Sub-processors
Overview
Aurora Coach uses third-party service providers ("Sub-processors") to assist in providing the Service and in operating our business. These Sub-processors process Personal Data on our behalf and are bound by contractual obligations to maintain the confidentiality and security of that data.
This page lists all of our current Sub-processors, covering both those that process customer data under our Data Processing Agreement (Section 6) and those that process prospect or marketing data referenced in Section 13 of our Privacy Policy.
Current Sub-processors
| Sub-processor | Purpose | Location | Data Processing | Terms |
|---|---|---|---|---|
| Anthropic, PBC | AI Processing | United States | Processes coaching interactions to generate AI recommendations. Data is processed in real-time and not retained for model training. Anthropic is contractually prohibited from using Personal Data to train or improve their AI models. | Terms |
| Cantab Research Ltd (Speechmatics) | Speech-to-Text Transcription | United Kingdom | Processes audio from voice-based coaching interactions to generate transcripts that are then passed to our AI coaching pipeline. Under Speechmatics' standard Terms of Service, audio files are deleted within 7 days following termination of the subscription; transcripts are licensed to Speechmatics on a perpetual basis for the purpose of machine learning and improving their speech recognition software. Speechmatics acts as a Processor and is bound by the data protection obligations set out in their Terms of Service. | Terms |
| Salesforce, Inc. (Heroku) | Cloud Infrastructure | European Union | Hosts our application and databases. All Personal Data is stored and processed within EU data centers. Provides computing, storage, and database services. | Terms |
| Stripe, Inc. | Payment Processing | United States / European Union | Processes subscription payments and billing. Handles payment card data in compliance with PCI-DSS. EU customer payment data is processed within the EU where possible. | Terms |
| Cloudflare, Inc. | CDN, DDoS Protection, WAF | United States / Global | Provides content delivery, DDoS mitigation, and web application firewall services. Proxies and inspects web traffic for security threats. Traffic is processed at the nearest data center to the user; EU users' traffic is processed within EU data centers. | Terms |
| Apollo.io, Inc. | B2B Outreach Platform | United States | Stores prospect contact data, runs outbound email sequences, and tracks engagement (opens, replies, unsubscribes). Apollo is also an independent controller with respect to its source B2B contact database; our use of that database is separately governed by Apollo's own privacy policy. | Terms |
| HubSpot, Inc. | CRM and Marketing Operations | United States | Tracks prospect and customer lifecycle state, stores marketing communications, and records compliance flags including unsubscribe and objection status. HubSpot, Inc. is self-certified under the EU-US Data Privacy Framework. | Terms |
| Google Ireland Limited (Google Workspace) | Corporate Email Infrastructure | European Union / United States | Provides corporate email for addresses such as [email protected], including handling of reply correspondence from prospects and customers. Transfers to Google LLC (US) rely on the EU-US Data Privacy Framework and the Google Workspace Data Processing Amendment. | Terms |
| PostHog Inc. | Product Analytics and Event Tracking | European Union | Captures website usage analytics (pageviews and interactions on the marketing site, gated by Analytics & Performance cookie consent) and server-side funnel telemetry (signup, demo, and ROI-calculator outcomes, processed under Legitimate Interest as operational and security telemetry). Data is processed on PostHog's EU instance (eu.posthog.com) via a first-party proxy domain. Identifiers are anonymous client-side IDs or SHA-256 hashes of email addresses; raw email is not used as an identifier. Transfers to PostHog Inc. (US) where applicable rely on Standard Contractual Clauses. | Terms |
Data Protection Measures
We rely on each Sub-processor's published terms and Data Processing Addendum (DPA), accepted as a condition of using their services. The specific obligations and safeguards each Sub-processor commits to are set out in their respective Terms linked above. In summary:
- Each Sub-processor's published terms include data protection commitments governing how they handle Personal Data we send them. Where those terms differ from the commitments in our own Data Processing Agreement, the relevant specifics are noted in the table above.
- International data transfers rely on the safeguards each Sub-processor publishes — Standard Contractual Clauses, the EU-US Data Privacy Framework where applicable, or equivalent mechanisms — as set out in their respective DPAs.
- Due diligence on security and privacy practices when selecting Sub-processors.
Changes to Sub-processors
In accordance with our Terms of Service, we will notify customers at least 30 days in advance before adding or replacing Sub-processors. Notifications will be sent to the email address associated with your account.
If you have concerns about a new Sub-processor, you may object by contacting us within the notification period. We will work with you to address your concerns or, if we cannot resolve them, you may terminate your subscription in accordance with our Terms of Service.
Update History
- May 26, 2026: Added PostHog Inc. — product analytics and server-side funnel telemetry (EU instance via first-party proxy).
- April 22, 2026: Added Cantab Research Ltd (Speechmatics) — speech-to-text transcription for voice-based coaching interactions.
- April 21, 2026: Added Apollo.io, HubSpot, and Google Workspace; broadened scope to cover marketing and prospect operations.
- February 3, 2026: Added Cloudflare, Inc. (CDN, DDoS Protection, WAF)
- January 12, 2026: Updated Data Protection Measures to align with DPA
- January 9, 2026: Initial publication of Sub-processor list
Contact
For questions about our Sub-processors or data processing practices, please contact:
- Email: [email protected]
- Legal inquiries: [email protected]