Sub-processors
Last updated: July 9, 2026
Sleet Labs LLC operates SEC/OUTBOUND and uses the third-party providers below to deliver the Service. Each provider that processes live client or prospect data is covered by a data processing agreement or equivalent contractual protection. A provider listed ahead of a feature going live is marked below as pending its data processing agreement and processes no real client or prospect data until that agreement is executed. We keep this list current and give clients at least 30 days' notice before a new sub-processor begins processing client data (see our Privacy Policy §6).
Clients who want sub-processor change notices can email privacy@secoutbound.com with the subject line "Sub-processor notices."
| Provider | Role in the Service | Personal data processed | Primary location |
|---|---|---|---|
| Vercel, Inc. | Website hosting, contact-form endpoint, AI Gateway | Server logs, contact-form submissions, AI inputs/outputs | USA |
| Cloudflare, Inc. | DNS, registrar, network security | IP addresses, request metadata | USA |
| Railway Corp. | Application hosting/compute, managed PostgreSQL database, and Redis cache for the self-hosted cal.diy booking scheduler. Data processing agreement executed (DocuSign, 2026-07-09); processes only synthetic test data until the self-hosted cal.diy scheduler goes live; no real booking data yet. | Server and application logs; and, once live, the booking records the scheduler stores — booker name, work email, meeting time and time zone, event/meeting title, connected-calendar references, and any booking-form answers | USA |
| Plus Five Five, Inc. (d/b/a Resend) | Transactional email delivery — contact-form notifications now; booking confirmations, cancellations, reschedules, and reminders once the self-hosted scheduler goes live | Contact-form data (name, email, message); booking-lifecycle email to prospects who book (booker name, work email, meeting time/time zone, event/meeting title, organizer and client contact metadata, message body, delivery metadata) | USA |
| Supabase, Inc. | System-of-record database + per-client dashboard (row-level security) | Prospect/lead and engagement data, isolated per client | USA |
| Google LLC | Google Workspace — sending mailboxes, calendar | Email content, contact metadata | USA |
| ZenLeads Inc. (d/b/a Apollo.io) | B2B contact-data sourcing | Public business contact data we retrieve | USA |
| GBD Software as a Service Ltd. (d/b/a MillionVerifier) | Email-address verification | Email addresses (verification only) | EU (Hungary) |
| 521 Products Pty Ltd (d/b/a Smartlead) | Outbound email sending and engagement tracking. Formal data processing agreement in execution; operating under Smartlead's standard data-processing terms in the interim. | Prospect contact data, email content, engagement events | Australia |
| Anthropic PBC (via Vercel AI Gateway) | AI-assisted email personalization | Prospect public-profile snippets (not used to train the model) | USA |
| Cal.com, Inc. (hosted scheduler only) | Hosted meeting scheduling, when configured | Booking details, calendar metadata | USA |
| Pluot Communications, Inc. (d/b/a Daily.co) | Cal Video meeting rooms for cal.diy booking events — real-time video/screen-share hosting for the discovery call. Data processing agreement in effect (Daily's online DPA, incorporating US state-law service-provider terms); processes only synthetic test data until the self-hosted cal.diy scheduler goes live; no real booking data yet. | Booker/participant display name, IP address, in-call audio/video/screen-share media (calls are not recorded), and room/session metadata (join and leave times, connection-quality signals) | USA |
| Stripe, Inc. | Payment processing for clients | Client billing details (we never see full card numbers) | USA |
ZenLeads Inc. (d/b/a Apollo.io) and GBD Software as a Service Ltd. (d/b/a MillionVerifier) are listed for transparency as independent third-party data sources or verification providers from which we obtain or verify business contact data as an independent controller.
Self-hosted scheduler (cal.diy) status. SEC/OUTBOUND is evaluating a self-hosted cal.diy scheduler in non-production using synthetic data only. Real client or prospect booking data will not flow through it until the remaining processors for that stack are selected, reviewed, and added to this list, and clients have received any required 30-day change notice. The email-delivery layer for booking-lifecycle messages has been selected — Plus Five Five, Inc. (d/b/a Resend), shown above — and the video/meeting-link provider has been selected: Cal Video, provided by Pluot Communications, Inc. (d/b/a Daily.co), shown above. Daily's data processing agreement is now in effect (its online DPA, which includes US state-law service-provider terms); it will begin processing real audio, video, or booking data only after the self-hosted scheduler goes live, and until then it processes synthetic test data only. The application hosting/compute layer, the managed PostgreSQL database, and the Redis cache for the self-hosted scheduler have also been selected — Railway Corp. (shown above) — and their data processing agreement is now executed (DocuSign, 2026-07-09); Railway processes only synthetic test data until the self-hosted scheduler goes live. The connected-calendar authorization model (Google Calendar OAuth) is still undergoing a least-privilege scope, revocability, and token-storage security review before any real client calendar is connected. Hosted Cal.com, Inc. remains the meeting-scheduling sub-processor for any client configured on the hosted scheduler.
Questions about this list: privacy@secoutbound.com.