Effective date: May 8, 2026
Last updated: May 14, 2026
Last updated: May 14, 2026
1. What is a sub-processor?
Consistent with Article 28 of the GDPR, a “sub-processor” is a third party that Neuroscale engages to process Customer Personal Data on our behalf — for example, a cloud-infrastructure provider that hosts the database where Customer Personal Data is stored. Sub-processors are bound by written contracts that impose data-protection obligations no less protective than those in our DPA with the customer. This page does not list every vendor Neuroscale uses. It lists vendors that may process Customer Personal Data on our behalf to deliver the services, plus a small number of operational vendors whose access to Customer Personal Data is incidental and tightly scoped (e.g., logging, monitoring). Internal-only tools that do not process Customer Personal Data are out of scope of this list.2. Notification of changes
We commit to providing customers with at least 30 days advance notice before adding a new sub-processor that will process Customer Personal Data, or at least 14 days notice where exigent circumstances exist (for example, where adding the sub-processor is necessary to address a security or availability issue). Customers may object to a new sub-processor as set out in the DPA. To receive sub-processor change notifications by email, subscribe through the Neuroscale Trust Center (Vanta-hosted) using the “Subscribe to updates” option. Email privacy@neuroscale.ai if you cannot access the Trust Center and we will add you to the notification list directly.3. Current sub-processors
The “Transfer mechanism” column indicates how cross-border transfers are addressed where the sub-processor processes data outside the data subject’s country: DPF = the EU-U.S. Data Privacy Framework (and UK Extension / Swiss-U.S. DPF where applicable); SCCs = the EU Standard Contractual Clauses (and UK International Data Transfer Addendum where applicable); DPA = a written data processing agreement with the sub-processor; N/A = domestic processing where no cross-border transfer mechanism is required for the relevant data.DPF column note. “DPF” in the Transfer mechanism column refers to the named sub-processor’s certification under the EU-U.S. DPF (and where applicable the UK Extension and Swiss-U.S. DPF). Neuroscale’s own DPF certification is in progress as described in the Cross-Border Transfers Procedure; until Neuroscale’s certification is issued, transfers from the EEA / UK / Switzerland into Neuroscale’s US operations rely on the SCCs and the UK Addendum incorporated into Neuroscale’s DPA, with supplementary measures. Each row that lists “DPF + SCCs” therefore reflects (a) the sub-processor’s own DPF posture and (b) SCC-based backstop in the event the sub-processor’s DPF certification is suspended, lapses, or is invalidated.
| Subprocessor | Service | Subprocessing location(s) | Personal data categories | Transfer mechanism |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Primary cloud hosting (compute, storage, database, secrets, KMS); AWS Textract for optical character recognition of submitted documents | US East (us-east-1) and US West (us-west-2). No EU regions in current production deployment; Neuroscale will update this row before any EU-region rollout. | All Customer Personal Data submitted to the services | DPF + SCCs |
| Vultr (Constant Company, LLC) | Secondary cloud hosting — Vultr Cloud Compute, Vultr Bare Metal, Vultr Object Storage, Vultr Kubernetes Engine. Hosts a portion of production compute and database workloads alongside AWS. | US (Vultr US data centers — typically NJ / IL / TX / CA / WA). No EU regions in current production deployment; Neuroscale will update this row before any EU-region rollout. | Customer Personal Data routed to Vultr-hosted services | DPA + SCCs |
| Microsoft 365 | Corporate email (Outlook), document collaboration (SharePoint), eDiscovery (Purview) | US | Workforce data; inbound business communications that may contain personal data of customer contacts | DPF + SCCs |
| Rippling | IdP / SSO, MDM, EDR, HRIS | US | Workforce identity, device inventory, device telemetry | DPF + SCCs |
| Better Stack | Logs, error tracking, uptime monitoring, incident on-call paging | US | Operational and application logs; workforce contact details and alert metadata; no Customer Personal Data content | DPF + SCCs |
| Anthropic | Third-party AI model provider — Claude API used in customer-facing product features | US | Model inputs and outputs for the relevant feature; Customer Personal Data only when the customer-facing feature requires it | DPA + SCCs |
| OpenAI | Third-party AI model provider — ChatGPT / API used in customer-facing product features | US | Model inputs and outputs for the relevant feature; Customer Personal Data only when the customer-facing feature requires it | DPA + SCCs |
| xAI | Third-party AI model provider — Grok API used in customer-facing product features | US | Model inputs and outputs for the relevant feature; Customer Personal Data only when the customer-facing feature requires it | DPA + SCCs |
| Cerebras | Third-party AI inference provider (cerebras.ai) used in customer-facing product features | US | Model inputs and outputs for the relevant feature; Customer Personal Data only when the customer-facing feature requires it | DPA + SCCs |
| Portkey AI | LLM-gateway service routing model traffic to upstream AI providers | US | Customer prompts and model outputs transiting the gateway to upstream model providers | DPA + SCCs |
| WorkOS | Authentication, single sign-on, and organization and membership management for customer-facing product features | US | End-user authentication identifiers and organization metadata | DPA + SCCs |
| Resend | Transactional email delivery | US | Recipient email addresses and message content | DPA + SCCs |
| Nylas | Email-account sync and send-on-behalf-of for outreach features | US | Connected-mailbox content and metadata, including candidate email correspondence | DPA + SCCs |
| Unipile | LinkedIn-account connection and messaging for outreach features | US | Candidate LinkedIn profile and messaging data for connected accounts | DPA + SCCs |
| OVH US (OVH US LLC) | Object storage for candidate profile/avatar images | US | Candidate profile images | DPA + SCCs |
| Stripe | Subscription billing and payment processing | US | Customer billing-contact identifiers and payment metadata (no card data stored by Neuroscale) | DPF + SCCs |
| Temporal Cloud | Background workflow orchestration | US | Workflow payloads, which may include Customer Personal Data | DPA + SCCs |
| Vercel | Frontend hosting and edge runtime for the Neuroscale services | US | Request metadata and Customer Personal Data transiting the frontend | DPA + SCCs |
| People Data Labs | Person-profile enrichment | US | Identifiers and profile attributes submitted to and returned from the enrichment service | DPA + SCCs |
| RocketReach | Contact-discovery lookups | US | Identifiers submitted for lookup and returned contact attributes | DPA + SCCs |
| Kickbox | Email-address deliverability validation | US | Email addresses submitted for validation | DPA + SCCs |
| NumVerify (APILayer) | Phone-number validation and carrier lookup | US | Phone numbers submitted for validation | DPA + SCCs |
| Vanta | Compliance management and training (LMS) | US | Workforce metadata | DPF + SCCs |
| Linear | Ticketing | US | Workforce-generated content | DPF + SCCs |
| GitHub | Source control and CI/CD | US | Neuroscale-employee data; source code | DPF + SCCs |
| Dashlane | Password manager | US | Workforce credentials | DPF + SCCs |
| Cloudflare | Cloudflare One — VPN (WARP), Zero Trust access (Access), and DNS/HTTP filtering (Gateway); standard network layer for all staff | US | Workforce network metadata, identity, device-posture signals, DNS/HTTP metadata | DPA + SCCs |
| Tailscale | Restricted-use VPN for production-infrastructure access by Engineering On-call and authorized engineers | US | Network metadata for the production-access cohort only | DPA + SCCs |
| Snyk | Software-composition / dependency vulnerability scanning (CI) | US | Dependency manifests and scan results; no Customer Personal Data | DPF + SCCs |
| Checkr | Background checks (workforce only) | US | Workforce data (with consent) | DPA + SCCs |
Some of the entries above relate to workforce-only data and do not involve Customer Personal Data; we list them for transparency about the broader supply chain that supports the services.
3.1 Website / marketing analytics and advertising recipients
The recipients below are website and marketing-tier recipients, not product sub-processors: they receive limited Visitor data (e.g., cookie identifiers, device/usage signals) collected on Neuroscale’s public marketing websites, and they do not process Customer Personal Data submitted to the Arbi services. Non-essential tags load only after the corresponding cookie consent is granted. The cookies and similar technologies these recipients set are described in the Cookie Notice.| Recipient | Service | Location | Data categories | Transfer mechanism |
|---|---|---|---|---|
| Mixpanel, Inc. | Product and marketing analytics, funnel and retention measurement (marketing website) | US | Cookie identifiers; website usage and event data | DPF + SCCs |
| LinkedIn Corporation | LinkedIn Insight Tag — marketing campaign measurement and audience insights | US | Cookie identifiers; ad-engagement and conversion signals | DPF + SCCs |
| Meta Platforms, Inc. | Meta Pixel — marketing campaign measurement and audience insights | US | Cookie identifiers; ad-engagement and conversion signals | SCCs |
| Google LLC | Google Ads — conversion measurement and audience insights | US | Cookie identifiers; ad-engagement and conversion signals | DPF + SCCs |
| OpenAI, LLC | OpenAI pixel — advertising / conversion measurement and audience insights | US | Cookie identifiers; ad-engagement and conversion signals | DPF + SCCs |
| Cookiebot (Cybot A/S) | Cookie-consent management platform on Neuroscale’s public websites | EU (Denmark) | Cookie-consent state; IP address (truncated); user-agent | SCCs |
4. Affiliates
Neuroscale’s affiliates (entities under common control with NEUROSCALE LLC) may also process Customer Personal Data on Neuroscale’s behalf, subject to the same contractual protections that apply to sub-processors.5. Subscribing to changes
To be notified when a sub-processor is added, removed, or replaced, subscribe through the Neuroscale Trust Center (Vanta-hosted) using the “Subscribe to updates” option, or email privacy@neuroscale.ai to be added directly. Subscribers receive notice consistent with our DPA commitments.6. Contact
- Privacy: privacy@neuroscale.ai
- Legal / DPA: legal@neuroscale.ai
- Postal: NEUROSCALE LLC, 46175 Westlake Dr Ste 300, Sterling, VA 20165