Privacy/Sub-processors

Sub-processors

Last updated · 10 July 2026

PulseSignal engages the service providers listed below to operate the platform. Providers marked “Outbound read-only” are public data sources we read from; they are not processors of PulseSignal user data. Providers marked with a Data Processing Addendum (DPA) process PulseSignal user or company data under a written contract with data-protection obligations consistent with GDPR Article 28.

Any LLM prompt that may contain personal data (for example, an executive’s name) is sent only to providers located in the United States or the European Union, and is routed away in code from any provider we cannot confirm excludes our inputs from model training, and never to a provider in a non-adequacy jurisdiction. These providers process the prompt under their standard published API terms; we do not hold a separately negotiated data-processing agreement with every model host, so we do not represent a blanket contractual no-training or zero-retention guarantee across the LLM fleet. One provider, OpenRouter, Inc. (United States), routes requests onward to downstream model hosts, whose locations are set by OpenRouter, not by us. A China-based provider (DeepSeek) is used only for non-personal public company-data validation (pricing, products, funding, public filings) and is routed away from any people-bearing prompt in code. We keep exposure low by minimising what is sent: we never send customer account data, credentials, payment details, or special-category personal data to any LLM provider.

We will notify active customers of material sub-processor additions at least 30 days before they begin processing, via the email on file for the account and an update to this page. Objection handling is described in our Privacy Policy.

Sub-processorPurposeData categoryLocationDPATransfer mechanismRetention
Hetzner Online GmbHApplication, frontend, and PostgreSQL hosting; sole origin for both the marketing site (pulsesignal.co, www.pulsesignal.co) and the app dashboard (app.pulsesignal.co), plus backend workers, database, and schedulerAll customer + company dataUnited States (Ashburn, Virginia)Yes (Hetzner DPA)EU SCCs Modules 2+3 · UK IDTAActive term + 30 days
Polar Software, Inc. (Polar.sh)Merchant of Record: payment processing, invoicing, subscription billing, and global sales-tax / VAT determination. Polar is the seller of record; it uses Stripe (Stripe, Inc. and Stripe Payments Europe, Ltd) as its underlying payment processor.Card-holder data (not stored by us; tokenized by Polar / Stripe), billing name, billing email, billing country, VAT ID, invoice historyUnited States (Polar Software, Inc.); Stripe in the United States and Ireland for EU customersYes (Polar Data Processing Addendum, polar.sh/legal/data-processing-addendum; Polar sub-processor list, polar.sh/legal/sub-processors)EU SCCs Modules 2+3 · UK IDTA7 years (tax-record requirement)
Sentry (Functional Software, Inc.)Error and exception monitoring (application + frontend)Stack traces, error context, request URL, account ID. Personal data redacted before send via PII scrubbing rules.United StatesYes (Sentry DPA)EU SCCs Modules 2+3 · UK IDTA90 days
PostHog Inc.Product analytics (feature usage, session replay disabled, no third-party trackers)Account ID, feature event names, coarse browser metadata. No PII by default.United StatesYes (PostHog DPA)EU SCCs Modules 2+3 · UK IDTA13 months (rolling)
Google LLC (Sign in with Google)Customer authentication via Google OAuth sign-inEmail address and basic profile returned at login. No other Google account data is requested.United States / GlobalYes (Google Cloud Data Processing Addendum)EU-US DPF · EU SCCs Modules 2+3Login-time exchange; we store only the returned email and name in the account record
Groq, Inc.LLM inference for briefings, validators, and custom alert expression evaluationPrompts that reference third-party company names and public observations. No customer PII in prompts.United StatesYes (Groq Cloud Terms)EU SCCs Modules 2+3 · UK IDTAPer provider standard API terms
SambaNova Systems, Inc.LLM inference (fallback provider)Same as GroqUnited StatesYes (SambaNova SambaCloud Terms)EU SCCs Modules 2+3 · UK IDTAPer provider standard API terms
Cloudflare, Inc. (Workers AI)LLM inference (fallback provider)Same as GroqGlobal edgeYes (Cloudflare DPA)EU SCCs Modules 2+3 · UK IDTAPer provider standard API terms
DeepSeekLLM inference for NON-PERSONAL company-data validation only (pricing / products / funding accuracy + gap-fill)Public company facts ONLY (pricing, products, funding, public filings). NEVER personal data: any prompt referencing people (executive names, contacts) is routed away from this provider in code.ChinaYes (DeepSeek Open Platform Terms)Non-personal data only · no personal-data cross-border transferPer provider standard terms · non-personal data only
Mistral AI SASLLM inference (routing provider)Same as GroqFrance (European Union)Yes (Mistral AI Terms)EU-internal · adequacyPer provider standard API terms
NVIDIA Corporation (NVIDIA NIM)LLM inference (fallback provider)Same as GroqUnited StatesYes (NVIDIA Cloud Terms)EU-US DPF · EU SCCs Modules 2+3 · UK IDTAPer provider standard API terms
Google LLC (Gemini API)LLM inference (fallback provider)Same as GroqUnited States / GlobalYes (Google Cloud / Generative AI Terms)EU-US DPF · EU SCCs Modules 2+3Per provider standard API terms
Cerebras Systems, Inc.LLM inference (fallback provider)Same as GroqUnited StatesYes (Cerebras Inference Terms)EU-US DPF · EU SCCs Modules 2+3 · UK IDTAPer provider standard API terms
OpenRouter, Inc.LLM inference routing in the enrichment provider cascade (dispatches requests to downstream model hosts)Same as GroqUnited States (routes to downstream model hosts)Yes (OpenRouter Terms of Service)EU SCCs Modules 2+3 · UK IDTAPer provider standard API terms
Brave Software, Inc. (Brave Search API)Web search used during enrichment validationSearch queries that can contain company and executive names. No customer data.United StatesYes (Brave Search API Terms)EU SCCs Modules 2+3 · UK IDTAPer Brave Search API terms
Resend (Resend, Inc.)Primary transactional and digest email delivery (digests, alert notifications, magic links, OTP verification, contact-form replies, billing notices)Recipient email address, sender address, subject line, message body, digest contentsUnited StatesYes (Resend DPA · resend.com/legal/dpa)EU SCCs Modules 2+3 · UK IDTA30 days (delivery logs)
SendGrid (Twilio Inc.)Fallback transactional and digest email delivery when Resend is unavailable or rate-limited (same envelope as Resend; selected automatically by the dispatcher when EMAIL_PROVIDER=auto)Recipient email address, sender address, subject line, message body, digest contentsUnited StatesYes (Twilio DPA · twilio.com/legal/data-protection-addendum)EU SCCs Modules 2+3 · UK IDTA30 days (delivery logs)
Slack Technologies LLC (Salesforce, Inc.)Pro+ alert delivery into customer Slack workspaces via an OAuth botWorkspace OAuth tokens, channel IDs, and the alert content delivered into the customer workspaceUnited StatesYes (Salesforce / Slack DPA)EU-US DPF · EU SCCs Modules 2+3 · UK IDTATokens until the integration is disconnected; delivered messages persist in the customer workspace under the customer retention settings
Google Analytics 4 (Google LLC)Website analytics (pageviews, feature usage) on pulsesignal.co and app.pulsesignal.coVisitor IP (truncated to /24), cookies, user agent, referrer, page pathsUnited States / GlobalYes (Google Ads Data Processing Terms)EU-US DPF · EU SCCs Modules 2+314 months
Apollo.io, Inc.GTM prospect contact lookup for PulseSignal outreach (our own go-to-market, not a customer-facing feature)Third-party professional contact data (names, roles, business emails). No customer data.United StatesYes (Apollo DPA)EU SCCs Modules 2+3 · UK IDTAPer Apollo terms
Explorium Ltd.GTM contact enrichment for PulseSignal outreachThird-party professional contact data. No customer data.Israel / United StatesYes (Explorium DPA)EU adequacy (Israel) · EU SCCs Modules 2+3Per Explorium terms
Hunter Web Services SASGTM email finding for PulseSignal outreachThird-party professional contact data. No customer data.France (European Union)Yes (Hunter DPA)EU-internal · adequacyPer Hunter terms
PollinationsHero image generation for blog draftsHeadline text only; no personal dataGermanyNot applicable (no personal data processed)EU-internal · adequacyNot applicable
Bluesky PBCPublic-post firehose reads for mention tracking, plus an authenticated PulseSignal publishing accountPublic posts (outbound read) and our own published content. No customer data.United StatesNot applicable (no customer personal data processed)Not applicableNot applicable
Hashnode Inc.Blog and content publishing accountOur own published content. No customer data.United StatesNot applicable (no customer personal data processed)Not applicableNot applicable
Telegram FZ-LLCInternal operations alerting (engineering on-call only) and admin draft deliveryOperations messages and admin draft text. No customer or company personal data.United Arab Emirates · United States · Germany (multi-region)Not applicable (no customer personal data processed)Not applicableNot applicable
UptimeRobot Service Provider Ltd.External uptime monitoring of production endpointsMonitored endpoint URLs and response metadata. No customer data.Malta (European Union)Not applicable (no customer personal data processed)Not applicableNot applicable
GitHub Actions (Microsoft GitHub Inc.)Common Crawl monthly ingest runnerPublic domain lists, ingest logsUnited StatesYes (GitHub DPA)EU SCCs Modules 2+3 · UK IDTA90 days (action logs)
IPRoyal (UAB IPRoyal)Proxy egress for public-web scraping during enrichmentOutbound public-web requests (product data). No customer data.Lithuania (European Union) · global exit nodesNot applicable (no customer personal data processed)Not applicableNot applicable
ScraperAPIPaid scraping API for antibot-protected public pages during enrichmentOutbound public-web requests (product data). No customer data.United StatesNot applicable (no customer personal data processed)Not applicableNot applicable
UK Companies HousePublic statutory registry lookups (corporate_registry)Outbound read-onlyUnited KingdomNot applicable (public registry)UK adequacyNot applicable
data.gov.in (MCA India)Monthly bulk mirror of the Indian Ministry of Corporate Affairs company master dataOutbound read-onlyIndiaNot applicable (public registry)Not applicable (public data)Not applicable
SEC EDGARPublic US securities filings (sec_edgar)Outbound read-onlyUnited StatesNot applicable (public registry)Not applicable (public data)Not applicable
Common CrawlMonthly read of the public web archive indexOutbound read-onlyUnited StatesNot applicable (public dataset)Not applicable (public data)Not applicable
archive.org Wayback MachineHistorical snapshots of public web pagesOutbound read-onlyUnited StatesNot applicable (public archive)Not applicable (public data)Not applicable

International transfers

PulseSignal’s primary application and database are hosted in the United States (Ashburn, Virginia). Where personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country outside its jurisdiction (principally the United States), we rely on: the European Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Module 2 controller-to-processor and Module 3 processor-to-processor) for EU transfers; the UK International Data Transfer Addendum (IDTA) version B1.0 for UK transfers; and the EU SCCs as modified by the Swiss FDPIC for Swiss transfers. Each transfer is supplemented by technical measures: TLS 1.2+ in transit, AES-256 at rest, structured audit logging, and least-privilege access.

A transfer impact assessment for each US-located sub-processor is available to customers on written request. We monitor the EU-US Data Privacy Framework and equivalent UK / Swiss extensions and will rely on the framework where the sub-processor is certified and the framework is in force.

For transfers from Canada (PIPEDA / Quebec Law 25), Brazil (LGPD), India (DPDP 2023), Singapore (PDPA), and Australia (Privacy Act 1988), see the corresponding section on /privacy/regional.

Sub-processor change notifications

We notify active customers of material additions at least 30 days before the new provider begins processing, via the billing email on file and by an update to this page. Customers on a signed DPA may object on reasonable data-protection grounds; the objection process is described in section 7 of the DPA.

Questions

Contact privacy@pulsesignal.co to raise an objection to a current or proposed sub-processor, to request the relevant DPA documentation, or to receive a transfer impact assessment.