Subprocessors & Third-Party Security

Wispr Flow relies on trusted third-party services for transcription, authentication, payments, and analytics. Here you'll find which services handle your data, how they're secured, and what controls you have.

What it is

Subprocessors are third-party companies that process data on Wispr Flow's behalf. Wispr maintains rigorous vendor management practices — including security reviews, data processing agreements, and ongoing monitoring — to ensure your data remains protected across every service.

How it works in Flow

Overview

Wispr Flow integrates with third-party services across several categories. Each subprocessor is contractually bound to protect your data and undergoes security review before onboarding.

Categories of service providers

• AI/LLM Providers: Baseten (transcription pipeline including ASR and formatting), OpenAI, Anthropic, Cerebras (text processing), Fireworks AI (command mode fallback), OpenRouter

• Authentication: Supabase

• Payment Processing: Stripe (web/desktop), RevenueCat (iOS App Store, Google Play Store)

• Analytics & Messaging: PostHog (product analytics), Segment (data pipeline), Customer.io (transactional email), Sentry (error tracking), Firebase Analytics (Android attribution), AppsFlyer (Android attribution)

• Data Storage: ClickHouse (analytics warehouse), AWS S3

• Communications: Twilio (inbound SMS handling)

• Status & Monitoring: incident.io (status page)

• Enterprise Services: WorkOS (SSO/SCIM), Attio (CRM — syncs enterprise user stats such as word counts, streaks, app usage, and subscription billing data), Pylon (customer support — stores per-user subscription plan, billing platform, enterprise role, and referral information)

Data processing requirements

All subprocessors that process customer data are contractually required to:

• Implement appropriate technical and organizational security measures

• Limit data processing to purposes specified in agreements

• Maintain confidentiality of processed data

• Adhere to zero data retention when Privacy Mode is enabled

• Notify Wispr Flow of any security incidents or breaches

Account deletion and data removal

Upon account deletion, user data removal begins automatically. Email marketing profiles are deleted from Customer.io, and existing data is deleted and future collection suppressed in Segment via SUPPRESS_WITH_DELETE. Active personal Stripe subscriptions are cancelled immediately.

Remaining analytics data (PostHog events, ClickHouse records, usage history) and authentication records (Supabase) are removed as part of a follow-up support-driven cleanup process.

If certain external service deletions fail during the process, the remaining services still complete and the team is notified for follow-up.

Analytics and error tracking

There are currently no in-app controls to opt out of analytics or error tracking.

Privacy Mode and subprocessors

When Privacy Mode is enabled:

• Subprocessors are contractually bound to zero data retention requirements

• No subprocessor retains customer dictation data after processing

• Real-time processing ensures no persistent storage of dictation content

Enterprise administrators can enable Privacy Mode for all organization members through Zero Data Retention (ZDR) settings. Once a HIPAA BAA is signed, ZDR cannot be disabled by anyone. Wispr may also permanently lock ZDR via an internal setting (zdrLocked) — contact support to modify if this is set.

Individual users cannot disable Privacy Mode when either (1) they have personally signed a HIPAA BAA, or (2) their enterprise organization has enforced ZDR.

The HIPAA BAA can be reviewed and signed in-app on desktop and iOS. Desktop opens the BAA PDF in an external browser; iOS displays it inline within the app. Enter your legal name to sign. Signing is irreversible and permanently enforces Privacy Mode on the account.

All users on desktop have three local data storage options:

• Store data locally: Default behavior

• Auto-delete local data every 24 hours: Auto-purge history older than 1 day

• Never store data locally: Block all local data storage and immediately wipe existing data

Enterprise administrators can set a minimum restrictiveness floor that limits which options organization members can select. On iOS, a simpler binary toggle (Auto-delete transcripts) is available instead of the three-option dropdown.

Subprocessor changes

Changes to the subprocessor list:

• Are communicated to customers via the Data Processing Addendum

• Include notification of new subprocessors or changes to existing ones

• Allow customers to review subprocessor security practices

Vendor security assessments

The vendor management program includes:

• Security questionnaire reviews for prospective vendors

• Analysis of vendor security certifications

• Periodic reviews of subprocessor security posture

• Monitoring of vendor security incidents and breaches

Third-party service providers with access to customer data or the production environment maintain relevant security certifications (SOC 2, ISO 27001, etc.), undergo periodic security assessments, and are reviewed as part of annual SOC 2 and ISO 27001 audits.

Security incidents are handled according to incident response procedures and applicable legal requirements, including timely notification to affected customers as required by law.

Infrastructure and data processing locations

Wispr Flow's cloud infrastructure leverages Amazon Web Services (AWS) services including S3, SQS, and Secrets Manager, along with Supabase (authentication), Redis, and ClickHouse (analytics). The default AWS region is US East (us-east-1). The primary production API endpoint is api.wisprflow.ai.

Infrastructure security includes:

• Infrastructure security controls provided by AWS

• Compliance with cloud provider security best practices

• High availability data centers with multiple availability zones

• Virtual Private Cloud (VPC) environment with network segmentation

• Failover capabilities for production servers in the event of hardware or software failures

All production systems are hosted in cloud environments equipped with appropriate physical security controls, which are the responsibility of the subservice organizations.

Authentication is processed via Supabase. Email delivery uses api.wisprflow.com (.com domain) for improved deliverability.

Subprocessors may process data in various geographic locations. The Data Processing Addendum includes:

• Appropriate data transfer mechanisms (Standard Contractual Clauses where applicable)

• Customer notice of international data transfers

• Safeguards for data processed outside the customer's region

FAQs

Limitations and notes

• Customers do not have individual approval rights over specific LLM providers or model families.

• There are no in-app controls to opt out of analytics tracking independently of account deletion.

• Subprocessors may process data in various geographic locations outside the customer's region.

• Account deletion is a two-phase process: marketing and data pipeline records are removed immediately, while analytics events, usage history, and authentication records are removed in a follow-up cleanup by the support team.

• Dictation sessions on desktop are limited to approximately 20 minutes (with a warning at 19 minutes). iOS sessions are limited to approximately 5 minutes.

• Enterprise admins who are the sole admin or paying admin cannot delete their accounts when other members exist without first transferring roles. If the admin is the only member, the enterprise is automatically disbanded upon account deletion.

• When an enterprise subscription lapses and the enterprise is disbanded, SSO configuration data is preserved for potential reactivation, but enterprise domains are marked as deleted, which prevents new SSO logins until the subscription is restored.

• ZDR enforcement, local data storage policies, and SSO enforcement are available on the Enterprise plan only.