Like any modern SaaS, prospiq relies on a small set of third-party services to deliver the product — cloud hosting, payment processing, email delivery, and a few operational tools. We refer to these collectively as sub-processors. Here's how we handle them.
What a sub-processor is
A sub-processor is a third party that processes customer data on prospiq's behalf in order for us to deliver the service. They operate under contract with prospiq, bound by data protection terms that flow through from our agreement with you.
A sub-processor is not the same as a data partner. The verified contact data we deliver to you comes from sources separate from this — described in How prospiq sources contact data. This article is about the operational infrastructure that runs prospiq itself.
Categories of sub-processors we use
prospiq uses sub-processors in the following categories:
- Cloud infrastructure — for hosting our application, database, and primary data storage
- Payment processing — for handling subscription billing, invoicing, and tax calculation
- Email delivery — for sending transactional emails (sign-in links, billing notifications, support replies)
- Customer support tooling — for managing inbound support conversations
- Application monitoring — for error tracking and uptime monitoring (no customer-stored data is sent to these services; only anonymous operational signals)
Each category contains a small number of named vendors, chosen for their security posture, GDPR/DPDP compatibility, and engineering quality.
Why we don't publish the specific vendor names
We don't publish a public list of named vendors. This is a deliberate choice, not an oversight.
The reasoning:
- Specificity isn't required. GDPR requires that customers know the categories of sub-processors and their function — not the brand names. Most enterprise procurement teams accept categorical disclosure as long as the operational picture is clear.
- Specific vendor names change. Naming a vendor publicly creates the obligation to update the page on every change and gives prospects the wrong signal if they don't read it carefully.
- Targeted disclosure is more useful. Customers who have a specific need to know — auditors, compliance reviewers, security questionnaires — get the specific names directly from us, with the context to interpret them.
This approach matches what's stated in our Data Processing Agreement, Section 7.5: "A current list of categories of Sub-processors and the services they perform is available to Customer upon request."
How to request the specific list
If you need the specific vendor names for compliance, procurement, or due diligence, email privacy@prospiq.net with:
- A short explanation of why you need the list (vendor risk assessment, DPA review, customer audit response, etc.)
- The email address on your prospiq account
We'll send the current list of named sub-processors, the function each one performs, and the data they have access to. We respond to these requests within two business days.
What contractual protections are in place
Every sub-processor we engage:
- Has signed a data processing agreement (DPA) that flows through obligations from our agreement with you
- Has demonstrated reasonable security practices appropriate to the data they handle
- Is bound to use the data only for the specific service they provide, not for their own purposes
- Is bound to delete or return the data when their service is terminated
When sub-processors change
If we change our sub-processor list in a way that materially affects what data is handled or where it's processed, we'll notify customers in advance. For routine changes (like switching email-delivery providers without changing what data is processed), we update the internal list and respond to information requests with the current version.
What this doesn't include
Things that aren't sub-processors:
- Your own integrations — if you connect prospiq to HubSpot, Salesforce, or Zoho, those are your processors, not ours. The data flows from prospiq to your CRM at your instruction.
- Public content delivery — the CDN that serves prospiq.net's static assets (CSS, images, JavaScript) doesn't process customer data, only public files. It's part of infrastructure rather than a sub-processor in the GDPR sense.