Subprocessors & Third-Party Services
Last updated: April 10, 2026
SpeechTherapyMagic uses the following third-party service providers (“subprocessors”) to deliver our Service. Each subprocessor is contractually bound to handle data only as directed and to maintain appropriate security measures. This list is updated as subprocessors change.
| Service | Provider | Purpose | Data Received | Location |
|---|---|---|---|---|
| Story & content generation | OpenAI | Generate personalized stories, worksheets, and reading passages | Target speech sounds, grade level, story parameters (no student names or health identifiers). Default 30-day retention; zero data retention available on request. | United States and international |
| Image generation | OpenAI | Create illustrations for generated stories | Story scene descriptions and art style parameters. Default 30-day retention. | United States and international |
| Text-to-speech | OpenAI | Read story text aloud | Story page text. Default 30-day retention. | United States and international |
| Pronunciation scoring | SpeechAce | Score speech audio for accuracy on target sounds | Audio recordings (retention is customer-configurable; we configure zero/30-day retention for FERPA compliance), expected text | United States (Seattle, WA) |
| Payment processing | Stripe | Process subscription payments | Billing name, email address, payment card data (Stripe handles card data directly — we never see raw card numbers). GDPR-compliant with Standard Contractual Clauses in place. | Global infrastructure (AWS-based) |
| App hosting & CDN | Cloudflare Workers/Pages | Host the frontend application and serve content globally | Page requests, session cookies (no persistent student data stored). SOC 2 Type II certified; COPPA/FERPA compliance is customer responsibility. | Global (Cloudflare edge network, 165+ cities) |
| File storage | Cloudflare R2 | Store generated story images and assets | Generated images (no student PII embedded). SOC 2 Type II certified; jurisdictional restrictions available on request. | Global (default US; jurisdictional restriction available) |
| Transactional email | Brevo | Send account verification, receipt, and notification emails | Email address, first name. GDPR-compliant; student data is not included in emails. | European Union (France/Germany) |
| Authentication | Google OAuth | Allow sign-in with Google account | Email address, name (only if user chooses Google sign-in). Regional data residency options available. | Global infrastructure |
| Error monitoring | Sentry | Track application errors and crashes | Error stack traces, page URL, browser info (no student data included in error reports). SOC 2 Type II, ISO 27001, HIPAA attestation available. | United States (Iowa) or EU (Frankfurt) — customer choice at setup |
| Backend API server | DigitalOcean | Host the backend API server (managed via Laravel Forge) | Backend application data including user accounts, session scores, and practice history. SOC 2 Type II certified; HIPAA-eligible with BAA. | United States (New York) |
Changes to This List
We will provide 30 days' notice before adding a new subprocessor that handles Student Data. Schools with a signed DPA may object to new subprocessors — see our Data Processing Agreement at /dpa.
Removal Requests
To request information about how a specific subprocessor handles your data, contact us via the contact form at speechtherapymagic.com/contact.