MonkeyMachine — SUB‑PROCESSORS

Meta Platforms, Inc. (1 Meta Way, Menlo Park, CA 94025, USA) — processing of message content, sender/recipient identifiers, timestamps, delivery status, and media attachments transmitted via Facebook Messenger (Graph API / Messenger Platform), Instagram Direct (Instagram Messaging API), and WhatsApp Business (WhatsApp Cloud API). Data is processed by Meta as a Processor (or independent Controller, depending on data type) under the Meta Data Processing Terms and Meta Platform Terms. MonkeyMachine accesses this data solely on the Customer's instructions and does not determine independent purposes for its processing. Applicable sub‑processors of Meta are listed in Meta's own Sub‑Processor Register.

Telegram FZ‑LLC (United Arab Emirates) — processing of messages, user identifiers, chat metadata, and media files via the Telegram Bot API. Data is processed solely to provide the Customer's bot and messaging functionality in accordance with the Telegram API Terms of Service.

Cloudflare, Inc. (San Francisco, CA, USA) — DNS, CDN, WAF, R2 object storage, anti‑DDoS, logging.

YooMoney for Business (YooKassa) — card acquiring, payment processing, fiscal receipts.

Tochka Bank — SBP acquiring, payment settlement.

Postmark (ActiveCampaign, LLC) — transactional emails.

Notisend — transactional and marketing emails.

Gmail (Google LLC) — email sending via Gmail API.

SendGrid (Twilio SendGrid, Inc.) — transactional emails.

Google Analytics 4, PostHog, Plausible, Yandex.Metrica, Cloudflare Web Analytics.

Sentry (Functional Software, Inc.) — error tracking and performance monitoring.

OpenAI (San Francisco, CA, USA), Anthropic (San Francisco, CA, USA), Google AI (Mountain View, CA, USA), OpenRouter (aggregator). Training on customer content: opt‑in only; all providers are contractually prohibited from using Customer or End User data for model training unless the Customer explicitly opts in.

The Platform integrates with external CRM systems and business automation platforms to enable bidirectional synchronization of client data, appointments, orders, and services on behalf of the Customer.

YCLIENTS (LLC "UYCLIENTS") (INN 7707784510, OGRN 1127747001498, Moscow, Russia) — synchronization of client data (name, phone, email), service appointments, services and categories, staff and schedules. Processing is carried out via YCLIENTS API (v1/v2) in accordance with the YCLIENTS Privacy Policy. YCLIENTS is an independent data controller registered with Roskomnadzor. MonkeyMachine processes data received from YCLIENTS solely on behalf of the Customer. Data is stored within the Russian Federation; no cross-border transfer occurs.

amoCRM (LLC "amoCRM") (INN 7726698519, OGRN 1107746238498, Moscow, Russia) — synchronization of contacts (name, phone, email), deals (leads), tasks, and notes. Processing via amoCRM API (v4) using OAuth 2.0 in accordance with the amoCRM Privacy Policy. amoCRM is an independent data controller. Data is stored within the Russian Federation.

RetailCRM (LLC "Retail Soft") (INN 7726680827, Moscow, Russia) — synchronization of orders, client records (name, phone, email, shipping address), order statuses. Processing via RetailCRM API (v5) in accordance with the RetailCRM Privacy Policy. RetailCRM is an independent data controller. Data is stored within the Russian Federation.

General principles for CRM integration data processing:

• Integration is activated solely at the Customer's initiative and may be deactivated at any time through the project control panel;
• The scope of data transferred is determined by the integration settings selected by the Customer;
• The Customer, as the data controller in relation to their clients, is solely responsible for ensuring legal bases for data transfer between systems;
• MonkeyMachine does not independently determine purposes of processing for data received from CRM systems;
• Upon deactivation, synchronization ceases; previously synchronized data is retained within the Customer's account until deleted by the Customer or upon account termination;
• API keys and authorization tokens are encrypted at rest (SOPS/age) and are never disclosed to third parties.

We will notify Customers at least 30 days before engaging a new sub‑processor or materially changing the scope of processing by an existing sub‑processor. Customers may object to a proposed change; where feasible, we will disable the relevant sub‑processor for the objecting Customer without impairing core Service functionality.