Sub-processors

Every third party that touches your data — listed by name.

When Emaration runs an audit or an ongoing engagement, a small set of well-known vendors help us do the work. This page lists each one, what they do for us, what client data they could see, and where they sit. It is the canonical list referenced by our Terms and our Data Processing Addendum.

Last updated: May 25, 2026 · Effective for: all clients under MSA / DPA v1 · Change notice: 15 days in advance, by email.

What "sub-processor" means. Under our DPA, you (the client) decide what data is collected and why. We process it on your instructions. A sub-processor is any third party we use to help us do that — a cloud platform, an AI vendor, an analytics tool. Every vendor below is bound to data-protection terms no less protective than our DPA.

1. Core infrastructure

4 vendors

These are the underlying platforms our work runs on — cloud compute, payment, DNS, business email.

Cloud platform

Google LLC — Google Cloud Platform

BigQuery, Cloud Run, Cloud Storage, Secret Manager, IAM. Our data warehouse and serverless compute.

Data touched: Aggregated and pseudonymous analytics; audit artifacts; client-attributable datasets.
Location: United States (us-west / us-central regions)
Policies: DPA · Privacy

Payments

Stripe, Inc.

Audit payments and retainer billing.

Data touched: Billing contact name, email, billing address, card token. Card numbers never reach our systems.
Location: United States
Policies: DPA · Privacy

DNS & edge

Cloudflare, Inc.

Domain registrar, DNS, Pages hosting, edge security for emaration.ai.

Data touched: Domain metadata; standard request logs from visitors to our site (no client data warehoused here).
Location: United States (global edge)
Policies: DPA · Privacy

Business email

Google LLC — Google Workspace

human@emaration.ai and andrew@emaration.ai. Email correspondence with clients.

Data touched: Whatever clients send us by email; client contact info; working files in Drive.
Location: United States
Policies: DPA · Privacy

2. AI / ML

2 vendors

The model vendors our orchestration routes work to. See the methodology for how we choose, evaluate, and fall back.

Foundation model

Anthropic PBC — Claude API

Reasoning, audit narrative writing, content drafts, full-context interpretation.

Data touched: Excerpts of your analytics, content, and text we pass in to perform the task. Anthropic does not train on API data by default.
Location: United States
Policies: DPA · Privacy

Foundation model

OpenAI, L.L.C.

Secondary model and specific workflows where we route to it per the orchestration spec.

Data touched: Task-specific excerpts. API data is not used for model training by default.
Location: United States
Policies: DPA · Privacy

3. Analytics & measurement

4 vendors

Tools that read your existing analytics, tag-management, or search data on your property.

Web analytics

Google LLC — GA4, GTM, server-side GTM

Web analytics and tag management running on your property.

Data touched: IP address (typically truncated by GA4), device identifiers, cookie IDs, conversion events.
Location: United States (or region you configure)
Policies: Data terms · Privacy

SEO data

Ahrefs Pte. Ltd.

Keyword research, competitor analysis, content-gap mapping, rank tracking.

Data touched: Public web data plus references to your domain. No client-private data is shared with Ahrefs.
Location: Singapore (HQ); global infrastructure
Policies: Privacy

Site crawl

Screaming Frog Ltd.

Local site-crawl analysis for audits and migration QA. Runs on Andrew's workstation.

Data touched: Your public-site HTML. Data stays on the workstation; nothing is uploaded to Screaming Frog as a service.
Location: United Kingdom (vendor); United States (workstation)
Policies: Privacy

Call tracking — optional

CallRail, Inc.

Used only when you opt in to call tracking on your account.

Data touched: Inbound caller phone numbers and (if you enable it) call recordings.
Location: United States
Policies: DPA · Privacy

4. Productivity & collaboration

3 vendors

Where drafts, briefs, and project notes live while we work on them. Client data is kept to what the project requires.

Project workspace

Notion Labs, Inc.

Brief storage, internal docs, per-engagement client workspaces.

Data touched: Project notes, deliverable drafts, content briefs that may reference your business.
Location: United States
Policies: DPA · Privacy

Workflow automation

Make.com (Celonis SE)

Limited workflow automation between tools.

Data touched: Routing metadata between systems we run. Not used for primary content-of-work transit.
Location: European Union
Policies: DPA · Privacy

Portal hosting

Hetzner Online GmbH

Self-hosted client portal and CRM (Postgres, NocoDB, n8n, Pocketbase).

Data touched: Intake form responses, project records, internal lead data once a client is onboarded.
Location: Germany / Finland (your region selection at intake)
Policies: Privacy & DPA

5. Per-client variable

added on opt-in only

These vendors are only engaged when a specific deliverable in your scope of work requires them — for example, a local-citation push or stock imagery for a content sprint. We disclose them in your monthly report and on your individual sub-processor schedule before any data is sent.

Local citations

BrightLocal / Yext (à la carte)

When local SEO citations are in scope. Data: business name, address, phone, hours. Location: United States / United Kingdom.

Stock imagery

Unsplash+ / Adobe Stock

For licensed visuals in content sprints. No client data passes to these vendors.

Vertical-specific

Per-engagement specialist tools

Occasionally needed for a specific vertical's data (e.g., veterinary scheduling integrations). Always disclosed before activation, always opt-in.

6. Notification of changes & right to object

We commit to giving you advance notice before any vendor on this list changes in a way that affects how your data is processed.

30-day change notice for the public list. The list above is the canonical record. When we add or replace a sub-processor that will process client data, the list updates here at least 30 days before the change takes effect for new engagements.
15-day individual notice for existing clients. Active clients also receive direct email notice at least 15 days before the change applies to their account, per Section 6.4 of the DPA.
Right to object. Within 10 days of receiving notice, you may object on reasonable data-protection grounds. If we cannot resolve the objection together, you may terminate the affected SOW without penalty.
Get notified. Email human@emaration.ai with "Sub-processor change notifications" in the subject and we will add you to the change list. No marketing — this list is used for change notice only.

Questions about a specific vendor? Email human@emaration.ai. A founder will respond within one business day. If you need a security questionnaire response or a written confirmation of a sub-processor's status under your DPA, ask and we will send one.

Back to home Privacy Policy Terms of Service