Effective date: May 8, 2026
Last updated: May 14, 2026
This page lists the sub-processors that NEUROSCALE LLC (“Neuroscale”) engages to process customer personal data (“Customer Personal Data”) in connection with the Neuroscale services. It supports our Data Processing Addendum (DPA) and our Privacy Notice.

1. What is a sub-processor?

Consistent with Article 28 of the GDPR, a “sub-processor” is a third party that Neuroscale engages to process Customer Personal Data on our behalf — for example, a cloud-infrastructure provider that hosts the database where Customer Personal Data is stored. Sub-processors are bound by written contracts that impose data-protection obligations no less protective than those in our DPA with the customer. This page does not list every vendor Neuroscale uses. It lists vendors that may process Customer Personal Data on our behalf to deliver the services, plus a small number of operational vendors whose access to Customer Personal Data is incidental and tightly scoped (e.g., logging, monitoring). Internal-only tools that do not process Customer Personal Data are out of scope of this list.

2. Notification of changes

We commit to providing customers with at least 30 days advance notice before adding a new sub-processor that will process Customer Personal Data, or at least 14 days notice where exigent circumstances exist (for example, where adding the sub-processor is necessary to address a security or availability issue). Customers may object to a new sub-processor as set out in the DPA. To receive sub-processor change notifications by email, subscribe through the Neuroscale Trust Center (Vanta-hosted) using the “Subscribe to updates” option. Email privacy@neuroscale.ai if you cannot access the Trust Center and we will add you to the notification list directly.

3. Current sub-processors

The “Transfer mechanism” column indicates how cross-border transfers are addressed where the sub-processor processes data outside the data subject’s country: DPF = the EU-U.S. Data Privacy Framework (and UK Extension / Swiss-U.S. DPF where applicable); SCCs = the EU Standard Contractual Clauses (and UK International Data Transfer Addendum where applicable); DPA = a written data processing agreement with the sub-processor; N/A = domestic processing where no cross-border transfer mechanism is required for the relevant data.
DPF column note. “DPF” in the Transfer mechanism column refers to the named sub-processor’s certification under the EU-U.S. DPF (and where applicable the UK Extension and Swiss-U.S. DPF). Neuroscale’s own DPF certification is in progress as described in the Cross-Border Transfers Procedure; until Neuroscale’s certification is issued, transfers from the EEA / UK / Switzerland into Neuroscale’s US operations rely on the SCCs and the UK Addendum incorporated into Neuroscale’s DPA, with supplementary measures. Each row that lists “DPF + SCCs” therefore reflects (a) the sub-processor’s own DPF posture and (b) SCC-based backstop in the event the sub-processor’s DPF certification is suspended, lapses, or is invalidated.
SubprocessorServiceSubprocessing location(s)Personal data categoriesTransfer mechanism
Amazon Web Services (AWS)Primary cloud hosting (compute, storage, database, secrets, KMS); AWS Textract for optical character recognition of submitted documentsUS East (us-east-1) and US West (us-west-2). No EU regions in current production deployment; Neuroscale will update this row before any EU-region rollout.All Customer Personal Data submitted to the servicesDPF + SCCs
Vultr (Constant Company, LLC)Secondary cloud hosting — Vultr Cloud Compute, Vultr Bare Metal, Vultr Object Storage, Vultr Kubernetes Engine. Hosts a portion of production compute and database workloads alongside AWS.US (Vultr US data centers — typically NJ / IL / TX / CA / WA). No EU regions in current production deployment; Neuroscale will update this row before any EU-region rollout.Customer Personal Data routed to Vultr-hosted servicesDPA + SCCs
Microsoft 365Corporate email (Outlook), document collaboration (SharePoint), eDiscovery (Purview)USWorkforce data; inbound business communications that may contain personal data of customer contactsDPF + SCCs
RipplingIdP / SSO, MDM, EDR, HRISUSWorkforce identity, device inventory, device telemetryDPF + SCCs
Better StackLogs, error tracking, uptime monitoring, incident on-call pagingUSOperational and application logs; workforce contact details and alert metadata; no Customer Personal Data contentDPF + SCCs
AnthropicThird-party AI model provider — Claude API used in customer-facing product featuresUSModel inputs and outputs for the relevant feature; Customer Personal Data only when the customer-facing feature requires itDPA + SCCs
OpenAIThird-party AI model provider — ChatGPT / API used in customer-facing product featuresUSModel inputs and outputs for the relevant feature; Customer Personal Data only when the customer-facing feature requires itDPA + SCCs
xAIThird-party AI model provider — Grok API used in customer-facing product featuresUSModel inputs and outputs for the relevant feature; Customer Personal Data only when the customer-facing feature requires itDPA + SCCs
CerebrasThird-party AI inference provider (cerebras.ai) used in customer-facing product featuresUSModel inputs and outputs for the relevant feature; Customer Personal Data only when the customer-facing feature requires itDPA + SCCs
Portkey AILLM-gateway service routing model traffic to upstream AI providersUSCustomer prompts and model outputs transiting the gateway to upstream model providersDPA + SCCs
WorkOSAuthentication, single sign-on, and organization and membership management for customer-facing product featuresUSEnd-user authentication identifiers and organization metadataDPA + SCCs
ResendTransactional email deliveryUSRecipient email addresses and message contentDPA + SCCs
NylasEmail-account sync and send-on-behalf-of for outreach featuresUSConnected-mailbox content and metadata, including candidate email correspondenceDPA + SCCs
UnipileLinkedIn-account connection and messaging for outreach featuresUSCandidate LinkedIn profile and messaging data for connected accountsDPA + SCCs
OVH US (OVH US LLC)Object storage for candidate profile/avatar imagesUSCandidate profile imagesDPA + SCCs
StripeSubscription billing and payment processingUSCustomer billing-contact identifiers and payment metadata (no card data stored by Neuroscale)DPF + SCCs
Temporal CloudBackground workflow orchestrationUSWorkflow payloads, which may include Customer Personal DataDPA + SCCs
VercelFrontend hosting and edge runtime for the Neuroscale servicesUSRequest metadata and Customer Personal Data transiting the frontendDPA + SCCs
People Data LabsPerson-profile enrichmentUSIdentifiers and profile attributes submitted to and returned from the enrichment serviceDPA + SCCs
RocketReachContact-discovery lookupsUSIdentifiers submitted for lookup and returned contact attributesDPA + SCCs
KickboxEmail-address deliverability validationUSEmail addresses submitted for validationDPA + SCCs
NumVerify (APILayer)Phone-number validation and carrier lookupUSPhone numbers submitted for validationDPA + SCCs
VantaCompliance management and training (LMS)USWorkforce metadataDPF + SCCs
LinearTicketingUSWorkforce-generated contentDPF + SCCs
GitHubSource control and CI/CDUSNeuroscale-employee data; source codeDPF + SCCs
DashlanePassword managerUSWorkforce credentialsDPF + SCCs
CloudflareCloudflare One — VPN (WARP), Zero Trust access (Access), and DNS/HTTP filtering (Gateway); standard network layer for all staffUSWorkforce network metadata, identity, device-posture signals, DNS/HTTP metadataDPA + SCCs
TailscaleRestricted-use VPN for production-infrastructure access by Engineering On-call and authorized engineersUSNetwork metadata for the production-access cohort onlyDPA + SCCs
SnykSoftware-composition / dependency vulnerability scanning (CI)USDependency manifests and scan results; no Customer Personal DataDPF + SCCs
CheckrBackground checks (workforce only)USWorkforce data (with consent)DPA + SCCs
Some of the entries above relate to workforce-only data and do not involve Customer Personal Data; we list them for transparency about the broader supply chain that supports the services.

3.1 Website / marketing analytics and advertising recipients

The recipients below are website and marketing-tier recipients, not product sub-processors: they receive limited Visitor data (e.g., cookie identifiers, device/usage signals) collected on Neuroscale’s public marketing websites, and they do not process Customer Personal Data submitted to the Arbi services. Non-essential tags load only after the corresponding cookie consent is granted. The cookies and similar technologies these recipients set are described in the Cookie Notice.
RecipientServiceLocationData categoriesTransfer mechanism
Mixpanel, Inc.Product and marketing analytics, funnel and retention measurement (marketing website)USCookie identifiers; website usage and event dataDPF + SCCs
LinkedIn CorporationLinkedIn Insight Tag — marketing campaign measurement and audience insightsUSCookie identifiers; ad-engagement and conversion signalsDPF + SCCs
Meta Platforms, Inc.Meta Pixel — marketing campaign measurement and audience insightsUSCookie identifiers; ad-engagement and conversion signalsSCCs
Google LLCGoogle Ads — conversion measurement and audience insightsUSCookie identifiers; ad-engagement and conversion signalsDPF + SCCs
OpenAI, LLCOpenAI pixel — advertising / conversion measurement and audience insightsUSCookie identifiers; ad-engagement and conversion signalsDPF + SCCs
Cookiebot (Cybot A/S)Cookie-consent management platform on Neuroscale’s public websitesEU (Denmark)Cookie-consent state; IP address (truncated); user-agentSCCs

4. Affiliates

Neuroscale’s affiliates (entities under common control with NEUROSCALE LLC) may also process Customer Personal Data on Neuroscale’s behalf, subject to the same contractual protections that apply to sub-processors.

5. Subscribing to changes

To be notified when a sub-processor is added, removed, or replaced, subscribe through the Neuroscale Trust Center (Vanta-hosted) using the “Subscribe to updates” option, or email privacy@neuroscale.ai to be added directly. Subscribers receive notice consistent with our DPA commitments.

6. Contact

For our overall privacy program, see the Privacy Notice.