Sub-processors
Last updated: 25 April 2026
PulseSignal engages the service providers listed below to operate the platform. Providers marked “Outbound read-only” are public data sources we read from; they are not processors of PulseSignal user data. Providers marked with a Data Processing Addendum (DPA) process PulseSignal user or company data under a written contract with data-protection obligations consistent with GDPR Article 28.
We will notify active customers of material sub-processor additions at least 30 days before they begin processing, via the email on file for the account and an update to this page. Objection handling is described in our Privacy Policy.
| Sub-processor | Purpose | Data category | Location | DPA |
|---|---|---|---|---|
| Railway | Application + PostgreSQL hosting (backend workers, database, scheduler) | All customer + company data | United States (us-east) | Yes (Railway Terms of Service) |
| Vercel | Frontend hosting (pulsesignal.co) | Visitor metadata only | United States (global edge) | Yes (Vercel Data Processing Addendum) |
| Groq | LLM inference for briefings, validators, and custom alert expression evaluation | Prompts that reference third-party company names and public observations | United States | Yes (Groq Cloud Terms of Service) |
| SambaNova | LLM inference (fallback provider) | Same as Groq | United States | Yes (SambaNova SambaCloud Terms of Service) |
| Cloudflare Workers AI | LLM inference (fallback provider) | Same as Groq | Global edge | Yes (Cloudflare Data Processing Addendum) |
| OpenRouter | LLM inference (fallback provider) | Same as Groq | United States | Yes (OpenRouter Terms of Service) |
| Amazon SES | Transactional and digest email delivery (fallback provider when Postmark is unavailable) | Recipient email address, message body, digest contents | United States | Yes (AWS Service Terms + Data Processing Addendum) |
| Google Analytics 4 | Website analytics (pageviews, feature usage) on pulsesignal.co | Visitor IP (truncated), cookies, user agent, referrer, page paths | United States / Global | Yes (Google Ads Data Processing Terms) |
| Postmark | Transactional and digest email delivery (IL1-E digests, alert notifications, magic links) | Recipient email address, message body, digest contents | United States | Yes (ActiveCampaign Postmark DPA) |
| Telegram | Internal operations alerting (engineering on-call only) | Operations messages. No customer or company data. | Germany / United States | Not applicable (no personal data processed) |
| GitHub Actions | Common Crawl monthly ingest runner, scheduled index refresh jobs | Public domain lists, ingest logs | United States | Yes (GitHub DPA) |
| GitHub REST API | Public organisation and repository metadata (github_intelligence module) | Outbound read-only | United States | Not applicable (read-only public data) |
| UK Companies House | Public statutory registry lookups (corporate_registry, corporate_graph) | Outbound read-only | United Kingdom | Not applicable (public registry) |
| data.gov.in (MCA India) | Monthly bulk mirror of the Indian Ministry of Corporate Affairs company master data | Outbound read-only | India | Not applicable (public registry) |
| SEC EDGAR | Public US securities filings (sec_edgar, corporate_graph) | Outbound read-only | United States | Not applicable (public registry) |
| Common Crawl | Monthly read of the public web archive index (company_discovery) | Outbound read-only | United States | Not applicable (public dataset) |
| WIPO UDRP | Public domain-name dispute records (litigation_signals) | Outbound read-only | Switzerland | Not applicable (public registry) |
| FedRAMP Marketplace, B Corp, 1% for the Planet, GLEIF | Public certification and legal-entity registries (esg_certifications) | Outbound read-only | United States / Switzerland | Not applicable (public registry) |
| USAspending.gov, SAM.gov, Senate Lobbying Disclosure Act | Public federal contracting and lobbying records (regulatory_presence) | Outbound read-only | United States | Not applicable (public registry) |
| FDA, FTC, FCC, CPSC, OSHA, EPA ECHO | Public federal enforcement records (agency_actions) | Outbound read-only | United States | Not applicable (public registry) |
| CourtListener (Free Law Project) | Public federal and state court docket data (litigation_signals) | Outbound read-only | United States | Not applicable (public court record) |
| archive.org Wayback Machine | Historical snapshots of public web pages (wayback_trajectory) | Outbound read-only | United States | Not applicable (public archive) |
| Google PageSpeed Insights, SSL Labs, W3C Nu Validator | Public web-performance and security scanners (web_performance) | Outbound request of public URLs | United States / Global | Not applicable (public scanners) |
International transfers
Most sub-processors that handle personal data are based in the United States. For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on the European Commission Standard Contractual Clauses (SCCs) incorporated in each provider’s DPA, together with supplementary technical measures (transport encryption, at-rest encryption, access logging).
Questions
Contact privacy@pulsesignal.co to raise an objection to a current or proposed sub-processor, or to request the relevant DPA documentation.