Sub-processor List

Effective Date: October 25, 2025 | Questions? Contact legal@surmado.com

This page lists the third-party sub-processors currently authorized by Surmado, Inc. ("Surmado", "we") to process customer data (including Personal Data and Customer Inputs) in connection with the delivery of our Services (Scan, Signal, Solutions). This list is provided pursuant to our Data Processing Addendum (DPA) and may be updated from time to time as described in the DPA.

Sub-processors are third-party companies engaged by Surmado that may have access to or process customer data under our instruction and on our behalf. We conduct diligence on our sub-processors and require them to adhere to data protection terms consistent with our DPA and applicable laws.

AI providers listed here may act as independent controllers for their downstream purposes. Surmado does not transmit account contact details (e.g., name, login email, full billing details) to AI providers for analysis; only user-inputted business-content fields are routed. Where enterprise "no-training" controls are available, we enable them. Surmado operates on a uniform routing posture and does not offer per-customer provider exclusions or custom routing.

---

Infrastructure & Core Services

These providers host our application, databases, and core operational functions.

Google Cloud Services

• Purpose: Cloud hosting provider for application infrastructure (serverless functions, cloud storage for reports and intermediate data via Google Cloud Storage).
• Location: Primarily US regions.

Netlify

• Purpose: Hosting provider for our static website frontend and continuous deployment.
• Location: Global CDN.

Cloudflare

• Purpose: Content Delivery Network (CDN), security (WAF, DDoS protection), DNS services.
• Location: Global CDN.

---

AI & Data Analysis Providers

These providers supply the core AI models and data APIs used to generate analyses within Scan, Signal, and Solutions. Customer Inputs are sent to these providers via API.

OpenAI, L.L.C.

• Purpose: Provides GPT-family AI models used for various analysis, summarization, and content generation tasks across Services.
• Location: Primarily US.

Anthropic, PBC

• Purpose: Provides Claude-family AI models used for strategic analysis, report writing, and content generation across Services.
• Location: Primarily US.

Google LLC

• Purpose: Provides Gemini-family AI models for analysis and summarization. Also provides the PageSpeed Insights API used within the Scan service.
• Location: Primarily US / Global.

xAI Corp.

• Purpose: Provides Grok models used for specific analytical perspectives within the Solutions service.
• Location: Primarily US.

Perplexity AI, Inc.

• Purpose: Provides AI models with web search capabilities used for competitive analysis within the Signal service.
• Location: Primarily US.

Together AI

• Purpose: Provides access to various open-source models including Meta's Llama and DeepSeek.
• Location: Primarily US.

Note: DeepSeek models are served via Together AI, a U.S.-based hosting platform. All processing occurs on U.S. infrastructure; no data is transmitted to the People's Republic of China. See ToS §13C for details.

---

Payments & Billing

These providers process payments and manage financial transactions.

Stripe, Inc.

• Purpose: Payment processing for all Services. Handles credit card data securely (Surmado does not store full card numbers).
• Location: Primarily US / Global.

---

Communications

These providers handle email delivery.

ActiveCampaign, LLC (Postmark)

• Purpose: Transactional email service provider used to deliver reports and service-related communications.
• Location: Primarily US.

---

Authentication & Analytics

These providers manage user authentication and website analytics.

Okta, Inc. (Clerk)

• Purpose: User authentication and management service.
• Location: Primarily US.

Plausible Analytics OÜ

• Purpose: Privacy-focused website analytics.
• Location: EU.

---

Business Operations

While generally not processing core customer service data, these support our operations.

Google LLC (Google Workspace)

• Purpose: Internal email, document storage, and collaboration tools.
• Location: Global.

GitHub, Inc.

• Purpose: Code hosting, version control, and development collaboration.
• Location: Primarily US.

1Password (AgileBits Inc.)

• Purpose: Secure password and secrets management.
• Location: US/Canada.

Stable (Stable Virtual Mailbox)

• Purpose: Virtual mailing address and mail handling.
• Location: US.

---

Updates & Questions

Updates: We will provide notice of changes to this list consistent with the DPA's subprocessor notice process (typically via updates to this page and/or email notification at least 30 days prior to the change).

Questions: If you have questions about our sub-processors, please contact us at legal@surmado.com.

---

Related Legal Documents

• Terms of Service: Complete terms governing use of our Services. See section 13C for AI provider details
• Privacy Policy: How we handle your data
• Data Processing Addendum: GDPR, CPRA compliance. See section 5 for sub-processor terms