Effective date: May 8, 2026
Last updated: May 9, 2026
Last updated: May 9, 2026
1. What is a sub-processor?
Consistent with Article 28 of the GDPR, a “sub-processor” is a third party that Neuroscale engages to process Customer Personal Data on our behalf — for example, a cloud-infrastructure provider that hosts the database where Customer Personal Data is stored. Sub-processors are bound by written contracts that impose data-protection obligations no less protective than those in our DPA with the customer. This page does not list every vendor Neuroscale uses. It lists vendors that may process Customer Personal Data on our behalf to deliver the services, plus a small number of operational vendors whose access to Customer Personal Data is incidental and tightly scoped (e.g., logging, monitoring). Internal-only tools that do not process Customer Personal Data are out of scope of this list.2. Notification of changes
We commit to providing customers with at least 30 days advance notice before adding a new sub-processor that will process Customer Personal Data, or at least 14 days notice where exigent circumstances exist (for example, where adding the sub-processor is necessary to address a security or availability issue). Customers may object to a new sub-processor as set out in the DPA. To receive sub-processor change notifications by email, subscribe through the Neuroscale Trust Center on Vanta (trust.neuroscale.ai) using the “Subscribe to updates” option. Email privacy@neuroscale.ai if you cannot access the Trust Center and we will add you to the notification list directly. Neuroscale may, in the future, migrate this subscription mechanism to a HubSpot or in-house form; the email address you supply through the Trust Center will be carried over and the next notice will reference the new endpoint.
3. Current sub-processors
The “Transfer mechanism” column indicates how cross-border transfers are addressed where the sub-processor processes data outside the data subject’s country: DPF = the EU-U.S. Data Privacy Framework (and UK Extension / Swiss-U.S. DPF where applicable); SCCs = the EU Standard Contractual Clauses (and UK International Data Transfer Addendum where applicable); DPA = a written data processing agreement with the sub-processor; N/A = domestic processing where no cross-border transfer mechanism is required for the relevant data.| Subprocessor | Service | Subprocessing location(s) | Personal data categories | Transfer mechanism |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Primary cloud hosting (compute, storage, database, secrets, KMS); AWS Textract for optical character recognition of submitted documents | US East (us-east-1) and US West (us-west-2). No EU regions in current production deployment; Neuroscale will update this row before any EU-region rollout. | All Customer Personal Data submitted to the services | DPF + SCCs |
| Vultr (Constant Company, LLC) | Secondary cloud hosting — Vultr Cloud Compute, Vultr Bare Metal, Vultr Object Storage, Vultr Kubernetes Engine. Hosts a portion of production compute and database workloads alongside AWS. | US (Vultr US data centers — typically NJ / IL / TX / CA / WA). No EU regions in current production deployment; Neuroscale will update this row before any EU-region rollout. | Customer Personal Data routed to Vultr-hosted services | DPA + SCCs |
| Microsoft 365 | Corporate email (Outlook), document collaboration (SharePoint), eDiscovery (Purview) | US | Workforce data; inbound business communications that may contain personal data of customer contacts | DPF + SCCs |
| Rippling | IdP / SSO, MDM, EDR, HRIS | US | Workforce identity, device inventory, device telemetry | DPF + SCCs |
| Better Stack | Logs, error tracking, uptime monitoring, incident on-call paging | US | Operational and application logs; workforce contact details and alert metadata; no Customer Personal Data content | DPF + SCCs |
| Anthropic | Third-party AI model provider — Claude API used in customer-facing product features | US | Model inputs and outputs for the relevant feature; Customer Personal Data only when the customer-facing feature requires it | DPA + SCCs |
| OpenAI | Third-party AI model provider — ChatGPT / API used in customer-facing product features | US | Model inputs and outputs for the relevant feature; Customer Personal Data only when the customer-facing feature requires it | DPA + SCCs |
| xAI | Third-party AI model provider — Grok API used in customer-facing product features | US | Model inputs and outputs for the relevant feature; Customer Personal Data only when the customer-facing feature requires it | DPA + SCCs |
| Cerebras | Third-party AI inference provider (cerebras.ai) used in customer-facing product features | US | Model inputs and outputs for the relevant feature; Customer Personal Data only when the customer-facing feature requires it | DPA + SCCs |
| Portkey AI | LLM-gateway service routing model traffic to upstream AI providers | US | Customer prompts and model outputs transiting the gateway to upstream model providers | DPA + SCCs |
| WorkOS | Authentication, single sign-on, and organization and membership management | US | End-user authentication identifiers and organization metadata | DPA + SCCs |
| Resend | Transactional email delivery | US | Recipient email addresses and message content | DPA + SCCs |
| Temporal Cloud | Background workflow orchestration | US | Workflow payloads, which may include Customer Personal Data | DPA + SCCs |
| Vercel | Frontend hosting and edge runtime for the Neuroscale services | US | Request metadata and Customer Personal Data transiting the frontend | DPA + SCCs |
| People Data Labs | Person-profile enrichment | US | Identifiers and profile attributes submitted to and returned from the enrichment service | DPA + SCCs |
| RocketReach | Contact-discovery lookups | US | Identifiers submitted for lookup and returned contact attributes | DPA + SCCs |
| Kickbox | Email-address deliverability validation | US | Email addresses submitted for validation | DPA + SCCs |
| NumVerify (APILayer) | Phone-number validation and carrier lookup | US | Phone numbers submitted for validation | DPA + SCCs |
| Vanta | Compliance management and training (LMS) | US | Workforce metadata | DPF |
| Linear | Ticketing | US | Workforce-generated content | DPF + SCCs |
| GitHub | Source control and CI/CD | US | Neuroscale-employee data; source code | DPF + SCCs |
| Dashlane | Password manager | US | Workforce credentials | DPF + SCCs |
| Material | Email security | US | Inbound corporate email | DPA + SCCs |
| Cloudflare | Cloudflare One — VPN (WARP), Zero Trust access (Access), and DNS/HTTP filtering (Gateway); standard network layer for all staff | US | Workforce network metadata, identity, device-posture signals, DNS/HTTP metadata | DPA + SCCs |
| Tailscale | Restricted-use VPN for production-infrastructure access by Engineering On-call and authorized engineers | US | Network metadata for the production-access cohort only | DPA + SCCs |
| Detectify | Vulnerability scanning | Sweden | Scan results; no Customer Personal Data | SCCs |
| Checkr | Background checks (workforce only) | US | Workforce data (with consent) | DPA + SCCs |
Some of the entries above relate to workforce-only data and do not involve Customer Personal Data; we list them for transparency about the broader supply chain that supports the services.
4. Affiliates
Neuroscale’s affiliates (entities under common control with NEUROSCALE LLC) may also process Customer Personal Data on Neuroscale’s behalf, subject to the same contractual protections that apply to sub-processors.5. Subscribing to changes
To be notified when a sub-processor is added, removed, or replaced, subscribe through the Neuroscale Trust Center on Vanta (trust.neuroscale.ai) using the “Subscribe to updates” option, or email privacy@neuroscale.ai to be added directly. Subscribers receive notice consistent with our DPA commitments.
6. Contact
- Privacy: privacy@neuroscale.ai
- Legal / DPA: legal@neuroscale.ai
- Postal: NEUROSCALE LLC, 46175 Westlake Dr Ste 300, Sterling, VA 20165