Sub-processors
Last updated · 10 July 2026
PulseSignal engages the service providers listed below to operate the platform. Providers marked “Outbound read-only” are public data sources we read from; they are not processors of PulseSignal user data. Providers marked with a Data Processing Addendum (DPA) process PulseSignal user or company data under a written contract with data-protection obligations consistent with GDPR Article 28.
Any LLM prompt that may contain personal data (for example an executive’s name) is sent only to providers we contract with in the United States or the European Union, under terms that prohibit training on our inputs; we never contract with a provider in a non-adequacy jurisdiction for such prompts. One contracted provider, OpenRouter, Inc. (United States), routes requests onward to downstream model hosts, whose locations are determined by OpenRouter rather than by us. A China-based provider (DeepSeek) is used only for non-personal public company-data validation (pricing, products, funding, public filings) and is routed away from any people-bearing prompt in code. We never send customer account data, credentials, payment details, or special-category personal data to any LLM provider.
We will notify active customers of material sub-processor additions at least 30 days before they begin processing, via the email on file for the account and an update to this page. Objection handling is described in our Privacy Policy.
| Sub-processor | Purpose | Data category | Location | DPA | Transfer mechanism | Retention |
|---|---|---|---|---|---|---|
| Hetzner Online GmbH | Application, frontend, and PostgreSQL hosting; sole origin for both the marketing site (pulsesignal.co, www.pulsesignal.co) and the app dashboard (app.pulsesignal.co), plus backend workers, database, and scheduler | All customer + company data | United States (Ashburn, Virginia) | Yes (Hetzner DPA) | EU SCCs Modules 2+3 · UK IDTA | Active term + 30 days |
| Polar Software, Inc. (Polar.sh) | Merchant of Record: payment processing, invoicing, subscription billing, and global sales-tax / VAT determination. Polar is the seller of record; it uses Stripe (Stripe, Inc. and Stripe Payments Europe, Ltd) as its underlying payment processor. | Card-holder data (not stored by us; tokenized by Polar / Stripe), billing name, billing email, billing country, VAT ID, invoice history | United States (Polar Software, Inc.); Stripe in the United States and Ireland for EU customers | Yes (Polar Data Processing Addendum, polar.sh/legal/data-processing-addendum; Polar sub-processor list, polar.sh/legal/sub-processors) | EU SCCs Modules 2+3 · UK IDTA | 7 years (tax-record requirement) |
| Sentry (Functional Software, Inc.) | Error and exception monitoring (application + frontend) | Stack traces, error context, request URL, account ID. Personal data redacted before send via PII scrubbing rules. | United States | Yes (Sentry DPA) | EU SCCs Modules 2+3 · UK IDTA | 90 days |
| PostHog Inc. | Product analytics (feature usage, session replay disabled, no third-party trackers) | Account ID, feature event names, coarse browser metadata. No PII by default. | United States | Yes (PostHog DPA) | EU SCCs Modules 2+3 · UK IDTA | 13 months (rolling) |
| Google LLC (Sign in with Google) | Customer authentication via Google OAuth sign-in | Email address and basic profile returned at login. No other Google account data is requested. | United States / Global | Yes (Google Cloud Data Processing Addendum) | EU-US DPF · EU SCCs Modules 2+3 | Login-time exchange; we store only the returned email and name in the account record |
| Groq, Inc. | LLM inference for briefings, validators, and custom alert expression evaluation | Prompts that reference third-party company names and public observations. No customer PII in prompts. | United States | Yes (Groq Cloud Terms) | EU SCCs Modules 2+3 · UK IDTA | Zero retention by contract |
| SambaNova Systems, Inc. | LLM inference (fallback provider) | Same as Groq | United States | Yes (SambaNova SambaCloud Terms) | EU SCCs Modules 2+3 · UK IDTA | Zero retention by contract |
| Cloudflare, Inc. (Workers AI) | LLM inference (fallback provider) | Same as Groq | Global edge | Yes (Cloudflare DPA) | EU SCCs Modules 2+3 · UK IDTA | Zero retention by contract |
| DeepSeek | LLM inference for NON-PERSONAL company-data validation only (pricing / products / funding accuracy + gap-fill) | Public company facts ONLY (pricing, products, funding, public filings). NEVER personal data: any prompt referencing people (executive names, contacts) is routed away from this provider in code. | China | Yes (DeepSeek Open Platform Terms) | Non-personal data only · no personal-data cross-border transfer | No training on inputs · retention per DPA |
| Mistral AI SAS | LLM inference (routing provider) | Same as Groq | France (European Union) | Yes (Mistral AI Terms) | EU-internal · adequacy | No training on inputs · retention per DPA |
| NVIDIA Corporation (NVIDIA NIM) | LLM inference (fallback provider) | Same as Groq | United States | Yes (NVIDIA Cloud Terms) | EU-US DPF · EU SCCs Modules 2+3 · UK IDTA | No training on inputs · retention per DPA |
| Google LLC (Gemini API) | LLM inference (fallback provider) | Same as Groq | United States / Global | Yes (Google Cloud / Generative AI Terms) | EU-US DPF · EU SCCs Modules 2+3 | No training on inputs · retention per DPA |
| Cerebras Systems, Inc. | LLM inference (fallback provider) | Same as Groq | United States | Yes (Cerebras Inference Terms) | EU-US DPF · EU SCCs Modules 2+3 · UK IDTA | No training on inputs · retention per DPA |
| OpenRouter, Inc. | LLM inference routing in the enrichment provider cascade (dispatches requests to downstream model hosts) | Same as Groq | United States (routes to downstream model hosts) | Yes (OpenRouter Terms of Service) | EU SCCs Modules 2+3 · UK IDTA | No training on inputs · retention per provider terms |
| Brave Software, Inc. (Brave Search API) | Web search used during enrichment validation | Search queries that can contain company and executive names. No customer data. | United States | Yes (Brave Search API Terms) | EU SCCs Modules 2+3 · UK IDTA | Per Brave Search API terms |
| Resend (Resend, Inc.) | Primary transactional and digest email delivery (digests, alert notifications, magic links, OTP verification, contact-form replies, billing notices) | Recipient email address, sender address, subject line, message body, digest contents | United States | Yes (Resend DPA · resend.com/legal/dpa) | EU SCCs Modules 2+3 · UK IDTA | 30 days (delivery logs) |
| SendGrid (Twilio Inc.) | Fallback transactional and digest email delivery when Resend is unavailable or rate-limited (same envelope as Resend; selected automatically by the dispatcher when EMAIL_PROVIDER=auto) | Recipient email address, sender address, subject line, message body, digest contents | United States | Yes (Twilio DPA · twilio.com/legal/data-protection-addendum) | EU SCCs Modules 2+3 · UK IDTA | 30 days (delivery logs) |
| Slack Technologies LLC (Salesforce, Inc.) | Pro+ alert delivery into customer Slack workspaces via an OAuth bot | Workspace OAuth tokens, channel IDs, and the alert content delivered into the customer workspace | United States | Yes (Salesforce / Slack DPA) | EU-US DPF · EU SCCs Modules 2+3 · UK IDTA | Tokens until the integration is disconnected; delivered messages persist in the customer workspace under the customer retention settings |
| Google Analytics 4 (Google LLC) | Website analytics (pageviews, feature usage) on pulsesignal.co and app.pulsesignal.co | Visitor IP (truncated to /24), cookies, user agent, referrer, page paths | United States / Global | Yes (Google Ads Data Processing Terms) | EU-US DPF · EU SCCs Modules 2+3 | 14 months |
| Apollo.io, Inc. | GTM prospect contact lookup for PulseSignal outreach (our own go-to-market, not a customer-facing feature) | Third-party professional contact data (names, roles, business emails). No customer data. | United States | Yes (Apollo DPA) | EU SCCs Modules 2+3 · UK IDTA | Per Apollo terms |
| Explorium Ltd. | GTM contact enrichment for PulseSignal outreach | Third-party professional contact data. No customer data. | Israel / United States | Yes (Explorium DPA) | EU adequacy (Israel) · EU SCCs Modules 2+3 | Per Explorium terms |
| Hunter Web Services SAS | GTM email finding for PulseSignal outreach | Third-party professional contact data. No customer data. | France (European Union) | Yes (Hunter DPA) | EU-internal · adequacy | Per Hunter terms |
| Pollinations | Hero image generation for blog drafts | Headline text only; no personal data | Germany | Not applicable (no personal data processed) | EU-internal · adequacy | Not applicable |
| Bluesky PBC | Public-post firehose reads for mention tracking, plus an authenticated PulseSignal publishing account | Public posts (outbound read) and our own published content. No customer data. | United States | Not applicable (no customer personal data processed) | Not applicable | Not applicable |
| Hashnode Inc. | Blog and content publishing account | Our own published content. No customer data. | United States | Not applicable (no customer personal data processed) | Not applicable | Not applicable |
| Telegram FZ-LLC | Internal operations alerting (engineering on-call only) and admin draft delivery | Operations messages and admin draft text. No customer or company personal data. | United Arab Emirates · United States · Germany (multi-region) | Not applicable (no customer personal data processed) | Not applicable | Not applicable |
| UptimeRobot Service Provider Ltd. | External uptime monitoring of production endpoints | Monitored endpoint URLs and response metadata. No customer data. | Malta (European Union) | Not applicable (no customer personal data processed) | Not applicable | Not applicable |
| GitHub Actions (Microsoft GitHub Inc.) | Common Crawl monthly ingest runner | Public domain lists, ingest logs | United States | Yes (GitHub DPA) | EU SCCs Modules 2+3 · UK IDTA | 90 days (action logs) |
| IPRoyal (UAB IPRoyal) | Proxy egress for public-web scraping during enrichment | Outbound public-web requests (product data). No customer data. | Lithuania (European Union) · global exit nodes | Not applicable (no customer personal data processed) | Not applicable | Not applicable |
| ScraperAPI | Paid scraping API for antibot-protected public pages during enrichment | Outbound public-web requests (product data). No customer data. | United States | Not applicable (no customer personal data processed) | Not applicable | Not applicable |
| UK Companies House | Public statutory registry lookups (corporate_registry) | Outbound read-only | United Kingdom | Not applicable (public registry) | UK adequacy | Not applicable |
| data.gov.in (MCA India) | Monthly bulk mirror of the Indian Ministry of Corporate Affairs company master data | Outbound read-only | India | Not applicable (public registry) | Not applicable (public data) | Not applicable |
| SEC EDGAR | Public US securities filings (sec_edgar) | Outbound read-only | United States | Not applicable (public registry) | Not applicable (public data) | Not applicable |
| Common Crawl | Monthly read of the public web archive index | Outbound read-only | United States | Not applicable (public dataset) | Not applicable (public data) | Not applicable |
| archive.org Wayback Machine | Historical snapshots of public web pages | Outbound read-only | United States | Not applicable (public archive) | Not applicable (public data) | Not applicable |
International transfers
PulseSignal’s primary application and database are hosted in the United States (Ashburn, Virginia). Where personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country outside its jurisdiction (principally the United States), we rely on: the European Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Module 2 controller-to-processor and Module 3 processor-to-processor) for EU transfers; the UK International Data Transfer Addendum (IDTA) version B1.0 for UK transfers; and the EU SCCs as modified by the Swiss FDPIC for Swiss transfers. Each transfer is supplemented by technical measures: TLS 1.2+ in transit, AES-256 at rest, structured audit logging, and least-privilege access.
A transfer impact assessment for each US-located sub-processor is available to customers on written request. We monitor the EU-US Data Privacy Framework and equivalent UK / Swiss extensions and will rely on the framework where the sub-processor is certified and the framework is in force.
For transfers from Canada (PIPEDA / Quebec Law 25), Brazil (LGPD), India (DPDP 2023), Singapore (PDPA), and Australia (Privacy Act 1988), see the corresponding section on /privacy/regional.
Sub-processor change notifications
We notify active customers of material additions at least 30 days before the new provider begins processing, via the billing email on file and by an update to this page. Customers on a signed DPA may object on reasonable data-protection grounds; the objection process is described in section 7 of the DPA.
Questions
Contact privacy@pulsesignal.co to raise an objection to a current or proposed sub-processor, to request the relevant DPA documentation, or to receive a transfer impact assessment.