Processors

### Stripe

| Field | Value |
|-------|-------|
| **Data sent** | User email, plan selection, payment card details (via Stripe Checkout) |
| **Why** | Credit card subscription billing |
| **Triggered by** | User initiates subscription purchase |
| **DPA available** | Yes &mdash; [Stripe DPA](https://stripe.com/legal/dpa) |
| **DPA status** | Required |

### BTCPay Server (self-hosted)

| Field | Value |
|-------|-------|
| **Data sent** | User ID, plan info, invoice metadata |
| **Why** | Bitcoin/Lightning payment processing |
| **Triggered by** | User selects cryptocurrency payment |
| **DPA available** | N/A &mdash; self-hosted, operator controls data |
| **DPA status** | Not required (self-hosted infrastructure) |

---

## 3. Music Services (Direct User-Provider Relationship)

Music services are direct services the user chooses to connect. Viola is the
client. These providers are disclosed here for launch-readiness completeness,
but they are not listed as Viola data processors in the Privacy Policy's
processor table.

### YouTube / YouTube Music (Google)

| Field | Value |
|-------|-------|
| **Data sent** | Search queries, playback requests, and web player asset requests for launch-supported YouTube/Google music paths |
| **Why** | Music search, playback, and playlist resolution where supported |
| **Triggered by** | "Play [song]" commands |
| **DPA available** | Yes &mdash; [Google Cloud DPA](https://cloud.google.com/terms/data-processing-addendum) |
| **DPA status** | Covered under Google account/API agreements where applicable; direct user-provider service |

### Spotify (Windows desktop app only)

| Field | Value |
|-------|-------|
| **Data sent** | Search queries, playback requests, Spotify account sign-in, and web player asset requests from the Windows desktop app |
| **Why** | Spotify playback in the Windows desktop app; embedded browser playback is not offered |
| **Triggered by** | User connects or plays Spotify from the Windows desktop app |
| **DPA available** | No |
| **DPA status** | Direct user-provider service; Spotify is not a Viola cloud processor |

---

## 4. Account and Calendar Integrations

### Google OAuth (account sign-in and Calendar where enabled)

| Field | Value |
|-------|-------|
| **Data sent** | OAuth authorization request, account identifier/profile claims returned through GoTrue for account sign-in, transient GoTrue OAuth flow-state during sign-in or connection, and Calendar data only where Calendar is enabled |
| **Why** | Viola account sign-in and connecting Google Calendar where that feature is enabled |
| **Triggered by** | User chooses Continue with Google on the website login page or connects Google Calendar in Settings where available |
| **Limited Use** | Viola's use of Google user data complies with the Google API Services User Data Policy, including its Limited Use requirements. Google user data is not used to train AI/ML models and is not transferred to data brokers. |
| **DPA available** | Yes &mdash; Google Cloud DPA |
| **DPA status** | Covered by the Google Cloud DPA above |

Google OAuth account sign-in is separate from Calendar scopes. Gmail read,
Drive, Chat, and broader Google Workspace restricted-scope features are not
part of the public launch.

### Apple identity OAuth (account sign-in)

| Field | Value |
|-------|-------|
| **Data sent** | OAuth authorization request and Apple account identifier/profile claims returned through GoTrue for account sign-in |
| **Why** | Viola account sign-in when Apple sign-in is configured and the user chooses Continue with Apple |
| **Triggered by** | User chooses Continue with Apple on the website login page |
| **DPA available** | Via Apple developer terms |
| **DPA status** | Review Apple developer terms if Apple sign-in is enabled |

### Microsoft OAuth / Microsoft Graph Calendar

| Field | Value |
|-------|-------|
| **Data sent** | OAuth authorization data, encrypted OAuth tokens, calendar event data, and calendar request metadata |
| **Why** | Connecting the user's Microsoft calendar so Viola can read and manage calendar events at the user's direction |
| **Triggered by** | User connects Microsoft calendar |
| **DPA available** | Provider-specific Microsoft terms |
| **DPA status** | Review Microsoft terms/DPA before enabling |

---

## 5. Messaging Platforms

### Telegram

| Field | Value |
|-------|-------|
| **Data sent** | Bot token for desktop local setup, message text, chat IDs, account-link metadata |
| **Why** | Telegram bot messaging channel where enabled |
| **DPA status** | Review Telegram Bot API terms |

---

## 6. Utility Services

### wttr.in (Weather)

| Field | Value |
|-------|-------|
| **Data sent** | Location (city name or coordinates), client IP |
| **Why** | Weather data retrieval |
| **Triggered by** | User asks for weather and primary weather providers do not return a result |
| **DPA status** | Free service, no API key, no DPA available |

### National Weather Service / api.weather.gov (Weather)

| Field | Value |
|-------|-------|
| **Data sent** | Latitude and longitude for U.S. weather lookups, client IP |
| **Why** | U.S. weather observations and forecast overlay |
| **Triggered by** | User asks for weather for a U.S. location or provides U.S. coordinates |
| **DPA status** | U.S. government public API; no API key; no DPA available |

### OpenStreetMap Nominatim (Weather Geocoding)

| Field | Value |
|-------|-------|
| **Data sent** | City or location text, client IP |
| **Why** | Convert weather location names to coordinates for provider routing |
| **Triggered by** | User asks for weather by city or location name |
| **DPA status** | Public geocoding service; no API key; review OSMF/Nominatim usage terms |

### ip-api.com (Weather Location Fallback)

| Field | Value |
|-------|-------|
| **Data sent** | Public IP address and client IP metadata |
| **Why** | Best-effort fallback city lookup when the user asks for weather without an explicit or saved location |
| **Triggered by** | Weather command without a city and without a saved weather location |
| **DPA status** | Public/free IP geolocation service; no API key; review provider terms before relying on it for hosted processing |

### EPA AirNow (Air Quality)

| Field | Value |
|-------|-------|
| **Data sent** | Viola downloads the public reporting-area file; per-user coordinates are not sent to AirNow |
| **Why** | U.S. air quality enrichment resolved locally from public reporting-area data |
| **Triggered by** | U.S. coordinate weather requests when AirNow AQI enrichment is enabled |
| **DPA status** | U.S. government/public data source; no API key; no DPA available |

### DuckDuckGo (Web Search)

| Field | Value |
|-------|-------|
| **Data sent** | Search queries |
| **Why** | Agent web search (privacy-preserving) |
| **DPA status** | No user tracking per DDG privacy policy |

### Free Dictionary API

| Field | Value |
|-------|-------|
| **Data sent** | Word lookup queries |
| **Why** | Dictionary/definition lookups |
| **DPA status** | Public API, no PII sent |

### User-configured API Vault endpoints and connector templates

| Field | Value |
|-------|-------|
| **Data sent** | User-supplied API keys or tokens, user-authored request payloads, response payloads, and request metadata |
| **Why** | User-authored API tools and connector template calls such as GitHub, Notion, Slack, Google Maps, OpenWeatherMap, or custom endpoints |
| **Triggered by** | User invokes an API Vault tool or connector template |
| **DPA available** | Provider-specific |
| **DPA status** | Direct user-provider relationship; user/operator must review each selected endpoint's terms and DPA before enabling |

### Resend (Email Delivery)

| Field | Value |
|-------|-------|
| **Data sent** | Email addresses, subject, body |
| **Why** | Transactional email, account notifications, and contact/support form notifications where configured |
| **DPA available** | Yes &mdash; [Resend DPA](https://resend.com/legal/dpa) |
| **DPA status** | Required |

### S3-Compatible Object Storage (Cloudflare R2 or configured S3 backend)

| Field | Value |
|-------|-------|
| **Data sent** | User-uploaded files, phone call recordings, review/support artifacts, object metadata |
| **Why** | Cloud file storage, call-recording storage, and user-requested artifact download/export support |
| **Triggered by** | User enables cloud storage features, cloud phone recording storage, or a cloud artifact export path |
| **DPA available** | Provider-specific; Cloudflare DPA for R2, AWS DPA if AWS S3 is configured |
| **DPA status** | Required before enabling the configured storage backend for user content |

---

### Telnyx (Telephony)

| Field | Value |
|-------|-------|
| **Data sent** | Phone numbers called, call audio streams, call metadata (timestamps, durations) |
| **Why** | Carrier for Viola's outbound phone calling feature (US numbers only) |
| **Triggered by** | User enables phone calling and Viola places an outbound call |
| **DPA available** | Yes &mdash; [Telnyx DPA](https://telnyx.com/data-processing-addendum) |
| **DPA status** | Required |

### Cloudflare

| Field | Value |
|-------|-------|
| **Data sent** | DNS/CDN request metadata; aggregate, cookieless website page-view metrics (Cloudflare Web Analytics); operational alert emails where the Email Service is configured |
| **Why** | DNS, CDN, tunnel to the cloud API, cookieless website analytics, optional operator alert email delivery |
| **Triggered by** | Always (the website and cloud API are served via Cloudflare) |
| **DPA available** | Yes &mdash; [Cloudflare DPA](https://www.cloudflare.com/cloudflare-customer-dpa/) |
| **DPA status** | Required |

---

## 7. Operator Alerting (Optional)

These services receive operational metrics and incident summaries for the operator,
not user content.

### PagerDuty

| Field | Value |
|-------|-------|
| **Data sent** | Operational incident summaries and alert metadata |
| **Why** | Operator incident paging |
| **Triggered by** | Operator alerting configuration |
| **DPA status** | Review required if enabled |

### Pushover

| Field | Value |
|-------|-------|
| **Data sent** | Operational alert messages and delivery metadata |
| **Why** | Operator push notifications |
| **Triggered by** | Operator alerting configuration |
| **DPA status** | Review if enabled |

### Telnyx SMS

| Field | Value |
|-------|-------|
| **Data sent** | SMS destination/origin numbers, verification-code message content, HELP/STOP compliance replies, opted-in inbound/outbound conversational SMS content, delivery metadata, and operator alert SMS content when alerts are configured |
| **Why** | Account SMS verification, user-requested conversational SMS, legally required SMS opt-out/help handling, and optional operator alerting |
| **Triggered by** | Explicit Account SMS opt-in/verification, inbound SMS from a verified/consented launch number, STOP/HELP keywords, or operator alerting configuration |
| **DPA status** | Covered by the Telnyx DPA |

---

## 8. Error Monitoring (Optional)

### Sentry

| Field | Value |
|-------|-------|
| **Data sent** | Error stack traces, sanitized context (no secrets) |
| **Why** | Production error tracking |
| **Triggered by** | Opt-in only via `sentry_dsn` config + privacy consent |
| **DPA available** | Yes &mdash; [Sentry DPA](https://sentry.io/legal/dpa/) |
| **DPA status** | Required if Sentry is used |

---

## Summary of DPA Requirements

| Processor | DPA Required | DPA Available | Status |
|-----------|:----------:|:------------:|--------|
| Anthropic | Yes | Yes | Required |
| OpenAI | Yes | Yes | Required |
| Additional OpenAI-compatible BYOK providers/custom endpoints | If used | Provider-specific | Review selected provider terms/DPA before enabling |
| Deepgram | If used | Provider-specific | Required before enabling for user audio |
| Google OAuth | Yes | Yes | Required |
| Apple identity OAuth | If used | Terms-based | Review Apple developer terms if enabled |
| Microsoft OAuth / Graph | If used | Provider-specific | Review Microsoft terms/DPA before enabling |
| Stripe | Yes | Yes | Required |
| BTCPay | No | N/A | Self-hosted |
| Cloudflare | Yes | Yes | Required |
| Telnyx | Yes | Yes | Required |
| Spotify | No | N/A | Direct user-provider service for the Windows desktop app; no cloud processor |
| Resend | Yes | Yes | Required |
| Sentry | If used | Yes | Required if enabled |
| PagerDuty | If used | Review | Review required if enabled |
| Pushover | If used | Review | Review if enabled |
| Telegram | No | Review | Review Telegram Bot API terms when enabled |
| wttr.in | No | N/A | Receives city + client IP; no API key, no DPA available |
| National Weather Service | No | N/A | Receives U.S. coordinates + client IP; public government API |
| OpenStreetMap Nominatim | No | N/A | Receives weather location text + client IP; public geocoding service |
| ip-api.com | No | N/A | Receives public IP/client IP metadata for fallback weather-location lookup; no API key |
| EPA AirNow | No | N/A | Public reporting-area file only; no per-user coordinates sent |
| DuckDuckGo | No | N/A | No tracking |
| Free Dictionary API | No | N/A | Public API, no PII sent |
| API Vault / user-configured endpoints | If used | Provider-specific | Direct user-provider relationship; review each endpoint before enabling |
