Subprocessors

Draft v1 — Subject to counsel review before launch. This list reflects subprocessors active as of the effective date. We will update this list as subprocessors are added or removed, with reasonable advance notice for material additions.

Effective Date: April 21, 2026

Last Updated: April 21, 2026


This page lists the third-party subprocessors that [Operating Entity] uses to provide the SoloSearcher Service. A subprocessor is any third party that processes personal data on our behalf.

All subprocessors are contractually required to process data only as instructed, implement appropriate security measures, and comply with applicable data protection law.


Active Subprocessors

| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Clerk, Inc. | Authentication & identity | Email, name, session tokens, login metadata | United States |
| Neon, Inc. | PostgreSQL database | All user and deal data at rest | United States |
| Vercel, Inc. | Application hosting | Request logs, function execution metadata | United States / Global CDN |
| Cloudflare, Inc. (R2) | Object storage | Uploaded documents (CIMs, financials, attachments) | United States |
| Anthropic, PBC | AI analysis (Claude API) | Deal data, financial metrics, prompts | United States |
| PostHog, Inc. | Product analytics | Page views, feature events, session metadata | United States |
| Intuit, Inc. (QuickBooks) | Financial data integration | User-authorized financial reports (P&L, Balance Sheet) | United States |
| Brave Software, Inc. | Website enrichment | Company domain lookups for research enrichment | United States |
| Hunter.io (Anadeea SRL) | Email discovery | Company domains for broker/contact email lookup | Romania / EU |


Subprocessor Details

Clerk, Inc.

Purpose: Authentication, session management, and user identity.

Data Processed:

  • Email address
  • Display name
  • Hashed password (stored by Clerk, never by us)
  • Session tokens and device identifiers
  • Login timestamps, IP addresses, user agent strings
  • MFA enrollment status

Location: United States

Security Certification: SOC 2 Type II

DPA / Terms: Clerk Data Processing Agreement · Clerk Privacy Policy

Note: The Service currently uses Clerk test-tier keys. Production Clerk keys and a formal DPA will be in place before broader user onboarding.


Neon, Inc.

Purpose: Primary PostgreSQL database. All application data is stored here.

Data Processed:

  • User profile data (from Clerk, synced)
  • All deal and pipeline data (companies, contacts, brokers, financials)
  • Outreach activity logs
  • AI invocation logs
  • Audit logs

Location: United States (AWS us-east-1 region)

Security Certification: SOC 2 Type II

DPA / Terms: Neon Privacy Policy · Neon Terms of Service


Vercel, Inc.

Purpose: Application hosting, serverless function execution, and global CDN.

Data Processed:

  • HTTP request logs (URL, status code, IP address, user agent, response time)
  • Serverless function execution logs
  • Build logs

Location: United States, with edge nodes globally

Security Certification: SOC 2 Type II

DPA / Terms: Vercel Data Processing Addendum · Vercel Privacy Policy


Cloudflare, Inc. (R2)

Purpose: Object storage for uploaded financial documents and attachments.

Data Processed:

  • CIMs (Confidential Information Memoranda)
  • Tax returns and financial statements
  • Other user-uploaded documents

Location: United States

Security Certification: ISO 27001, SOC 2 Type II

DPA / Terms: Cloudflare GDPR · Cloudflare Privacy Policy


Anthropic, PBC

Purpose: AI-powered deal analysis using the Claude API.

Data Processed:

  • Company financial data and metrics
  • Deal pipeline data and qualitative notes
  • Prior analysis results
  • Prompts generated by our analysis skill system

Location: United States

Security Certification: SOC 2 Type II (in progress as of effective date — verify current status at anthropic.com)

DPA / Terms: Anthropic Privacy Policy · Anthropic Usage Policy

AI Training: Anthropic does not use API-submitted data for model training under their standard API usage policy.


PostHog, Inc.

Purpose: Product analytics — understanding how the Service is used to improve it.

Data Processed:

  • Page view events
  • Feature interaction events (anonymized where possible)
  • Session metadata (browser, OS, approximate location derived from IP)
  • User identifier (Clerk user ID, hashed)

Location: United States (EU-hosted option available if required)

Security Certification: SOC 2 Type II

DPA / Terms: PostHog Privacy Policy · PostHog DPA


Intuit, Inc. (QuickBooks)

Purpose: User-initiated financial data pull via QuickBooks Online OAuth integration.

Data Processed:

  • OAuth tokens (access + refresh) — stored encrypted in our database
  • Financial reports retrieved on user request: Profit & Loss, Balance Sheet, Cash Flow Statement

Location: United States

Security Certification: SOC 2 Type II

DPA / Terms: Intuit Privacy Policy · QuickBooks API Terms

Note: QuickBooks data is only accessed when you explicitly authorize the integration. We do not access QuickBooks data without your action.


Brave Software, Inc.

Purpose: Website enrichment — fetching publicly available information about target companies to enrich deal records.

Data Processed:

  • Company domain names submitted for enrichment
  • Search queries for company research (no personal data transmitted beyond the company domain)

Location: United States

Security Certification: Not published (as of effective date)

DPA / Terms: Brave Privacy Policy · Brave Search API Terms


Hunter.io (Anadeea SRL)

Purpose: Email discovery — finding and verifying email addresses for broker and business-owner contacts.

Data Processed:

  • Company domain names submitted for email lookup
  • Contact names (first name + last name) for pattern-based email guessing
  • Email addresses returned by Hunter's API (stored in our database)

Location: Romania (EU) — Hunter.io is GDPR-compliant

Security Certification: GDPR compliant

DPA / Terms: Hunter.io Privacy Policy · Hunter.io Terms

Note: Email addresses discovered via Hunter.io may relate to individuals. Ensure your outreach use of discovered emails complies with CAN-SPAM, GDPR Article 6 (legitimate interest), and any applicable local law.


Subprocessors Not Yet Active

The following services are planned but not yet in production. They will be added to this list before being activated:

| Service | Planned Purpose | Target Release |
|---|---|---|
| Stripe, Inc. | Payment processing | T6a |
| Upstash | Redis queue / rate limiting | T5 |
| Inngest | Background job orchestration | N1b |


Subprocessor Change Notification

We will publish updates to this list at least 10 days before adding a new subprocessor. Material subprocessor changes will also be communicated via in-app notification.

To subscribe to subprocessor change notifications, contact privacy@[domain placeholder].


Version: v1 · Effective: 2026-04-21