Sub-processors
Last updated · 15 June 2026
PulseSignal engages the service providers listed below to operate the platform. Providers marked “Outbound read-only” are public data sources we read from; they are not processors of PulseSignal user data. Providers marked with a Data Processing Addendum (DPA) process PulseSignal user or company data under a written contract with data-protection obligations consistent with GDPR Article 28.
Any LLM prompt that may contain personal data (for example an executive’s name) is processed only by providers located in the United States or the European Union, under terms that prohibit training on our inputs; such prompts are never routed to a provider in a non-adequacy jurisdiction. A China-based provider (DeepSeek) is used only for non-personal public company-data validation (pricing, products, funding, public filings) and is routed away from any people-bearing prompt in code. We never send customer account data, credentials, payment details, or special-category personal data to any LLM provider.
We will notify active customers of material sub-processor additions at least 30 days before they begin processing, via the email on file for the account and an update to this page. Objection handling is described in our Privacy Policy.
| Sub-processor | Purpose | Data category | Location | DPA | Transfer mechanism | Retention |
|---|---|---|---|---|---|---|
| Hetzner Online GmbH | Application, frontend, and PostgreSQL hosting (marketing site pulsesignal.co, app.pulsesignal.co, backend workers, database, scheduler) | All customer + company data | United States (Ashburn, Virginia) | Yes (Hetzner DPA) | EU SCCs Modules 2+3 · UK IDTA | Active term + 30 days |
| Cloudflare, Inc. (CDN / edge proxy) | CDN, DDoS protection, TLS termination, and edge caching for pulsesignal.co (orange-cloud proxy in front of the Hetzner origin) | Visitor metadata (IP, user-agent, referrer, request path) | Global edge | Yes (Cloudflare DPA) | EU SCCs Modules 2+3 · UK IDTA | Edge request logs per Cloudflare retention |
| Polar Software, Inc. (Polar.sh) | Merchant of Record: payment processing, invoicing, subscription billing, and global sales-tax / VAT determination. Polar is the seller of record; it uses Stripe (Stripe, Inc. and Stripe Payments Europe, Ltd) as its underlying payment processor. | Card-holder data (not stored by us; tokenised by Polar / Stripe), billing name, billing email, billing country, VAT ID, invoice history | United States (Polar Software, Inc.); Stripe in the United States and Ireland for EU customers | Yes (Polar Data Processing Addendum, polar.sh/legal/data-processing-addendum; Polar sub-processor list, polar.sh/legal/sub-processors) | EU SCCs Modules 2+3 · UK IDTA | 7 years (tax-record requirement) |
| Sentry (Functional Software, Inc.) | Error and exception monitoring (application + frontend) | Stack traces, error context, request URL, account ID. Personal data redacted before send via PII scrubbing rules. | EU region preferred (Frankfurt) · United States fallback | Yes (Sentry DPA) | EU SCCs Modules 2+3 · UK IDTA | 90 days |
| PostHog Inc. | Product analytics (feature usage, session replay disabled, no third-party trackers) | Account ID, feature event names, coarse browser metadata. No PII by default. | EU region (Frankfurt) where available · United States fallback | Yes (PostHog DPA) | EU SCCs Modules 2+3 · UK IDTA | 13 months (rolling) |
| Groq, Inc. | LLM inference for briefings, validators, and custom alert expression evaluation | Prompts that reference third-party company names and public observations. No customer PII in prompts. | United States | Yes (Groq Cloud Terms) | EU SCCs Modules 2+3 · UK IDTA | Zero retention by contract |
| SambaNova Systems, Inc. | LLM inference (fallback provider) | Same as Groq | United States | Yes (SambaNova SambaCloud Terms) | EU SCCs Modules 2+3 · UK IDTA | Zero retention by contract |
| Cloudflare, Inc. (Workers AI) | LLM inference (fallback provider) | Same as Groq | Global edge | Yes (Cloudflare DPA) | EU SCCs Modules 2+3 · UK IDTA | Zero retention by contract |
| DeepSeek | LLM inference for NON-PERSONAL company-data validation only (pricing / products / funding accuracy + gap-fill) | Public company facts ONLY (pricing, products, funding, public filings). NEVER personal data: any prompt referencing people (executive names, contacts) is routed away from this provider in code. | China | Yes (DeepSeek Open Platform Terms) | Non-personal data only · no personal-data cross-border transfer | No training on inputs · retention per DPA |
| Mistral AI SAS | LLM inference (routing provider) | Same as Groq | France (European Union) | Yes (Mistral AI Terms) | EU-internal · adequacy | No training on inputs · retention per DPA |
| NVIDIA Corporation (NVIDIA NIM) | LLM inference (fallback provider) | Same as Groq | United States | Yes (NVIDIA Cloud Terms) | EU-US DPF · EU SCCs Modules 2+3 · UK IDTA | No training on inputs · retention per DPA |
| Google LLC (Gemini API) | LLM inference (fallback provider) | Same as Groq | United States / Global | Yes (Google Cloud / Generative AI Terms) | EU-US DPF · EU SCCs Modules 2+3 | No training on inputs · retention per DPA |
| Cerebras Systems, Inc. | LLM inference (fallback provider) | Same as Groq | United States | Yes (Cerebras Inference Terms) | EU-US DPF · EU SCCs Modules 2+3 · UK IDTA | No training on inputs · retention per DPA |
| Resend (Resend, Inc.) | Primary transactional and digest email delivery (digests, alert notifications, magic links, OTP verification, contact-form replies, billing notices) | Recipient email address, sender address, subject line, message body, digest contents | United States | Yes (Resend DPA · resend.com/legal/dpa) | EU SCCs Modules 2+3 · UK IDTA | 30 days (delivery logs) |
| SendGrid (Twilio Inc.) | Fallback transactional and digest email delivery when Resend is unavailable or rate-limited (same envelope as Resend; selected automatically by the dispatcher when EMAIL_PROVIDER=auto) | Recipient email address, sender address, subject line, message body, digest contents | United States | Yes (Twilio DPA · twilio.com/legal/data-protection-addendum) | EU SCCs Modules 2+3 · UK IDTA | 30 days (delivery logs) |
| Google Analytics 4 (Google LLC) | Website analytics (pageviews, feature usage) on pulsesignal.co | Visitor IP (truncated to /24), cookies, user agent, referrer, page paths | United States / Global | Yes (Google Ads Data Processing Terms) | EU-US DPF · EU SCCs Modules 2+3 | 14 months |
| Pollinations | Hero image generation for blog drafts | Headline text only; no personal data | Germany | Not applicable (no personal data processed) | EU-internal · adequacy | Not applicable |
| Telegram FZ-LLC | Internal operations alerting (engineering on-call only) and admin draft delivery | Operations messages and admin draft text. No customer or company personal data. | United Arab Emirates · United States · Germany (multi-region) | Not applicable (no customer personal data processed) | Not applicable | Not applicable |
| GitHub Actions (Microsoft GitHub Inc.) | Common Crawl monthly ingest runner | Public domain lists, ingest logs | United States | Yes (GitHub DPA) | EU SCCs Modules 2+3 · UK IDTA | 90 days (action logs) |
| UK Companies House | Public statutory registry lookups (corporate_registry) | Outbound read-only | United Kingdom | Not applicable (public registry) | UK adequacy | Not applicable |
| data.gov.in (MCA India) | Monthly bulk mirror of the Indian Ministry of Corporate Affairs company master data | Outbound read-only | India | Not applicable (public registry) | Not applicable (public data) | Not applicable |
| SEC EDGAR | Public US securities filings (sec_edgar) | Outbound read-only | United States | Not applicable (public registry) | Not applicable (public data) | Not applicable |
| Common Crawl | Monthly read of the public web archive index | Outbound read-only | United States | Not applicable (public dataset) | Not applicable (public data) | Not applicable |
| archive.org Wayback Machine | Historical snapshots of public web pages | Outbound read-only | United States | Not applicable (public archive) | Not applicable (public data) | Not applicable |
International transfers
PulseSignal’s primary application and database are hosted in the United States (Ashburn, Virginia). Where personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country outside its jurisdiction (principally the United States), we rely on: the European Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Module 2 controller-to-processor and Module 3 processor-to-processor) for EU transfers; the UK International Data Transfer Addendum (IDTA) version B1.0 for UK transfers; and the EU SCCs as modified by the Swiss FDPIC for Swiss transfers. Each transfer is supplemented by technical measures: TLS 1.2+ in transit, AES-256 at rest, structured audit logging, and least-privilege access.
A transfer impact assessment for each US-located sub-processor is available to customers on written request. We monitor the EU-US Data Privacy Framework and equivalent UK / Swiss extensions and will rely on the framework where the sub-processor is certified and the framework is in force.
For transfers from Canada (PIPEDA / Quebec Law 25), Brazil (LGPD), India (DPDP 2023), Singapore (PDPA), and Australia (Privacy Act 1988), see the corresponding section on /privacy/regional.
Sub-processor change notifications
We notify active customers of material additions at least 30 days before the new provider begins processing, via the billing email on file and by an update to this page. Customers on a signed DPA may object on reasonable data-protection grounds; the objection process is described in section 7 of the DPA.
Questions
Contact privacy@pulsesignal.co to raise an objection to a current or proposed sub-processor, to request the relevant DPA documentation, or to receive a transfer impact assessment.