Subprocessors

Draft v2 — Subject to counsel review. This list reflects subprocessors active as of the effective date, verified against the live system. We will update this list as subprocessors are added or removed, with reasonable advance notice for material additions.

Effective Date: July 9, 2026

Last Updated: July 9, 2026


This page lists the third-party subprocessors that [Operating Entity] uses to provide the SoloSearcher Service. A subprocessor is any third party that processes personal data on our behalf. All subprocessors are contractually required to process data only as instructed, implement appropriate security measures, and comply with applicable data protection law.

A note on scope: the Service's shared baseline consists of public-record business data (not Service users' personal data). Two entries below (geocoding) receive only shared-baseline business addresses and are listed for transparency even though they process no user personal data.


Active Subprocessors

SubprocessorPurposeData ProcessedLocation
Clerk, Inc.Authentication & identityEmail, name, session tokens, login metadataUnited States
Neon, Inc.PostgreSQL databaseAll application data at rest (private workspace data encrypted per user)United States
Vercel, Inc.Application hostingRequest logs, function execution metadataUnited States / Global CDN
Cloudflare, Inc. (R2)Object storageUploaded documents, encrypted at the application layer before storageUnited States
Anthropic, PBCAI analysis (Claude API)Company data and prompts for analyses you initiateUnited States
Stripe, Inc.Waitlist card verification; future billingEmail, card details (collected directly by Stripe — never by us), verification identifiersUnited States
Upstash, Inc.Rate limitingRequest counters keyed by account/network identifiers — no contentUnited States
Functional Software, Inc. (Sentry)Error monitoringError reports with private content redacted before transmissionUnited States
U.S. Census Bureau (geocoder)GeocodingShared-baseline business addresses onlyUnited States
OpenStreetMap Foundation (Nominatim)Geocoding fallbackShared-baseline business addresses onlyEU

Subprocessor Details

Clerk, Inc.

Purpose: Authentication, session management, MFA, and invitation/waitlist gating.

Data Processed: email address, display name, session tokens and device identifiers, login timestamps, IP addresses, user agents, MFA enrollment status. Passwords, where used, are stored by Clerk — never by us.

Location: United States · Certification: SOC 2 Type II

DPA / Terms: Clerk DPA · Clerk Privacy Policy


Neon, Inc.

Purpose: Primary PostgreSQL database; all application data at rest.

Data Processed: shared-baseline business records; your private workspace rows. Sensitive private content (document ciphertext references, extracted financials) is encrypted with your per-user key at the application layer; database row-level security restricts the application's read/write role to the requesting account's rows.

Location: United States · Certification: SOC 2 Type II

DPA / Terms: Neon DPA · Neon Privacy Policy


Vercel, Inc.

Purpose: Application hosting, serverless functions, CDN.

Data Processed: HTTP request metadata (URL, status, IP, user agent), function execution logs. Application logs are written to avoid private deal content by policy and by redaction helpers.

Location: United States / Global CDN · Certification: SOC 2 Type II

DPA / Terms: Vercel DPA · Vercel Privacy Policy


Cloudflare, Inc. (R2)

Purpose: Object storage for uploaded documents.

Data Processed: documents you upload (CIMs, financial statements). Files are sealed with application-layer encryption before storage, in addition to R2's own at-rest encryption; objects are purged on account deletion.

Location: United States · Certification: SOC 2 Type II, ISO 27001

DPA / Terms: Cloudflare DPA · Cloudflare Privacy Policy


Anthropic, PBC

Purpose: AI analysis (Claude API) — document extraction and analysis skills you initiate.

Data Processed: company data, document content, and prompts for the specific analysis you run. Anthropic does not use API-submitted data for model training under its standard API terms. Invocations are logged on our side with cost metadata only.

Location: United States

DPA / Terms: Anthropic Commercial Terms · Anthropic Privacy Policy


Stripe, Inc.

Purpose: Card verification for waitlist founding reservations; future subscription billing.

Data Processed: email, payment card details (entered on Stripe-hosted surfaces — card numbers never reach our servers), customer and setup-intent identifiers. We store only Stripe's identifiers.

Location: United States · Certification: PCI DSS Level 1, SOC 2

DPA / Terms: Stripe DPA · Stripe Privacy Policy


Upstash, Inc.

Purpose: Redis-backed rate limiting and abuse prevention.

Data Processed: request counters keyed by account ID, API-key prefix, or network address. Counters only — no user content is stored.

Location: United States · Certification: SOC 2 Type II

DPA / Terms: Upstash DPA · Upstash Privacy Policy


Functional Software, Inc. (Sentry)

Purpose: Application error monitoring.

Data Processed: error reports (stack traces, request context). Our integration redacts private deal content and personal data from events before transmission.

Location: United States · Certification: SOC 2 Type II

DPA / Terms: Sentry DPA · Sentry Privacy Policy


U.S. Census Bureau geocoder & OpenStreetMap Nominatim

Purpose: Converting business street addresses to map coordinates for radius search.

Data Processed: shared-baseline business addresses only (public-record data). No user identity, account data, or private workspace content is ever sent. Nominatim usage follows the OSM Foundation's usage policy (throttled, attributed).

Location: United States (Census) / EU (OSMF)


Removed Since v1

The following v1 subprocessors are no longer in use and no longer receive data: PostHog (analytics — removed), Intuit/QuickBooks (integration retired), Brave Software (research enrichment — retired from the product; any future operator-side research tooling will be re-listed if it processes personal data), Hunter.io (email discovery — retired with the outreach feature set).


Version: v2 · Draft: 2026-07-09