Sub-Processors
Last updated: June 14, 2026
1. About this list
ScoutSocial engages the following sub-processors to provide the platform. We will update this list and notify customers before engaging new sub-processors, as described in our Data Processing Agreement.
2. Current Sub-Processors
| Provider | Purpose | Data categories | Location | Transfer mechanism | DPA in place |
|---|---|---|---|---|---|
| Clerk | Authentication and identity management | Account identifiers, email, session metadata | United States | EU SCCs Module Two + UK IDTA | Yes |
| Paddle.com Market Limited (Paddle) | Merchant of record for ScoutSocial subscriptions: checkout, payment processing, tax, invoicing, refund execution, subscription management | Billing identifiers, invoice references, payment-card data (handled by Paddle, not stored by ScoutSocial) | United Kingdom | EU SCCs + UK adequacy | Yes |
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, data storage (S3), content delivery (CloudFront), and transactional email (SES) | All hosted Customer data | United States / EU (Frankfurt) | EU SCCs Module Two + UK IDTA | Yes |
| OpenAI | LLM inference for content generation and pre-publish moderation when enabled | Prompts, generated outputs (identifiers redacted before transmission) | United States | EU SCCs Module Two + DPF Principles + no-training clause | Yes |
| OpenAI (Whisper) | Speech-to-text transcription of uploaded video audio | Uploaded video audio (transient; deleted after transcription) | United States | EU SCCs Module Two + DPF Principles + no-training clause | Yes |
| Anthropic | LLM inference for content generation (alternative provider) | Prompts, generated outputs (identifiers redacted before transmission) | United States | EU SCCs Module Two + DPF Principles + no-training clause | Yes |
| LangChain, Inc. (LangSmith) | LLM tracing and observability when enabled. Traces may include redacted prompts and tool outputs; platform member PII is stripped by our redactor before export. Retention: 90 days. | Redacted prompts, tool traces, operational telemetry | United States | EU SCCs Module Two + UK IDTA | Yes |
| Tavily | Web search and retrieval for the agentic AI content pipeline (grounding/research queries) | Non-personal search terms/topics derived from prompts — no user personal data is sent | United States | N/A — no personal data transferred | N/A — no personal data |
| Google Analytics | Website and product analytics (with user consent) | Pseudonymous usage events, device metadata | United States / Global | EU SCCs Module Two + DPF Principles | Yes |
| Google (reCAPTCHA) | Bot and abuse protection on public forms (beta signup, contact) | IP address, device/browser signals | United States / Global | EU SCCs Module Two + DPF Principles | Yes |
| Google LLC / YouTube API Services | Video publishing, channel management, and performance analytics when customers connect YouTube accounts | YouTube channel/video metadata, analytics, OAuth tokens | United States / Global | EU SCCs Module One (C2C) + DPF Principles | Yes |
| LinkedIn Corporation (Microsoft) | OAuth and LinkedIn Marketing + Community Management APIs for publishing, analytics, and listening when customers connect LinkedIn accounts | LinkedIn profile, post, analytics and Member data (subject to LinkedIn caps) | United States / EU / Global | EU SCCs Module One (C2C) + DPF Principles | Yes |
| X Corp. | OAuth and X API (v2 + Account Activity) for publishing, analytics, and listening when customers connect X accounts | X profile, post, analytics, and interaction data | United States / Global | EU SCCs Module One (C2C) + EU-US DPF certification (incl. Swiss-US, UK Extension) | Yes |
| Meta Platforms, Inc. | Facebook Login and Graph API / Instagram Graph API for publishing and analytics when customers connect Facebook Pages or Instagram Business accounts | Page/account metadata, post content, insights, comment metadata, OAuth tokens | United States / Ireland / Global | EU SCCs Module One (C2C) + DPF Principles | Yes |
| TikTok Inc. | OAuth and TikTok for Developers APIs (Content Posting, Display) for publishing and analytics when customers connect TikTok accounts | TikTok open_id, profile, video metadata, analytics, comment metadata | United States / Singapore / Global | EU SCCs Module One (C2C); EU/UK controller is TikTok Technology Limited (Ireland) | Yes |
| ByteDance Ltd. | Parent company of TikTok Inc.; processes TikTok API traffic as a separate legal entity under TikTok's developer terms. Listed separately because customer data transferred to TikTok may be processed on ByteDance infrastructure under TikTok's privacy and transfer framework. | Same as TikTok Inc., processed on ByteDance infrastructure | Cayman Islands (incorporation) / China / Singapore / Global | EU SCCs Module One (C2C) via TikTok contractual chain | Yes (via TikTok developer agreement) |
| Vercel, Inc. | Frontend hosting and edge delivery | Static assets, request metadata | Global (edge network) | EU SCCs Module Two + UK IDTA | Yes |
| Redis Labs (Redis Inc.) | In-memory caching and task queue | Cached session data, queued job metadata | United States | EU SCCs Module Two + UK IDTA | Yes |
ScoutSocial does not store full payment-card details; card data is handled by Paddle.
3. Changes to this list
We will update this list and notify Customers at least 30 days before adding, replacing or removing a sub-processor that processes Customer Personal Data. Customers may object to a change on reasonable data-protection grounds by emailing privacy@scoutsocial.ai. If the objection cannot be resolved we will discuss a workable alternative; in the absence of resolution the affected Customer may terminate the affected service for convenience.
AI training prohibition. ScoutSocial's contracts with OpenAI and Anthropic prohibit those providers from using Customer prompts, content, Platform Data or AI outputs to train, fine-tune or improve their foundation or production models.
4. Contact
Email: privacy@scoutsocial.ai

