Trust Center
Sub-processors
Sub-processor
List
This page lists all third-party services (“sub-processors”) that may process personal data on behalf of Enrich-CRM. For each, we explain exactly what they do in our pipeline, what data they can access, and what safeguards apply.
In accordance with our DPA, we notify clients of any new or changed sub-processor at least 14 days in advance via the client dashboard or email. Clients may object within that period on reasonable data protection grounds. Questions? privacy@enrich-crm.com
How requests are processed
A full description of the enrichment pipeline — the five steps, which sub-processor is involved at each step, and what data they can access — is set out in the Data Processing Agreement (DPA), Schedule 1: Processing Details, under “Processing flow (enrichment pipeline)”.
Data category legend
Google SERP API
SERP Sub-processor — Search queries during enrichment
Role in the pipeline (step 2): The Google SERP API is a sub-processor we use to run search queries during the enrichment process. Its servers are located in the EU. When an enrichment request arrives, we build search queries from the submitted identifiers and send them to the API. The response is a ranked list of public URLs — no page content is fetched at this stage.
The SERP API does not perform enrichment itself — it only returns URLs. It has no access to the enrichment output we compute or the data we return to clients.
Data accessible
- Search queries constructed from submitted identifiers (e.g. "John Smith Acme Corp LinkedIn", "acme-corp.com VP Sales")
- Queries may contain: firstName, lastName, fullName, companyName, domain, contactLinkedinUrl — depending on what the client submitted
- email, phone, and IDs (LinkedIn Sales Nav ID, company LinkedIn ID) are never included in search queries
- Query logs are retained by the provider per their standard data retention policy
Amazon Web Services (AWS)
Cloud Infrastructure & In-house LLM Processing
Role in the pipeline (steps 3 & 4): AWS hosts our application servers and our in-house LLM. When a SERP result URL is returned by the Google SERP API, our infrastructure (on AWS EU) opens the page in a logged-out browser context, reads the publicly visible HTML, and passes it to the LLM.
The LLM extracts, standardises, and scores the enrichment data entirely in memory. No enrichment data is written to disk or stored — the result is immediately returned to the client. AWS infrastructure also hosts our account database (credentials, settings) and handles all API requests.
Data accessible
- Application server and API request handling
- Encrypted database: account data, API keys, usage counters
- Server and access logs (standard infrastructure logs)
- Automated encrypted backups
- Client account data stored in the database: name, email, company (encrypted at rest, AES-256)
- Identifiers submitted by the client transit through AWS servers during processing (in-memory only)
- HTML content of public pages fetched during enrichment (in-memory only, not stored)
- LLM output (structured enrichment result) is computed in-memory and immediately returned — not persisted
PostHog
Product Analytics & Enrichment Operation Logs
Role in the pipeline (step 5 — logging): After each enrichment operation, we write a structured log event to PostHog. This log records what the client submitted (the input identifiers), which client account made the request, and whether the enrichment succeeded or failed.
This log exists for operational purposes: debugging errors, measuring enrichment success rates by identifier type, and detecting abuse. PostHog also collects standard product analytics (page views, feature usage) from the platform. All data stays within the EU. The enriched output (the result we return to the client) is never sent to PostHog.
Data accessible
- Input identifiers submitted by the client for each enrichment request (e.g. email, name, domain, LinkedIn URL)
- Success or failure status of the enrichment
- Enrichment type requested (e.g. contact enrichment, company enrichment)
- Timestamp and response time
- Client email address (associated with each log event, for debugging and abuse detection)
- Account plan/tier (for segmentation)
- Page views and navigation paths on the platform
- Feature interaction events (e.g. "export clicked", "integration connected")
- Funnel and conversion data
- Browser type, device type, session timestamps
PostHog receives the enrichment inputs (the identifiers you send us) and your client email, for logging purposes. The enrichment output (what we return to you) is never sent to PostHog. You may request deletion of your log data at privacy@enrich-crm.com.
Google Workspace (Gmail)
Internal Communication & Email
Role: Google Workspace (Gmail, Google Drive) is used by the Enrich-CRM team for internal communication and collaboration. It may incidentally process personal data when clients contact us by email or share files (e.g. a CSV containing contact data) via email rather than through the platform’s direct upload.
Google Workspace is not connected to the enrichment pipeline. It is not used to send transactional or marketing emails to clients (handled by HubSpot) nor for customer support (handled by Intercom).
Data accessible
- Email address and name of clients or prospects who contact us by email
- Content of emails sent to @enrich-crm.com addresses by clients
- Personal data potentially included in files (e.g. CSV) sent by clients via email — only if the client chooses email over the platform upload
- We recommend clients use the secure CSV upload in the platform instead of email for any file containing personal data
To minimise exposure, we recommend always using the secure platform upload (CSV import or API) rather than sending files containing personal data by email.
Segment (Twilio)
Customer Data Platform — Event Tracking & Routing
Role: Segment is our customer data platform. It collects user events from our website and app (page views, feature interactions, lifecycle events) and routes them to downstream tools like PostHog and HubSpot. It acts as a data pipeline between our product and other sub-processors.
Segment is not involved in the enrichment pipeline. It only processes data related to how our own clients interact with the Enrich-CRM platform.
Data accessible
- User ID (hashed)
- Email address (for identity resolution across tools)
- Account plan and company name
- User lifecycle events (signup, login, enrichment performed, export, plan upgrade/downgrade)
- Funnel and conversion tracking
- Attribution data (UTM parameters, referral source)
- IP address (used for geolocation, then anonymized)
- Browser and device type
- Session timestamps
Enrichment data (the B2B contact/company data processed on behalf of clients) is never sent to Segment.
HubSpot
Internal CRM & Customer Communications — EU data residency
Role: HubSpot is our internal CRM. It holds the contact and account information of Enrich-CRM’s own customers and prospects — the people who use our platform. We use it for customer follow-up, lifecycle tracking, billing context, and sending transactional and marketing emails.
HubSpot is entirely outside the enrichment pipeline. The B2B data we process on behalf of our clients is never sent to or stored in HubSpot.
Data accessible
- Name, professional email, job title
- Company name, size, industry
- Country and language preferences
- Subscription plan and status (synced from Chargebee)
- Trial / conversion date
- Account value and billing tier
- Transactional emails sent by Enrich-CRM (invoices, account notifications)
- Marketing emails and campaigns (for opted-in users)
- Email open/click tracking
- Account lifecycle stage (lead, trial, active, churned)
- Last login / activity timestamps
HubSpot only contains data about Enrich-CRM’s own clients. The B2B enrichment data processed on behalf of clients is never stored in HubSpot.
Chargebee
Subscription Management & Revenue Operations
Role: Chargebee manages the full subscription lifecycle for Enrich-CRM customers — plan selection, free trials, upgrades, downgrades, renewals, metered billing (credit consumption), and invoicing. It works alongside Stripe for actual payment collection.
Chargebee never touches enrichment data. It only has access to the billing and subscription context of Enrich-CRM’s own clients.
Data accessible
- Subscription plan, status, and history
- Billing cycles and renewal dates
- Credit consumption and overages
- Invoice records and dunning history
- VAT / tax identifier
- Payment method type (not card number)
- Customer name
- Professional email address
- Company name and billing address
Stripe
Payment Collection
Role: Stripe is our payment processor. It handles the actual collection of payments initiated by Chargebee. Card data is entered directly in Stripe’s PCI-DSS-certified interface and is never transmitted to or stored on Enrich-CRM servers.
Stripe never touches enrichment data.
Data accessible
- Payment card details (tokenized — Stripe only, never stored by Enrich-CRM)
- Billing address
- Invoice amounts and payment history
- VAT / tax identifier (when applicable)
- Customer name
- Professional email address
- Company name
Intercom
Customer Support Chat
Role: Intercom powers the support chat visible on our website and in the platform. When a client initiates a conversation, their email address and the full content of the conversation are stored in Intercom so our team can respond and track the history.
Intercom has no access to enrichment data. It is used exclusively for client support conversations.
Data accessible
- Email address of the client initiating the conversation
- Name and company name
- Account plan/tier (for support prioritisation)
- Full content of the support conversation (messages and any attachments sent by the client)
- Support ticket history
- In-app notification status
- Last seen / last login (for context when responding to a ticket)
- Page visited at the time of conversation start
We ask clients not to paste enrichment data into support conversations. Support chats should contain only account, billing, or technical questions.
Slack
Internal Team Messaging
Role: Slack is used by the Enrich-CRM team for internal communication. It may incidentally process personal data when team members discuss client accounts, support issues, or share information related to a specific client’s request.
Slack is not connected to the enrichment pipeline and is not used to communicate directly with clients. It has no programmatic access to client data.
Data accessible
- Email address and name of clients or prospects, if referenced internally by the team
- Account plan or status, if discussed in a support or sales context
- Internal discussion content relating to client requests or issues
- No direct client messages — all client-facing support goes through Intercom
Summary
| Sub-processor | Role | Location | Safeguards | Enrichment data? |
|---|---|---|---|---|
| Google SERP API | SERP — search queries | 🇪🇺 EU servers | GDPR compliant | Search queries (name, company, domain) |
| Google Workspace | Internal email & files | 🇺🇸 USA | SCCs + DPF | No |
| AWS Europe | Infrastructure & LLM processing | 🇪🇺 EU (Paris) | ISO 27001 + SOC 2 | In-memory only — not stored |
| PostHog | Analytics & enrichment logs | 🇪🇺 EU | EU data residency | Input identifiers + success/fail |
| Segment | Event tracking CDP | 🇺🇸 USA | SCCs + DPF | No |
| HubSpot | Internal CRM & emails | 🇪🇺 EU residency | SCCs + DPF | No |
| Chargebee | Subscription management | 🇺🇸 USA | SCCs + ISO 27001 | No |
| Stripe | Payment collection | 🇺🇸 USA | PCI-DSS L1 + DPF | No |
| Intercom | Support chat | 🇺🇸 USA | SCCs + DPF | No |
| Slack | Internal team messaging | 🇺🇸 USA | SCCs + DPF | No |
Sub-processor list · Last updated February 2026 · ENRICH CRM SAS
To object to a sub-processor or ask questions: privacy@enrich-crm.com