AI Subprocessors & Data Processing

Last updated: June 2026

This page details the third-party subprocessors involved in AI-powered features within the Vistaly platform. It describes what data is processed, where it is processed and stored, and the safeguards in place. For a complete list of all Vistaly subprocessors (including non-AI services), see our Sub-Processors page.

If you have questions about AI data processing, please contact us at dpo@vistaly.com.

Overview

Vistaly uses AI to help product teams synthesize customer conversations into structured opportunity spaces. The core AI capabilities include:

Call and interview processing — transcribing and analyzing customer interviews to extract key insights
Opportunity space generation — automatically organizing insights into structured opportunity trees
Text analysis and summarization — summarizing interview content and identifying patterns across conversations

AI processing of your interview and customer content is performed via Amazon Bedrock (an AWS service) using Anthropic's Claude models. Data sent to Amazon Bedrock is not shared with model providers and is not used to train any models.

AI Subprocessor Details

Subprocessor	Purpose	Data Processed	Processing Region	DPF	Data Retention	Links
Amazon Web Services, Inc.	AI inference and infrastructure. AI-powered features are processed via Amazon Bedrock (an AWS service), which serves Anthropic's Claude models — powering call processing, interview transcript analysis, insight extraction, summarization, and opportunity space generation. AWS also hosts the entire Vistaly application infrastructure, including all databases, file storage, and backups. Customer data at rest — including data used as input to or output from AI features — is stored on AWS in the customer's selected region. Note: authentication (AWS Cognito), payment processing (Stripe), and the account directory always operate in the United States regardless of data residency selection.	All customer data, including interview transcripts, call recordings (text) and other content submitted to AI features, AI-generated insights, opportunity spaces, and user account data.	Your selected region (US or EU), including AI inference via Amazon Bedrock. Authentication, payment, and account directory services always US.	Yes	Data is retained in accordance with Vistaly's data retention policies and the customer's chosen data residency region. Backups follow the same regional constraints. Prompts and completions sent to Amazon Bedrock are processed transiently to generate a response — AWS does not store them, does not share them with model providers (including Anthropic), and does not use them to train any models. AWS does not otherwise access customer content.	Homepage Compliance DPA GDPR Privacy Policy
AssemblyAI, Inc.	Speech-to-text transcription. Used in Vistaly's beta product for converting audio and video recordings of customer interviews into text transcripts for further AI analysis.	Audio and video recordings of customer interviews submitted for transcription.	Your selected region (US or EU)	Yes	Audio data is processed by AssemblyAI for transcription. Vistaly is enrolled in AssemblyAI's opt-out from the Model Improvement Program; customer audio and transcripts are not used to train AssemblyAI's models.	Homepage DPA GDPR Privacy Policy Security
Product Talk LLC	Licensed AI feature provider with platform access. Product Talk licenses AI-powered features integrated into Vistaly, including the Interview Snapshot Generator and OST (Opportunity Solution Tree) Update features. Product Talk does not perform AI inference itself — inference is performed via Amazon Bedrock (AWS) — but has platform access to customer data within Vistaly for product research, service improvement, and quality assurance of the licensed features.	Platform access to customer data relevant to the licensed AI features, including interview transcripts and AI-generated insights and opportunity spaces. Data remains within Vistaly's infrastructure; Product Talk does not store or export customer data.	Your selected region (US or EU) — access only, data remains in Vistaly's infrastructure	No	Product Talk does not retain customer data. All data remains within Vistaly's infrastructure and is subject to Vistaly's data retention policies.	Homepage DPA

Data Flow

The following describes how data flows through AI features in Vistaly:

Input: Customer interview recordings or transcripts are uploaded by the user to Vistaly and stored on AWS in the customer's selected data residency region (US or EU).
Transcription (if applicable): Audio/video recordings are sent to AssemblyAI for speech-to-text conversion. The resulting transcript is stored on AWS.
AI Processing: Transcript text is sent to Amazon Bedrock (using Anthropic's Claude models) for analysis, insight extraction, and opportunity space generation. This processing occurs within the customer's selected data residency region (US or EU).
Storage: AI-generated outputs (insights, opportunity spaces, summaries) are stored on AWS in the customer's selected data residency region.

Data Residency & Regional Processing

Vistaly offers a choice of data residency region — United States or European Union — which customers select during account creation. All customer data at rest (databases, file storage, and backups) is hosted in the selected region on AWS.

AI processing via Amazon Bedrock occurs within the customer’s selected data residency region (US or EU). For EU-resident customers, interview transcript content is processed by Bedrock in the EU region and the results are stored in the EU region; the content is not transmitted outside the EU for AI processing.

In addition to AI processing, certain platform services always operate in the United States regardless of the customer’s chosen data residency region:

Authentication services (AWS Cognito) — hosted in the United States for all customers. Processes login credentials, authentication tokens, and email addresses.
Payment processing (Stripe) — all payment data is processed in the United States by Stripe, a PCI Service Provider Level I. Vistaly does not handle payment information directly.
Account directory — a minimal set of account identifiers (account IDs and URL slugs) is replicated globally to ensure service availability and prevent conflicts across regions. This directory does not contain customer content or personal data beyond account identifiers.

For a complete list of all subprocessors and their data processing regions, see our Sub-Processors page.

Safeguards for Cross-Border Transfers

For all transfers of personal data to subprocessors located outside the customer's chosen region, Vistaly relies on appropriate safeguards including:

Standard Contractual Clauses (SCCs) — incorporated into data processing agreements with subprocessors
Data Processing Agreements (DPAs) — in place with all AI subprocessors
EU-U.S. Data Privacy Framework — relied upon where the subprocessor is certified (AWS is DPF-certified)
Encryption in transit — all data transmitted to AI subprocessors uses TLS encryption
No model training on customer data — data sent to Amazon Bedrock is not used to train any models and is not shared with model providers

AI Output Handling

AI-generated content within Vistaly is treated as untrusted text and rendered with the following safeguards:

Sanitized rendering — AI outputs are displayed exclusively in sanitized React contexts, never as raw HTML or executable markdown. Outputs cannot trigger code execution, script injection, or cross-site scripting in the user’s browser.
No automated side effects — AI outputs are confined to display within the user’s own workspace. They do not initiate outbound network calls, automation, or actions on the user’s behalf without explicit confirmation.
Model-level safety controls — Vistaly relies on the built-in safety training of the underlying Claude models (served via Amazon Bedrock) for harmful-content moderation at the model layer.
Content and prompt-injection guardrails — direct Bedrock calls for transcript processing (formatting and speaker identification) pass through an AWS Bedrock Guardrail that filters harmful content and prompt-injection attempts.
User reporting — users can flag any AI output for review by contacting dpo@vistaly.com.

For more information, see our Sub-Processors, Privacy Policy, GDPR Compliance Statement, EU AI Act Compliance, and Security Policy.