Subprocessors and Service Providers
OfficeEaze uses the following trusted service providers to deliver our platform. Primary customer data and employee records are stored in the Canadian AWS region (ca-central-1 — Montreal, Quebec).
Some service providers process limited technical, payment, or communication data in the United States or other jurisdictions as noted. Sensitive personal information including Social Insurance Numbers, banking details, dates of birth, and medical information is never transmitted to US-based service providers in plain text.
Platform infrastructure compliance documentation — including SOC 2 Type II report, ISO 27001:2022 certificate, penetration test attestation, and Transfer Impact Assessment — is available at trust.lovable.dev.
| Provider | Purpose | Data | Location | Certifications |
|---|---|---|---|---|
| Lovable Inc. | Application hosting and platform infrastructure | All application traffic and customer data (via AWS infrastructure) | Canada (ca-central-1, Montreal) + United States | SOC 2 Type II · ISO 27001:2022 · GDPR — trust.lovable.dev |
| Amazon Web Services | Cloud infrastructure (via Lovable) | Customer records, employee data, documents, payroll records | Canada (ca-central-1, Montreal) | SOC 2 Type II · ISO 27001 · CSA STAR |
| Anthropic PBC | Harris AI assistant | Company profile and aggregated metrics only — no SINs, banking details, or employee personal information | United States | — |
| Resend Inc. | Inbound email processing only (receipt forwarding and support email intake). No longer used for outbound transactional email. | Inbound email metadata and message content forwarded to the platform | United States | SOC 2 Type II |
| Twilio Inc. | Employee portal SMS authentication | Mobile phone number and 6-digit code only — no employee names or personal data in message content | United States | ISO 27001 · SOC 2 Type II |
| Helcim Inc. | Payment processing | Billing name, billing address, and card or banking details submitted directly by the customer — OfficeEaze receives only a payment token, never raw card data | Canada (Calgary, AB) | PCI DSS Level 1 |
| Cloudflare Inc. | Security infrastructure and DDoS protection | Request routing and security logs | Global CDN | SOC 2 Type II · ISO 27001 |
| Google LLC | Gmail receipt scanning (optional — only if connected) | Gmail OAuth token and receipt email content | United States | ISO 27001 · SOC 2 Type II |
| Microsoft Corporation | Outlook receipt scanning (optional — only if connected) | Outlook OAuth token and receipt email content | United States | ISO 27001 · SOC 2 Type II |
| ElevenLabs Inc. | Harris voice interface (optional — only if used) | Voice audio only | United States | SOC 2 Type II |
| HeyGen | Harris avatar streaming (optional — only if used) | Audio stream for lip-sync animation only | United States | Certification pending confirmation |
| Instatus | System status page and uptime monitoring | Public service status and subscriber email addresses only | United States | — |
Last updated: May 2026.
To request our Data Processing Agreement, SOC 2 Type II report, or penetration test attestation contact: privacy@officeeaze.ca
OfficeEaze has conducted a Privacy Impact Assessment documenting all data flows and cross-border transfer risk assessments. Available to enterprise customers and regulators on request.
OfficeEaze is a trade name of Lou Squared Systems Inc., incorporated under the Canada Business Corporations Act.