Subprocessors
Updated .
This page lists material providers involved in operating Simulacra's website, Studio, Headless API, compliance, support, and business systems. Customer-specific DPAs may include additional terms, notice procedures, or a controlling subprocessor list.
| Provider | Purpose | Data processed | Notes |
|---|---|---|---|
| Amazon Web Services | Cloud infrastructure, hosting, storage, networking, monitoring, encryption, and key-management services. | Customer research data where hosted by Simulacra, service metadata, logs, backups, and security telemetry. | Core production infrastructure. Enterprise API mode may use customer-controlled AWS storage and KMS paths. |
| Auth0 by Okta | Authentication, OAuth2 machine-to-machine credentials, tenant access, and credential lifecycle support. | Account identifiers, API client metadata, login and token metadata. Not intended to store customer research datasets. | Used for API and platform identity workflows. |
| Netlify | Marketing website hosting, redirects, and contact-form handling. | Website traffic metadata and contact form submissions. Not used for Studio or API customer research data. | Applies to the public website and launch site. |
| Google Workspace | Business email, calendar, document collaboration, and customer communications. | Business contact data, support and procurement communications, contracts, security questionnaires, and compliance coordination. | Customer research data should not be sent through email unless expressly approved for a support workflow. |
| Twilio SendGrid | Transactional email delivery for account, security, support, and product notifications. | Business contact data, email addresses, and message metadata required to deliver service email. Not used for Studio or API customer research data. | Outbound transactional email only. |
| Zoom | Video meetings, demos, sales calls, customer support calls, and compliance review meetings. | Business contact data, meeting metadata, chat content if used, and recordings or transcripts only when a meeting is recorded. | Customer research data should not be shared over Zoom unless specifically approved for a customer support or validation workflow. |
| Sensiba LLP | Independent SOC 2, SOC 3, and ISO/IEC 27001 audit and certification services. | Sampled audit evidence, policies, control evidence, personnel interviews, and system descriptions. | Receives evidence needed to perform audit and certification services. |
| GitHub | Source control, pull requests, release history, and change-management evidence. | Code, configuration, issue metadata, and change records. Customer research data should not be committed. | Supports secure development lifecycle and audit evidence. |
| Intuit QuickBooks | Accounting, invoicing, billing, tax, and finance recordkeeping. | Customer billing contact information, invoices, payment status, and accounting records. Not used for Studio or API customer research data. | Finance and tax records only. |
Changes and notices
Simulacra may update subprocessors as the service evolves. Enterprise customers with a DPA should rely on the DPA's notice and objection process where it differs from this public page.
Product-specific handling
Not every provider above receives every category of data. The Studio and API have different data lifecycles, described in the Privacy Policy and API Security page. Sensitive audit reports and detailed vendor evidence are available directly from Simulacra where appropriate.
Contact
Questions about subprocessors or DPA terms can be sent to privacy@simulacra-data.com or requested through Compliance contact.