Sub-processors
Article 28(2) GDPR · CCPA Service Provider posture · 18 vendors
The following third parties (the “Sub-processors”) Process Personal Data on Ataski’s behalf in the course of providing the Service. Each Sub-processor is bound by a written agreement with obligations no less protective than those in Ataski’s Data Processing Agreement. Ataski provides 30 days’ prior notice via in-app banner and email to the workspace admin before adding or removing any Sub-processor; Customer may object on reasonable grounds during that window.
Last updated: 2026-06-05 · List fingerprint:
8f39b75edc931a76…
| Sub-processor | Purpose | Country | Data categories | DPA |
|---|---|---|---|---|
| Hetzner Online GmbH | Application server hosting (CCX23 Ashburn) | Germany (data center USA) |
|
Vendor DPA ↗ |
| Neon, Inc. | Postgres database hosting | USA |
|
Vendor DPA ↗ |
| Cloudflare, Inc. | DNS, CDN, WAF, R2 object storage (PDFs, HTML snapshots) | USA |
|
Vendor DPA ↗ |
| WorkOS, Inc. | Authentication (SSO / SAML / passwordless) | USA |
|
Vendor DPA ↗ |
| Wildbit, LLC (Postmark) | Transactional email delivery + inbound webhook | USA |
|
Vendor DPA ↗ |
| Anthropic, PBC | Worker LLM inference (Claude API) | USA |
|
Vendor DPA ↗ |
| OpenAI, OpCo, LLC | Cross-family supervisor LLM + embeddings | USA |
|
Vendor DPA ↗ |
| Google LLC (Vertex AI / Gemini) | Tier-3 tiebreaker LLM when worker and supervisor disagree | USA |
|
Vendor DPA ↗ |
| Recall.ai (Reduct Video, Inc.) | Meeting bot identity + transcription (Meeting Coordinator, Board Pack co-pilot) | USA |
|
Vendor DPA ↗ |
| Bright Data Ltd | MCP-orchestrator primary: SERP search, Web Unlocker, firmographic datasets | Israel (global data centers) |
|
Vendor DPA ↗ |
| Perplexity AI, Inc. | Sonar API — search and synthesis for personalization context | USA |
|
Vendor DPA ↗ |
| ZeroBounce, Inc. | Email deliverability verification (PAYG, no vendor-side PII retention) | USA |
|
Vendor DPA ↗ |
| Apify Technologies s.r.o. | Pre-built actors for non-LinkedIn scraping and signal aggregation | Czech Republic (EU) |
|
Vendor DPA ↗ |
| Stripe, Inc. | Billing / payment processing (Checkout, customer portal, Stripe Tax) | USA |
|
Vendor DPA ↗ |
| Langfuse GmbH | LLM trace storage (async-pushed prompts + completions) | Germany (EU) |
|
Vendor DPA ↗ |
| Bugsink B.V. | Error tracking (Sentry-compatible, PII off by default) | Netherlands (EU) |
|
Vendor DPA ↗ |
| PostHog, Inc. | Product analytics (page-view and event telemetry) | USA |
|
Vendor DPA ↗ |
| Better Stack sp. z o.o. (Logtail) | Uptime monitoring and heartbeats | Poland (EU) |
|
Vendor DPA ↗ |
What does “sub-processor” mean?
A sub-processor is any third party Ataski engages to Process Personal Data on Customer's behalf (GDPR Article 28(4)). Customers are not asked to negotiate with each sub-processor individually; instead, Ataski warrants in the master DPA that each sub-processor is bound by back-to-back data protection obligations and that Ataski remains liable to Customer for sub-processor performance.
What gets notified when this list changes?
Adding, removing, or materially changing a sub-processor triggers a 30-day notice to every workspace admin email on file, plus an in-app banner on the affected role's dashboard. Customer may object within that window. The above fingerprint changes with the list, so external monitoring can detect change without polling per-vendor.
Why isn't my favourite vendor here?
Ataski operates as a CCPA Service Provider (Cal. Civ. Code §1798.140(ag)) and is not a data broker. We do not engage data-broker sub-processors (Hunter, Apollo, ZoomInfo, Crunchbase, Coresignal). Contact discovery uses public-source compose patterns and customer-supplied lists per our security posture.