Subprocessors & Service Providers
CompanyEnrich uses third-party providers to operate the Services. The current register separates providers that may Process Customer Personal Data under the DPA from providers used for account administration, billing, website analytics, and advertising.
How to read this register
Only a provider identified below as a DPA Subprocessor is included in the general authorization granted under Section 8 of the CompanyEnrich DPA. A provider identified as Outside the DPA processes Account Data, billing data, or website visitor data for a separate purpose and is listed for transparency.
DPA Subprocessors
| Provider and legal entity | Role and scope | Service | Data involved | Processing location | Transfer safeguard |
|---|---|---|---|---|---|
| Hetzner Online GmbH | DPA Subprocessor. Core infrastructure hosting Customer Content and Customer Personal Data. | Cloud servers, compute, databases, storage, backups, and related infrastructure. | Customer Content, Customer Personal Data, service logs, and technical metadata stored or generated in the hosted environment. | Production servers, database, backups, and replicas: Finland. Production compute is hosted in Helsinki. | Hetzner DPA. No restricted transfer for EU-only hosting; an applicable transfer mechanism is required if a third-country location is selected. |
| Cloudflare, Inc. | DPA Subprocessor. CompanyEnrich routes all API traffic, the website, and the MCP service through Cloudflare. | DNS, content delivery, web application firewall, DDoS protection, Turnstile, edge security, and Cloudflare Workers. | API request and response content in transit, IP addresses, network and device metadata, security events, and logs. | Cloudflare's global network and the locations of its approved group entities and subprocessors. | Cloudflare DPA; Standard Contractual Clauses, Data Privacy Framework, adequacy decision, or another lawful mechanism as applicable. |
| Gleap GmbH | DPA Subprocessor when a Customer or user communicates with CompanyEnrich through the support interface. | Customer support, live chat, and user identification. | Name, email address, user identifier, and information voluntarily included in a support message. Screenshot capture, session recording, device diagnostics, and console or network logging are not enabled. | Primary infrastructure in Frankfurt, Germany. Enabled features and approved subprocessors may involve other EU and United States locations. | Gleap DPA; Standard Contractual Clauses or another lawful mechanism for any applicable third-country processing. |
| Google Cloud EMEA Limited Google Workspace | Conditional DPA Subprocessor only where Customer Personal Data is included in support or service-related email. Otherwise used for CompanyEnrich Account Data and business communications outside the DPA. | Business email, file attachments, and related Workspace communication services. | Sender and recipient details, email content, attachments, support communications, and Customer Personal Data voluntarily included by the sender. | Google Workspace data-region setting: No preference. No United States or European regional-storage commitment is made. Google may process data globally where permitted under its applicable terms. | Google Cloud Data Processing Addendum; Standard Contractual Clauses and any confirmed data-region controls as applicable. |
Other material providers
These providers are not authorized as DPA Subprocessors solely by appearing in this section. They process different categories of data under the roles described below.
| Provider and legal entity | Purpose | Role and data | Primary location |
|---|---|---|---|
| Clerk, Inc. | Authentication, user accounts, session management, and access control. | Outside the DPA for ordinary use. Processes Account Data such as names, email addresses, authentication identifiers, credentials, and login metadata. Clerk's DPA identifies Clerk as an independent controller for Account Information and as a processor for other customer personal data. | United States and locations used by Clerk's approved subprocessors. |
| Paddle.com Market Limited | Merchant of Record, checkout, subscription billing, tax, fraud prevention, refunds, and payment administration. | Outside the DPA. Paddle and CompanyEnrich act as independent Controllers for relevant buyer and transaction data under Paddle's merchant-of-record model. | United Kingdom and locations used by Paddle group entities and providers. |
| Google Ireland Limited Google Analytics and Google Ads | Website analytics, advertising, conversion measurement, attribution, and audience functionality. | Outside the DPA. Processes website visitor, device, cookie, advertising, and conversion data subject to the Cookie Policy and consent choices. | European Union, United States, and other Google processing locations. |
| LinkedIn Ireland Unlimited Company | LinkedIn Insight Tag, advertising, conversion measurement, and campaign audiences. | Outside the DPA. Processes website visitor, cookie, device, campaign, and conversion data subject to the Cookie Policy and consent choices. | Ireland, United States, and other LinkedIn processing locations. |
| Microsoft Corporation Microsoft Clarity | Website interaction analytics, session recordings, heatmaps, and usability insights. | Outside the DPA. Processes website interaction and technical data as a Controller, subject to the Cookie Policy, consent choices, and Microsoft terms. | Microsoft Azure and other Microsoft processing locations. |
| Kovan Studio, Inc. UserMotion | Website and product-usage analytics, engagement measurement, and onboarding and activation insights. | Outside the DPA. Processes consented website and product-interaction events, cookie or anonymous identifiers, and user or account attributes where identification is configured. It is not authorized to receive API request or response content solely by appearing in this section. | United States and other locations permitted under UserMotion's applicable terms. |
Changes to this list
CompanyEnrich will provide customers with at least thirty (30) days' advance notice by email or other electronic notice before a new or replacement Subprocessor begins Processing Customer Personal Data. If an urgent replacement is reasonably necessary to protect the Services or Customer Personal Data, CompanyEnrich may appoint the replacement sooner and will provide notice as soon as reasonably practicable.
Customers may raise reasonable data-protection objections by contacting legal@companyenrich.com during the thirty-day notice period.