Subprocessors

Who else handles your data

Every third-party processor we engage. Ordered by data-sensitivity tier. We will email all paid subscribers at least 30 days before adding a new subprocessor that processes subscriber PII.

Subprocessor	Role	Region	PII?	DPA
Stripe Payment processor + subscription billing Tokenises card data client-side; we never see PAN. PCI-DSS L1 · SOC 2 Type II · ISO 27001	Payment processor + subscription billing	EU + US	PII	DPA →
Vercel Hosting, CDN, edge compute, log retention 30-day log retention; no PII in app logs. SOC 2 Type II · ISO 27001	Hosting, CDN, edge compute, log retention	EU (fra1 primary), US (iad1 failover)	PII	DPA →
Resend Transactional email + audience management All weekly digest, drip and book-funnel email flows. SOC 2 Type II	Transactional email + audience management	US (Tigris primary)	PII	DPA →
PocketBase / Hetzner Subscriber records, share-tokens, scout sessions Single VPS with full-disk encryption + TLS-only. ISO 27001 (Hetzner)	Subscriber records, share-tokens, scout sessions	EU (Hetzner Helsinki)	PII	DPA →
Coinbase Developer Platform x402 facilitator + CDP Server Wallet Used only by /api/agent/deep-signal/x402; agents pay, no human PII. SOC 1 Type II · SOC 2 Type II	x402 facilitator + CDP Server Wallet	US	no PII	DPA →
PostHog (EU Cloud) Pseudonymous product analytics persistence: 'memory'; person_profiles: 'identified_only'. SOC 2 Type II	Pseudonymous product analytics	EU (Frankfurt)	no PII	DPA →
GitHub Source data — public commit/repo events Public events API only; no private repo or OAuth-scoped data. SOC 1 Type II · SOC 2 Type II · ISO 27001	Source data — public commit/repo events	US	no PII	DPA →
Cloudflare Apex DNS + DDoS shield (gitdealflow.com) signals.gitdealflow.com is Vercel-direct, not Cloudflare-fronted. SOC 2 Type II · ISO 27001 · PCI-DSS	Apex DNS + DDoS shield (gitdealflow.com)	Global anycast	PII	DPA →
Anthropic LLM inference for /api/answer + /api/ask summarisation Zero retention via API workspace; queries never used for training. SOC 2 Type II · ISO 27001	LLM inference for /api/answer + /api/ask summarisation	US	no PII	DPA →

Subprocessor

Region

PII?

DPA

Stripe

Payment processor + subscription billing

Tokenises card data client-side; we never see PAN.

PCI-DSS L1 · SOC 2 Type II · ISO 27001

EU + US

PII

DPA →

Vercel

Hosting, CDN, edge compute, log retention

30-day log retention; no PII in app logs.

SOC 2 Type II · ISO 27001

EU (fra1 primary), US (iad1 failover)

PII

DPA →

Resend

Transactional email + audience management

All weekly digest, drip and book-funnel email flows.

SOC 2 Type II

US (Tigris primary)

PII

DPA →

PocketBase / Hetzner

Subscriber records, share-tokens, scout sessions

Single VPS with full-disk encryption + TLS-only.

ISO 27001 (Hetzner)

EU (Hetzner Helsinki)

PII

DPA →

Coinbase Developer Platform

x402 facilitator + CDP Server Wallet

Used only by /api/agent/deep-signal/x402; agents pay, no human PII.

SOC 1 Type II · SOC 2 Type II

no PII

DPA →

PostHog (EU Cloud)

Pseudonymous product analytics

persistence: 'memory'; person_profiles: 'identified_only'.

SOC 2 Type II

EU (Frankfurt)

no PII

DPA →

GitHub

Source data — public commit/repo events

Public events API only; no private repo or OAuth-scoped data.

SOC 1 Type II · SOC 2 Type II · ISO 27001

no PII

DPA →

Cloudflare

Apex DNS + DDoS shield (gitdealflow.com)

signals.gitdealflow.com is Vercel-direct, not Cloudflare-fronted.

SOC 2 Type II · ISO 27001 · PCI-DSS

Global anycast

PII

DPA →

Anthropic

LLM inference for /api/answer + /api/ask summarisation

Zero retention via API workspace; queries never used for training.

SOC 2 Type II · ISO 27001

no PII

DPA →