Almi Sub-Processor Disclosure & Management Policy

Last updated: April 25, 2025

1. Purpose

This document identifies every third‑party service provider ("Sub‑Processor") that RespondWize, Inc. (doing business as Almi) engages to process personal information and conversation data on behalf of the University of Montana ("UM") and Almi Users. It also explains the due‑diligence, contractual, and notice mechanisms Almi uses to safeguard that data.

2. Current Sub-Processors

  • Amazon Web Services (AWS) – Primary hosting environment located in AWS US‑East (N. Virginia). Provides compute, encrypted storage, managed PostgreSQL, and network security controls. Holds SOC 2 (Type 2) and ISO 27001 certifications.
  • Render – US‑based platform‑as‑a‑service that orchestrates application deployments on top of AWS infrastructure. Inherits AWS physical controls and implements TLS 1.2+ for all connections.
  • Twilio – Telephony infrastructure for voice calls and SMS messaging terminated in the United States. Holds SOC 2 (Type 2) and ISO 27001 certifications; HIPAA‑eligible environment.
  • Retell AI – Cloud‑native voice‑AI interface that handles call routing and real‑time transcription. Retell operates on an elastic, microservices architecture and holds SOC 2 Type I & II attestations. The service advertises a 99.99% uptime SLA and provides HIPAA‑aligned security controls, making it suitable for regulated workloads.
  • OpenAI – Large‑language‑model API used for conversations, email drafting, match scoring, and summarization. Data submitted via API is stored by OpenAI for up to 30 days for abuse monitoring and is not used to train their models.

3. Due Diligence & Contractual Safeguards

Vendor Risk Review

Almi evaluates each Sub‑Processor's SOC 2 or equivalent security report annually and reviews their data‑protection policies for FERPA alignment.

Data‑Protection Addendum

Almi ensures each Sub‑Processor is bound, either through the provider's published Data Processing Addendum / Service Terms (e.g., AWS, Twilio, OpenAI) or, where commercially feasible, a negotiated amendment, by commitments to:

  • employ encryption in transit (TLS 1.2+) and at rest (AES‑256 or equivalent);
  • maintain security controls aligned with SOC 2 Type II, ISO 27001, or an equivalent industry‑recognized framework, or otherwise provide risk‑assessment evidence acceptable to Almi;
  • provide prompt breach notification without undue delay (and ideally within 24 hours) after becoming aware of an incident affecting Customer Data; and
  • restrict the use and disclosure of Customer Data to providing the contracted services, thereby enabling Almi to meet its FERPA obligations.

Right to Audit

Almi's contracts reserve the right to request audit evidence or conduct a security questionnaire at least once per year.

4. Change-Management & University Notice

Almi will notify the University of Montana at least 30 days in advance of adding, replacing, or materially changing a Sub‑Processor.

If UM objects on reasonable data‑protection grounds within 15 days of notice, Almi will work in good faith to resolve the objection—by offering an alternative, implementing additional safeguards, or, if necessary, refraining from using the new Sub‑Processor for UM data.

5. Contact

Questions regarding this policy can be directed to steve@respondwize.com
