Per our Privacy Policy, AgencyPitch shares limited data with the following subprocessors. We notify customers at least 30 days before adding any new subprocessor that processes personal data.
Core infrastructure
| Subprocessor | Purpose | Location | Compliance |
|---|
| Google Cloud / Firebase | Authentication, Firestore database, file storage, analytics events. | USA (us-central1) | SOC 2 II, ISO 27001, GDPR, HIPAA |
| Vercel | Web application hosting + edge CDN. | Global | SOC 2 II, GDPR, CCPA |
| Railway | PDF rendering microservice (Puppeteer + Chromium). | USA | SOC 2 II |
AI providers
| Subprocessor | Purpose | Location | Data retention |
|---|
| Anthropic (Claude) | AI proposal generation (fallback model). | USA | 30 days for abuse monitoring; not used for training. |
| Google AI (Gemini) | AI proposal generation (primary model). | USA | Per Google AI policy; not used for training paid tier. |
Payments + email
| Subprocessor | Purpose | Location | Compliance |
|---|
| Razorpay | Subscription billing and one-time payments. | India + global | PCI DSS Level 1, ISO 27001 |
| Resend | Transactional email (proposal-view notifications, billing receipts). | USA | SOC 2 II, GDPR |
Analytics + monitoring
| Subprocessor | Purpose | Location |
|---|
| PostHog | Product analytics (page views, feature usage). Self-host option available for Enterprise. | USA / EU (configurable) |
| Sentry | Error monitoring + performance traces. | USA |
Cross-border data transfers
Where AgencyPitch transfers personal data of EU/UK residents to the US or India, transfers happen under Standard Contractual Clauses (SCCs) plus supplementary technical measures (encryption in transit and at rest).
How to be notified of new subprocessors
Email privacy@agencypitch.io with the subject line “subprocessor-updates” and we’ll add you to the notification list. We notify at least 30 days before any new subprocessor that processes personal data is added to the stack.