Subprocessors & Data Partners
The third-party services Torbi works with — split into two clear groups: Subprocessors who process data on Torbi's behalf under our DPA, and Data Partners who are independent controllers we license data from. Different legal roles; different opt-out paths.
Infrastructure & hosting
Where the application runs, where data sits at rest, and how we keep it resilient.
| Provider | Purpose | Location | Certifications |
|---|---|---|---|
| Amazon Web Services | Application hosting, primary database, object storage, backups | ap-south-1 (Mumbai) · eu-west-1 (Ireland) | SOC 2ISO 27001GDPR |
| Cloudflare | CDN, DNS, DDoS protection, WAF | Global | SOC 2ISO 27001 |
| Vercel | Marketing website hosting | Global edge · US data plane | SOC 2 |
AI & inference
Foundation-model providers used to draft outreach, classify signals, and run matching. All operate under zero-retention API agreements — your content is not retained beyond the inference request and is not used to train their models.
| Provider | Purpose | Location | Certifications |
|---|---|---|---|
| Anthropic | LLM inference — outreach drafting, classification, summarisation | US | SOC 2 Type IIZero retention |
| OpenAI | LLM inference (fallback) and embeddings | US | SOC 2 Type IIZero retention |
| Pinecone | Vector search for matching | eu-west-1 (Ireland) | SOC 2 Type II |
Email, calling & messaging
Used to send service messages to customers and, where customers route outreach through Torbi's relay, to deliver authenticated email on the customer's domain.
| Provider | Purpose | Location | Certifications |
|---|---|---|---|
| Postmark (ActiveCampaign) | Transactional email (receipts, alerts, password resets) | US | SOC 2 |
| Twilio SendGrid | Customer-domain outreach relay (opt-in) | US · EU | SOC 2 Type IIGDPR |
| Twilio | SMS & WhatsApp Business for opt-in 2FA | US | SOC 2 Type IIGDPR |
Payments & billing
Card data is tokenised by these providers — Torbi never receives or stores raw card numbers.
| Provider | Purpose | Location | Certifications |
|---|---|---|---|
| Stripe | Card & SEPA payment processing (USD, EUR, GBP, etc.) | US · IE | PCI DSS L1SOC 2 Type II |
| Razorpay | Card, UPI, NetBanking payments (INR) | India | PCI DSS L1ISO 27001 |
| Zoho Books | Invoicing, tax records, GST filing (India) | India | SOC 2 Type IIISO 27001 |
Customer support & product analytics
Internal tooling that touches customer account metadata. None of these process Prospect Data.
| Provider | Purpose | Location | Certifications |
|---|---|---|---|
| Intercom | In-product help chat and customer messaging | US · EU (Dublin) | SOC 2 Type IIGDPR |
| Linear | Bug & feedback tracking (issues created from support) | US | SOC 2 Type II |
| PostHog (Cloud EU) | First-party product analytics & session replay (opt-in) | eu-central-1 (Frankfurt) | SOC 2 Type IIGDPR |
| Datadog | Application logging & performance monitoring | eu-west-1 (Ireland) | SOC 2 Type IIISO 27001 |
| Sentry | Error reporting (scrubbed of PII at capture) | US | SOC 2 Type II |
Data Partners — independent controllers
These are not our subprocessors. They are independent third-party services we license data from. Each one is the controller of the data it supplies to Torbi, operates under its own published privacy policy and lawful basis, and runs its own opt-out path. Torbi orchestrates queries through them — it does not maintain its own scraped contact database.
Why this distinction matters. Under GDPR Article 28, a "subprocessor" processes personal data on our instructions, on our behalf. The companies below do not. They collected the data under their own programmes, hold it as their own controllers, and supply records to us in response to queries. If you want a record they hold removed, the most effective route is to use their opt-out — we will also propagate the suppression on our end (see Privacy Policy §11).
| Data Partner | What they supply | HQ | Opt-out / privacy |
|---|---|---|---|
| Apollo.io | B2B contact records (work email, phone, title, employer, LinkedIn URL where supplied) | US | apollo.io/privacy apollo.io/opt-out |
| Clearbit (HubSpot) | Company firmographics, technographic enrichment | US | clearbit.com/privacy HubSpot Trust Center |
| Hunter.io | Email-pattern discovery and verification | France · EU | hunter.io/privacy hunter.io/claim |
| LeadMagic | Email verification, work-email finder fallback | US | leadmagic.io/privacy |
| OpenCorporates | Global company-registry records (public data) | UK | opencorporates.com/info/legal |
| BuiltWith | Public technology-stack detection on company websites | Australia · US | builtwith.com/privacy |
What Torbi does not access or hold
- LinkedIn, Facebook, Instagram, X/Twitter, Reddit, TikTok — Torbi has no direct data-sharing or scraping relationship with any social network. Where a Data Partner above provides a LinkedIn (or similar) profile URL alongside a record, that URL is a deep-link to the platform; clicking it takes you to the platform under the platform's own terms.
- Consumer datasets — Torbi does not buy, license, or integrate consumer-grade data (voter rolls, marketing lists, demographic profiles, location pings).
- Credentialed actions on third-party services — Torbi does not log into LinkedIn or any other service on your behalf using stored credentials, and does not run scripted browser sessions ("phantoms") under user credentials.
Get notified of subprocessor changes
We give at least 30 days' notice before adding or replacing a subprocessor. Subscribe with a work email to receive change alerts — useful for procurement and compliance teams.