SEC / OUTBOUND Home

Sub-processors

Last updated: July 9, 2026

Sleet Labs LLC operates SEC/OUTBOUND and uses the third-party providers below to deliver the Service. Each provider that processes live client or prospect data is covered by a data processing agreement or equivalent contractual protection. A provider listed ahead of a feature going live is marked below as pending its data processing agreement and processes no real client or prospect data until that agreement is executed. We keep this list current and give clients at least 30 days' notice before a new sub-processor begins processing client data (see our Privacy Policy §6).

Clients who want sub-processor change notices can email privacy@secoutbound.com with the subject line "Sub-processor notices."

Provider Role in the Service Personal data processed Primary location
Vercel, Inc. Website hosting, contact-form endpoint, AI Gateway Server logs, contact-form submissions, AI inputs/outputs USA
Cloudflare, Inc. DNS, registrar, network security IP addresses, request metadata USA
Railway Corp. Application hosting/compute, managed PostgreSQL database, and Redis cache for the self-hosted cal.diy booking scheduler. Data processing agreement executed (DocuSign, 2026-07-09); processes only synthetic test data until the self-hosted cal.diy scheduler goes live; no real booking data yet. Server and application logs; and, once live, the booking records the scheduler stores — booker name, work email, meeting time and time zone, event/meeting title, connected-calendar references, and any booking-form answers USA
Plus Five Five, Inc. (d/b/a Resend) Transactional email delivery — contact-form notifications now; booking confirmations, cancellations, reschedules, and reminders once the self-hosted scheduler goes live Contact-form data (name, email, message); booking-lifecycle email to prospects who book (booker name, work email, meeting time/time zone, event/meeting title, organizer and client contact metadata, message body, delivery metadata) USA
Supabase, Inc. System-of-record database + per-client dashboard (row-level security) Prospect/lead and engagement data, isolated per client USA
Google LLC Google Workspace — sending mailboxes, calendar Email content, contact metadata USA
ZenLeads Inc. (d/b/a Apollo.io) B2B contact-data sourcing Public business contact data we retrieve USA
GBD Software as a Service Ltd. (d/b/a MillionVerifier) Email-address verification Email addresses (verification only) EU (Hungary)
521 Products Pty Ltd (d/b/a Smartlead) Outbound email sending and engagement tracking. Formal data processing agreement in execution; operating under Smartlead's standard data-processing terms in the interim. Prospect contact data, email content, engagement events Australia
Anthropic PBC (via Vercel AI Gateway) AI-assisted email personalization Prospect public-profile snippets (not used to train the model) USA
Cal.com, Inc. (hosted scheduler only) Hosted meeting scheduling, when configured Booking details, calendar metadata USA
Pluot Communications, Inc. (d/b/a Daily.co) Cal Video meeting rooms for cal.diy booking events — real-time video/screen-share hosting for the discovery call. Data processing agreement in effect (Daily's online DPA, incorporating US state-law service-provider terms); processes only synthetic test data until the self-hosted cal.diy scheduler goes live; no real booking data yet. Booker/participant display name, IP address, in-call audio/video/screen-share media (calls are not recorded), and room/session metadata (join and leave times, connection-quality signals) USA
Stripe, Inc. Payment processing for clients Client billing details (we never see full card numbers) USA

ZenLeads Inc. (d/b/a Apollo.io) and GBD Software as a Service Ltd. (d/b/a MillionVerifier) are listed for transparency as independent third-party data sources or verification providers from which we obtain or verify business contact data as an independent controller.

Self-hosted scheduler (cal.diy) status. SEC/OUTBOUND is evaluating a self-hosted cal.diy scheduler in non-production using synthetic data only. Real client or prospect booking data will not flow through it until the remaining processors for that stack are selected, reviewed, and added to this list, and clients have received any required 30-day change notice. The email-delivery layer for booking-lifecycle messages has been selected — Plus Five Five, Inc. (d/b/a Resend), shown above — and the video/meeting-link provider has been selected: Cal Video, provided by Pluot Communications, Inc. (d/b/a Daily.co), shown above. Daily's data processing agreement is now in effect (its online DPA, which includes US state-law service-provider terms); it will begin processing real audio, video, or booking data only after the self-hosted scheduler goes live, and until then it processes synthetic test data only. The application hosting/compute layer, the managed PostgreSQL database, and the Redis cache for the self-hosted scheduler have also been selected — Railway Corp. (shown above) — and their data processing agreement is now executed (DocuSign, 2026-07-09); Railway processes only synthetic test data until the self-hosted scheduler goes live. The connected-calendar authorization model (Google Calendar OAuth) is still undergoing a least-privilege scope, revocability, and token-storage security review before any real client calendar is connected. Hosted Cal.com, Inc. remains the meeting-scheduling sub-processor for any client configured on the hosted scheduler.

Questions about this list: privacy@secoutbound.com.