Skip to main content
GymAxis — Smarter Fitness. Stronger Business.
Legal · Compliance

Sub-processors

Last updated: 28 May 2026 · v1.0

This page lists every third-party processor that may handle Customer Personal Data under GymAxis AI's Data Processing Agreement.

30-day change notice

GymAxis will provide customers at least 30 days' notice before adding, replacing or materially changing a sub-processor. Customers may object in writing; if the objection cannot be resolved within 30 days the customer may terminate the affected workload without penalty. Subscribe at dpo@gymaxisai.com.

1. Infrastructure & hosting

Sub-processorPurposeRegionTransfer mechanism
Emergent LabsPlatform hosting (compute, container orchestration, network ingress)UK / EUUK GDPR / EU SCCs (if any non-UK/EEA)
MongoDB (via Emergent-managed cluster)Primary application databaseUK / EUSub-processor of Emergent Labs

2. Communications

Sub-processorPurposeRegionTransfer mechanism
ResendTransactional + marketing email deliveryUS / EU-FrankfurtSCCs · UK IDTA
Twilio (planned, currently mocked)SMS dispatchUSSCCs · UK IDTA

3. Payments

Sub-processorPurposeRegionTransfer mechanism
Stripe Payments Europe Ltd / Stripe Inc.Card processing, subscription billing, Stripe Connect for engineer payoutsUK / Ireland / USSCCs · UK IDTA · Stripe DPA

4. AI / LLM providers

GymAxis uses Large Language Models for the AI Assistant, SEO Autopilot, Tender drafting and CRM insights. Provider selection happens via the Emergent LLM Key proxy.

Sub-processorPurposeRegionTransfer mechanism
OpenAIText (GPT-4o / GPT-5.2), image (GPT Image 1), Whisper STTUSSCCs · OpenAI DPA · "no training on API data"
AnthropicText (Claude Sonnet 4.5)US / EUSCCs · Anthropic DPA
Google (Gemini)Text, image (Nano Banana)US / EUSCCs · Google DPA

Operator obligation: Do not paste raw special-category data (health, biometric, criminal) into AI prompts. Use the redact-before-prompt pattern documented in the Help Centre.

5. Observability & analytics

Sub-processorPurposeRegionTransfer mechanism
Sentry (enabled when SENTRY_DSN is set)Server + client error tracking (no PII)US / EU optionsSCCs · UK IDTA
PostHog (planned)Product analytics, anonymous event metadataEU-FrankfurtSCCs

6. Integrations enabled per-tenant (opt-in, not default)

These sub-processors only receive data if the customer explicitly enables the integration in their workspace:

Sub-processorTriggered byData categories
Microsoft (Outlook Calendar)Tenant connects Microsoft 365 accountCalendar events, meeting attendees
DocuSignTenant sends a CRM quote for signatureRecipient name + email, document content
Sage 200Tenant maps Sage company in /master-admin/integrationsInvoice + customer ledger data
Sicon (Service Manager)Tenant connects Sicon credentialsEquipment service history
Google Calendar (via Emergent Auth)Tenant connects Google accountCalendar events
Meta (Instagram Graph API) (planned)Tenant connects IG Business accountPost content + media

7. Audit & legal

GymAxis itself acts as data processor when handling Customer Personal Data on behalf of a Tenant. Where Tenant Personal Data ends up in our paid sub-processors above, we have a written DPA in place with each. A list of executed DPAs is available on request: dpo@gymaxisai.com.

8. Changes to this list

VersionDateChange
1.02026-05-28Initial publication

9. Contact

We use essential cookies to keep you signed in and provide core functionality. We do not use tracking or advertising cookies. Privacy Policy

Made with Emergent