This Subprocessor List ("List") identifies third-party service providers ("Subprocessors") that LocalBeat engages to process customer data in connection with the LocalBeat service. This List is maintained in accordance with our Data Processing Addendum and GDPR compliance obligations.

Plain English: This document lists all the companies we work with that might handle your data, and explains what they do and where they're located.

1. Introduction

1.1 Purpose

LocalBeat uses third-party service providers (Subprocessors) to deliver and support our services. This List provides transparency about these relationships and compliance with data protection regulations, including the General Data Protection Regulation (GDPR).

1.2 Data Processing Roles

• Data Controller: You (the customer) determine the purposes and means of processing personal data on your LocalBeat site
• Data Processor: LocalBeat processes data on your behalf to provide the service
• Subprocessors: Third parties engaged by LocalBeat to assist in data processing

1.3 Contractual Safeguards

All Subprocessors are bound by written agreements that include:

• Obligations to process data only per LocalBeat's instructions
• Appropriate technical and organizational security measures
• Confidentiality commitments
• Data breach notification requirements
• Assistance with data subject requests and audits
• Data deletion or return upon termination

1.4 International Transfers

Some Subprocessors are located outside the European Economic Area (EEA). International data transfers are protected by:

• Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
• Adequacy Decisions: Transfers to countries with adequate data protection (e.g., UK, Switzerland)
• Data Privacy Framework: Where applicable (U.S. entities)

2. Current Subprocessors

The following table lists all Subprocessors currently engaged by LocalBeat:

2.1 Infrastructure Provider Details

Several Subprocessors rely on Amazon Web Services (AWS) as their underlying infrastructure provider. AWS operates data centers globally and is compliant with:

• ISO 27001, ISO 27017, ISO 27018 (information security)
• SOC 1, SOC 2, SOC 3 (audit reports)
• GDPR and EU-U.S. Data Privacy Framework
• PCI DSS Level 1 (payment card security)

AWS Privacy Notice: https://aws.amazon.com/privacy/

3. Categories of Data Processed

3.1 Personal Data Types

Subprocessors may process the following categories of personal data on LocalBeat's behalf:

Account & Identity Data

• Name, email address, phone number
• Account username and encrypted password
• Profile information and preferences
• Organization or business name

Subprocessors: Clerk (authentication), Vercel (hosting), Neon (database storage)

Payment & Billing Data

• Billing address and contact information
• Payment method details (tokenized by Stripe, not stored by LocalBeat)
• Transaction history and invoices
• Tax identification numbers (if provided)

Subprocessors: Stripe (payment processing), Neon (billing records)

Content & Usage Data

• User-created content (posts, pages, media)
• Website visitor analytics (anonymized)
• Feature usage and interaction logs
• AI generation prompts and outputs

Subprocessors: Cloudinary (media files), OpenAI (AI generation), Vercel Analytics (anonymized analytics), Neon (content storage)

Newsletter & Email Data

• Newsletter subscriber email addresses
• Subscription preferences and categories
• Email open and click tracking data
• Unsubscribe records

Subprocessors: Resend (email delivery), Neon (subscriber storage)

Technical & Diagnostic Data

• IP addresses (hashed or anonymized)
• Browser type, device type, operating system
• Log data and error reports
• Performance metrics

Subprocessors: Vercel (hosting logs), Sentry (error tracking, if enabled), Vercel Analytics (performance metrics)

3.2 Data Processing Purposes

Subprocessors process data solely for the following purposes:

• Service Delivery: Providing core platform functionality
• Security: Authentication, fraud prevention, and security monitoring
• Performance: Content delivery, caching, and optimization
• Billing: Payment processing and invoice generation
• Support: Customer support and troubleshooting
• Compliance: Legal obligations and regulatory compliance

3.3 Data Minimization

LocalBeat shares only the minimum data necessary with each Subprocessor:

• Stripe receives payment data but not content data
• OpenAI receives AI generation prompts but not subscriber lists
• Resend receives email addresses but not payment information
• Vercel Analytics collects anonymized usage data without identifying information

4. Notification of Changes

4.1 Adding New Subprocessors

Before engaging a new Subprocessor or materially changing an existing Subprocessor's role, LocalBeat will:

• Update this Subprocessor List with new details
• Send email notification to customers at least 30 days before the new Subprocessor begins processing data
• Provide opportunity to object (see Section 5)

4.2 Minor Changes

Minor changes that do not affect data processing practices (e.g., updated privacy policy links, company address changes) will be reflected on this page without advance notice.

4.3 Removing Subprocessors

When we discontinue use of a Subprocessor:

• This List will be updated to reflect the change
• Customer data will be deleted or returned per contractual terms
• No customer objection process needed (data protection improves)

4.4 Monitoring Changes

To stay informed of Subprocessor changes:

• Bookmark this page and check periodically
• Subscribe to email notifications via Dashboard → Settings → Email Preferences
• Monitor version number and "Last Updated" date at top of page

5. Customer Objection Rights

5.1 Right to Object

If you object to the use of a new Subprocessor on reasonable grounds relating to data protection:

• Submit written objection to privacy@mylocalbeat.com within 30 days of notification
• Include specific data protection concerns (e.g., inadequate security, problematic jurisdiction)
• We will work with you to address concerns or identify alternative solutions

5.2 Resolution Process

Upon receiving an objection, LocalBeat will:

1. Acknowledge receipt within 5 business days
2. Review the objection and assess alternatives
3. Respond within 15 business days with:
   • Mitigation measures to address concerns, or
   • Alternative Subprocessor options, or
   • Technical solution to avoid data transfer to objected Subprocessor

5.3 If No Resolution

If we cannot resolve your objection:

• You may terminate your subscription without penalty
• Pro-rated refund for unused subscription time
• 60-day grace period to export data and migrate to alternative platform

5.4 Reasonable Grounds

"Reasonable grounds" for objection include:

• Subprocessor lacks adequate data protection measures
• Subprocessor's jurisdiction poses significant legal risks (e.g., government surveillance)
• Subprocessor's security certifications are insufficient
• Conflict with your industry-specific compliance requirements (HIPAA, PCI, etc.)

Objections based solely on preference or competitive concerns are not considered reasonable grounds.

6. Security & Compliance

6.1 Subprocessor Vetting

LocalBeat evaluates all Subprocessors before engagement based on:

• Security Certifications: SOC 2, ISO 27001, or equivalent
• Privacy Compliance: GDPR, CCPA, and applicable regulations
• Data Transfer Mechanisms: Standard Contractual Clauses or adequacy decisions
• Incident Response: Data breach notification procedures
• Financial Stability: Company viability and business continuity

6.2 Ongoing Monitoring

We continuously monitor Subprocessor compliance through:

• Annual review of security certifications and audit reports
• Privacy policy and terms of service change monitoring
• Security incident and breach disclosure reviews
• Performance and reliability monitoring

6.3 Data Breach Protocol

If a Subprocessor experiences a data breach affecting LocalBeat customer data:

• Subprocessor must notify LocalBeat within 24 hours
• LocalBeat will assess impact and determine customer notification requirements
• Affected customers will be notified within 72 hours (GDPR requirement)
• Notification will include: nature of breach, data affected, mitigation steps, support resources

6.4 Audit Rights

Enterprise customers with Data Processing Addendums have the right to:

• Request Subprocessor audit reports (SOC 2, ISO certifications)
• Review LocalBeat's due diligence documentation
• Request information about Subprocessor security practices

Contact compliance@mylocalbeat.com to exercise audit rights.

7. Contact Information

7.1 Questions About Subprocessors

For questions about this Subprocessor List or data processing practices:

• Email: privacy@mylocalbeat.com
• Data Protection Officer: dpo@mylocalbeat.com

7.2 Objections to New Subprocessors

To object to a new Subprocessor:

• Email: privacy@mylocalbeat.com
• Subject Line: "Subprocessor Objection - [Subprocessor Name]"
• Include: Your account details, specific concerns, and data protection grounds

7.3 Data Subject Requests

For data access, correction, deletion, or portability requests:

• In-App: Dashboard → Settings → Privacy & Data
• Email: privacy@mylocalbeat.com

7.4 Compliance Inquiries

For enterprise compliance questions, audit requests, or DPA inquiries:

• Email: compliance@mylocalbeat.com