Beolta — Subprocessor List
Operated by: Editale OÜ (registry code 17430609), Narva mnt 7-557, 10117 Tallinn, Estonia Last updated: 2026-06-07 Version: 1.5.0
Changes to this list are announced via email and in-app notification at least 30 days before a new subprocessor is added or materially changed. You may object to a new subprocessor on reasonable data-protection grounds within 14 calendar days of that notice, as set out in Article 8 of the Data Processing Agreement (see also Section 8.6 of the Terms of Service).
Current Subprocessors
| Subprocessor | Role | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Supabase, Inc. | Database hosting, authentication, file storage | All Personal Data stored in the Services (account data, usage logs, ToS acceptance records, contractor profiles, buyer-side contact data) | EU (Frankfurt, AWS eu-central-1) | Intra-EEA — no transfer outside EEA |
| Railway Corp. | Web application hosting (app.beolta.com, SSR) | HTTP request metadata, session data, application logs | US / EU | SCCs (EC Decision 2021/914) Module 3 |
| Amazon Web Services, Inc. (AWS Amplify) | Static-site hosting (beolta.com landing) | Web server access logs | EU (eu-west-1) default; CDN edges global | SCCs Module 3 for any non-EEA edge cache; otherwise intra-EEA |
| Stripe, Inc. | Payment processing and billing | Billing name and address; tokenised payment-method details; invoice records | US / EU | SCCs; PCI DSS Level 1 certified; EU–US Data Privacy Framework where applicable |
| Anthropic, PBC | AI model inference (research briefs, outreach drafts) | Prospect and company context included in prompts (no registered-user PII transmitted) | US | SCCs; EU–US Data Privacy Framework where applicable; API terms preclude training on customer data; prompts not retained beyond standard short-term operational logs |
| OpenAI, LLC | AI model inference (fallback / supplementary) | Prospect and company context included in prompts (no registered-user PII transmitted) | US | SCCs; EU–US Data Privacy Framework where applicable; API terms preclude training on customer data; prompts not retained beyond standard short-term operational logs |
| Functional Software, Inc. (Sentry) | Error monitoring and performance tracking | Stack traces; limited session context (user ID, email on error) | US | SCCs; EU–US Data Privacy Framework where applicable; data-minimisation configured |
| Trigger.dev Ltd | Background job processing (signal pipeline, retention, email digest) | Job payloads (may contain user IDs and prospect data while in flight) | EU / US | SCCs; EU–US Data Privacy Framework where applicable |
| Resend, Inc. | Transactional email delivery | Recipient email address; email content | US | SCCs; EU–US Data Privacy Framework where applicable |
| Unipile SAS | LinkedIn outreach API (connection requests, InMail, direct messages to buyer-side decision-makers) | Buyer-side decision-maker LinkedIn profile identifiers (LinkedIn URN / profile URL, display name) and the content of outreach messages sent to them; sender LinkedIn account identifiers | EU (France) | Intra-EEA — no transfer outside EEA |
| Enrich Labs FZ L.L.C. (InboxKit) | Cold-outreach mailbox provisioning and email-warmup infrastructure | Sender mailbox identity data (mailbox display names, usernames, mailbox email addresses on sender-controlled domains) and warmup peer-traffic recipient addresses; SMTP/IMAP credentials for provisioned mailboxes | UAE (Dubai); data processed in US / EU / UAE per InboxKit Privacy Policy; provisioned mailboxes on US-region Google Workspace / Microsoft 365 | Standard Contractual Clauses (EC Decision 2021/914) per InboxKit's published Privacy Policy; engaged via acceptance of InboxKit's online terms (click-wrap), no separately negotiated DPA |
| Apollo.io, Inc. | B2B contact and company data enrichment (buyer-side contact sourcing) | Business contact data of buyer-side decision-makers (name, business email, business phone, business title, employer, public LinkedIn URL) | US | SCCs; Apollo operates under its own GDPR / CCPA compliance regime |
| People Data Labs, Inc. | B2B contact and company data enrichment (corroborating coverage) | Business contact data of buyer-side decision-makers (same categories as Apollo; overlapping coverage for cross-verification) | US | SCCs; PDL operates under its own GDPR / CCPA compliance regime |
| Hunter Web Services, Inc. | Business-email enrichment (email-finder, domain-search, email-verifier); fallback to Apollo in the decision-maker email cascade | Sent: buyer-side decision-maker first name + last name + employer company domain. Received and stored: business email address, deliverability / confidence score, and domain-level email patterns | US / EU | SCCs |
| TheirStack, S.L. | Public job-posting and technology-signal aggregation | Public job postings; company-level data; hiring-manager names only where publicly listed | EU (Spain) | Intra-EEA — no transfer outside EEA |
| BuiltWith Pty Ltd | Public technology-stack scanner | Per-domain technology signals; no personal data | US / AU | SCCs |
| Apify Technologies s.r.o. | Operator of scrapers against public marketplaces (Clutch, DesignRush, TechBehemoths) | Public agency / contractor directory listings; public decision-maker profile snippets | US / EU | SCCs |
The list above is reproduced in identical form in Privacy Policy §6.1 and in Annex II of the Data Processing Agreement.
Beolta additionally acquires personal data from the public data sources described in Privacy Policy §5.2 — public registries, public agency directories, and similar conspicuously published business sources. Public data sources do not act as subprocessors in the Article 28 GDPR sense.
Removed Subprocessors
| Subprocessor | Role at removal | Removed on | Reason |
|---|---|---|---|
| Proxycurl Pte. Ltd. | LinkedIn data enrichment | 2026-05-13 | Discontinued — no longer used by any active ingestion path. Replaced by Apollo / PDL coverage. |
| PredictLeads (4see, Inc.) | Public signal aggregation (funding, hiring, executive changes) | 2026-05-19 | Service retired — coverage replaced by Apollo, TheirStack, Apify, and SEC EDGAR signals. |
| Clearbit (operated by HubSpot, Inc.) | B2B firmographic and contact enrichment | 2026-06-07 | Over-disclosed — no connector has ever been active in production. Removed from live disclosure tables to correct the over-disclosure. |
Questions
Contact privacy@beolta.com with any questions about this subprocessor list.