Subprocessors
Draft v2 — Subject to counsel review. This list reflects subprocessors active as of the effective date, verified against the live system. We will update this list as subprocessors are added or removed, with reasonable advance notice for material additions.
Effective Date: July 9, 2026
Last Updated: July 9, 2026
This page lists the third-party subprocessors that [Operating Entity] uses to provide the SoloSearcher Service. A subprocessor is any third party that processes personal data on our behalf. All subprocessors are contractually required to process data only as instructed, implement appropriate security measures, and comply with applicable data protection law.
A note on scope: the Service's shared baseline consists of public-record business data (not Service users' personal data). Two entries below (geocoding) receive only shared-baseline business addresses and are listed for transparency even though they process no user personal data.
Active Subprocessors
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Clerk, Inc. | Authentication & identity | Email, name, session tokens, login metadata | United States |
| Neon, Inc. | PostgreSQL database | All application data at rest (private workspace data encrypted per user) | United States |
| Vercel, Inc. | Application hosting | Request logs, function execution metadata | United States / Global CDN |
| Cloudflare, Inc. (R2) | Object storage | Uploaded documents, encrypted at the application layer before storage | United States |
| Anthropic, PBC | AI analysis (Claude API) | Company data and prompts for analyses you initiate | United States |
| Stripe, Inc. | Waitlist card verification; future billing | Email, card details (collected directly by Stripe — never by us), verification identifiers | United States |
| Upstash, Inc. | Rate limiting | Request counters keyed by account/network identifiers — no content | United States |
| Functional Software, Inc. (Sentry) | Error monitoring | Error reports with private content redacted before transmission | United States |
| U.S. Census Bureau (geocoder) | Geocoding | Shared-baseline business addresses only | United States |
| OpenStreetMap Foundation (Nominatim) | Geocoding fallback | Shared-baseline business addresses only | EU |
Subprocessor Details
Clerk, Inc.
Purpose: Authentication, session management, MFA, and invitation/waitlist gating.
Data Processed: email address, display name, session tokens and device identifiers, login timestamps, IP addresses, user agents, MFA enrollment status. Passwords, where used, are stored by Clerk — never by us.
Location: United States · Certification: SOC 2 Type II
DPA / Terms: Clerk DPA · Clerk Privacy Policy
Neon, Inc.
Purpose: Primary PostgreSQL database; all application data at rest.
Data Processed: shared-baseline business records; your private workspace rows. Sensitive private content (document ciphertext references, extracted financials) is encrypted with your per-user key at the application layer; database row-level security restricts the application's read/write role to the requesting account's rows.
Location: United States · Certification: SOC 2 Type II
DPA / Terms: Neon DPA · Neon Privacy Policy
Vercel, Inc.
Purpose: Application hosting, serverless functions, CDN.
Data Processed: HTTP request metadata (URL, status, IP, user agent), function execution logs. Application logs are written to avoid private deal content by policy and by redaction helpers.
Location: United States / Global CDN · Certification: SOC 2 Type II
DPA / Terms: Vercel DPA · Vercel Privacy Policy
Cloudflare, Inc. (R2)
Purpose: Object storage for uploaded documents.
Data Processed: documents you upload (CIMs, financial statements). Files are sealed with application-layer encryption before storage, in addition to R2's own at-rest encryption; objects are purged on account deletion.
Location: United States · Certification: SOC 2 Type II, ISO 27001
DPA / Terms: Cloudflare DPA · Cloudflare Privacy Policy
Anthropic, PBC
Purpose: AI analysis (Claude API) — document extraction and analysis skills you initiate.
Data Processed: company data, document content, and prompts for the specific analysis you run. Anthropic does not use API-submitted data for model training under its standard API terms. Invocations are logged on our side with cost metadata only.
Location: United States
DPA / Terms: Anthropic Commercial Terms · Anthropic Privacy Policy
Stripe, Inc.
Purpose: Card verification for waitlist founding reservations; future subscription billing.
Data Processed: email, payment card details (entered on Stripe-hosted surfaces — card numbers never reach our servers), customer and setup-intent identifiers. We store only Stripe's identifiers.
Location: United States · Certification: PCI DSS Level 1, SOC 2
DPA / Terms: Stripe DPA · Stripe Privacy Policy
Upstash, Inc.
Purpose: Redis-backed rate limiting and abuse prevention.
Data Processed: request counters keyed by account ID, API-key prefix, or network address. Counters only — no user content is stored.
Location: United States · Certification: SOC 2 Type II
DPA / Terms: Upstash DPA · Upstash Privacy Policy
Functional Software, Inc. (Sentry)
Purpose: Application error monitoring.
Data Processed: error reports (stack traces, request context). Our integration redacts private deal content and personal data from events before transmission.
Location: United States · Certification: SOC 2 Type II
DPA / Terms: Sentry DPA · Sentry Privacy Policy
U.S. Census Bureau geocoder & OpenStreetMap Nominatim
Purpose: Converting business street addresses to map coordinates for radius search.
Data Processed: shared-baseline business addresses only (public-record data). No user identity, account data, or private workspace content is ever sent. Nominatim usage follows the OSM Foundation's usage policy (throttled, attributed).
Location: United States (Census) / EU (OSMF)
Removed Since v1
The following v1 subprocessors are no longer in use and no longer receive data: PostHog (analytics — removed), Intuit/QuickBooks (integration retired), Brave Software (research enrichment — retired from the product; any future operator-side research tooling will be re-listed if it processes personal data), Hunter.io (email discovery — retired with the outreach feature set).
Version: v2 · Draft: 2026-07-09