Sub-processor List
Last Updated: May 25, 2026
1. Purpose
This Sub-processor List identifies the third-party service providers (“Sub-processors”) engaged by Stimaro LLC (“Stimaro™”) to assist in providing the Stimaro estimating software and related services (the “Service”). Sub-processors may have access to personal data submitted to or generated through the Service in connection with their support of Stimaro's operations.
This list is maintained in accordance with Stimaro's Privacy Policy and Data Processing Agreement (“DPA”). The most current version of this list is published at: https://stimaro.com/legal/subprocessors.
Capitalized terms used but not defined in this Sub-processor List have the meanings set forth in Stimaro's DPA or Privacy Policy.
This Sub-processor List does not include Customer-Enabled Third-Party Services, meaning third-party services, APIs, model providers, OCR tools, integrations, local services, or other services that a Customer chooses to connect to or enable within the Service using Customer's own account, credentials, API key, token, URL, settings, or configuration. Customer-Enabled Third-Party Services are governed by the applicable third party's own terms, privacy policies, data processing terms, security practices, retention practices, and model training practices, unless expressly identified by Stimaro as a Sub-processor in this list, an Order Form, or a Data Processing Agreement.
2. Current Stimaro-Controlled Sub-processors
The following Sub-processors are currently engaged by Stimaro or are expected to be engaged by Stimaro-controlled accounts to support the Service. Stimaro-controlled Sub-processors are service providers that Stimaro selects, contracts with, and uses to provide, secure, support, bill for, or operate the Service.
2.1 Core Service and Business Operations Sub-processors
| Sub-processor | Service Provided | Location | Data Processed | Privacy Policy |
|---|---|---|---|---|
| Cloudflare, Inc. | Application hosting (Workers), database (D1), static site hosting (Pages), admin authentication (Cloudflare Access), worker observability, and DNS/CDN/edge security | Global edge network with US data residency for D1 databases | All customer data routed through the Stimaro platform API, customer-uploaded content, admin authentication tokens, IP addresses, and standard request metadata | https://www.cloudflare.com/privacypolicy/ |
| WorkOS, Inc. | Customer identity and authentication (AuthKit), hosted sign-in, organization membership management, webhooks, and device activation | United States | Customer user email addresses, names, organization affiliations, authentication credentials, session tokens, and device identifiers | https://workos.com/privacy |
| PostHog, Inc. | Product analytics, error tracking, telemetry, and production source map upload for the Stimaro desktop application | United States | Anonymized usage events, install identifiers, error reports, and application performance data. Telemetry payloads are scrubbed of personal data where possible; however, install identifiers and event metadata may still be considered personal data under certain privacy frameworks | https://posthog.com/privacy |
| Formspree, Inc. | Marketing website contact form endpoint and lead submission processing | United States | Contact form submissions including name, email address, company name, message content, and submission metadata | https://formspree.io/legal/privacy-policy/ |
| Intuit Inc. (QuickBooks) | Accounting system of record. Used to store and process customer billing information, invoice records, and account references | United States | Customer billing contact name and email, billing address, invoice records, payment status, and accounting metadata. No direct API integration with the Stimaro platform; data is entered and managed manually | https://www.intuit.com/privacy/statement/ |
| Google LLC (Google Workspace) | Business email hosting, calendar, document storage, and internal collaboration for Stimaro's business operations. Used to send and receive all customer-facing email correspondence (support, sales, security) | United States | Customer email correspondence, customer contact names and email addresses, email metadata, attachments shared via email, and calendar event participants | https://policies.google.com/privacy |
| DocuSign, Inc. | Electronic signature and contract execution platform used to send, route, and store fully executed customer agreements including the Master Services Agreement, Order Forms, Data Processing Agreement, and Founding Contractor Addendum | United States | Customer signatory names, business email addresses, IP addresses, signature timestamps, and the full content of executed agreements | https://www.docusign.com/company/privacy-policy |
| Calendly LLC | Meeting scheduling and pre-demo questionnaire collection for prospect and customer meetings with Stimaro team members | United States | Prospect and customer names, business email addresses, scheduled meeting times, time zones, and responses to pre-demo questionnaire fields (team size, current tool, timeline, etc.) | https://calendly.com/privacy |
| Tally Forms BV | Customer-facing intake form for onboarding (collecting workflow information, cost structure details, team member information, and uploaded sample documents from new customers) | Belgium (EU) | Customer-submitted form responses including names, business email addresses, company information, descriptions of estimating workflows, cost structure details, and any files uploaded by the customer (which may include cost libraries, estimate templates, bid sheets, and other potentially sensitive business documents) | https://tally.so/privacy |
| Plus Five Five, Inc. (Resend) | Transactional and automated email delivery | United States | Email address, email metadata, message content, and any name or other information included in emails; if tracking is enabled, email engagement/analytics data such as opens, clicks, IP address, location, operating system, browser, device, email client, and spam complaints | https://resend.com/legal/privacy-policy |
2.2 Business Development and Prospecting Providers
| Sub-processor | Service Provided | Location | Data Processed | Privacy Policy |
|---|---|---|---|---|
| HubSpot, Inc. | Customer relationship management (CRM), email tracking, lead capture, sales pipeline management, and prospect engagement | United States | Prospect and customer names, business email addresses, company affiliations, communication history, deal pipeline data, and engagement metrics | https://legal.hubspot.com/privacy-policy |
| Apollo.io, Inc. | B2B prospect data enrichment, contact discovery, and sales intelligence for outbound prospecting activities | United States | Publicly available business contact information including names, job titles, business email addresses, and company affiliations | https://www.apollo.io/privacy-policy |
| Hunter.io (Hunter SAS) | Email address verification and discovery for outbound prospecting activities | France (EU) | Publicly available business email addresses and email deliverability validation data | https://hunter.io/privacy-policy |
2.3 AI/OCR, Model Routing, and API-Based Services
No model training on customer data: all AI features below are accessed via commercial API agreements that contractually prohibit the AI providers from training their models on Stimaro customer input data.
| Sub-processor | Service Provided | Location | Data Processed | Privacy Policy |
|---|---|---|---|---|
| Google LLC (Gemini API) | AI-powered request-for-quote (RFQ) content extraction | United States | Customer estimating content submitted to RFQ extraction features, including text and structured data from RFQ documents | https://policies.google.com/privacy and https://cloud.google.com/terms/ |
| Anthropic, PBC | AI-powered template cloning within the Stimaro product. Separately used for internal source code review workflows | United States | Customer estimating templates and template metadata submitted to template cloning features. Source code review workflows process Stimaro source code only and do not involve customer data | https://www.anthropic.com/legal/privacy |
| Mistral AI SAS | AI-powered optical character recognition (OCR) for specification PDFs and images | France (EU) | Customer-uploaded specification PDFs, images, and the extracted text content from those files | https://mistral.ai/terms/#privacy-policy |
| Application Hosting Provider (TBD) | Hosting of the Service application and Customer Data | United States | All Customer Data submitted to or generated through the Service. Provider to be confirmed at time of selection (target: SOC 2 Type II) | To be confirmed at time of selection |
| Error Monitoring Provider (TBD) | Application error and performance monitoring | United States | Application logs; error reports; technical and session data. Provider to be confirmed at time of selection | To be confirmed at time of selection |
| Security Scanning Provider (TBD) | Source code, dependency, and infrastructure vulnerability scanning | United States | Source code metadata; configuration data; dependency information (no production Customer Data). Provider to be confirmed at time of selection | To be confirmed at time of selection |
| License Management Provider (TBD) | Issuance and management of software license keys | United States | Authorized User account information; license activation data; device identifiers. Provider to be confirmed at time of selection | To be confirmed at time of selection |
Entries marked “TBD” refer to categories of Sub-processors that Stimaro intends to engage prior to or at the time of launch of the Service. Stimaro will update this list with the specific Sub-processor name, location, and certifications upon final selection. Engagement of any TBD Sub-processor will be subject to the notification and update procedures described in Section 3.
2.4 Customer-Enabled Third-Party Services
The Service may allow Customers to connect or configure third-party services using Customer-provided accounts, credentials, API keys, tokens, URLs, or settings. These may include AI model providers, model-routing providers, OCR tools, local services, accounting systems, project management systems, reporting tools, or other integrations. Customer-Enabled Third-Party Services are not Stimaro Sub-processors unless expressly identified in this Sub-processor List, an applicable Order Form, or a Data Processing Agreement. Customer is responsible for reviewing and accepting the applicable third-party terms, privacy policies, data processing terms, retention practices, model training practices, security practices, usage limits, and pricing for any Customer-Enabled Third-Party Service that Customer chooses to enable or connect. Examples may include OpenRouter, local Ollama deployments, OCR tools, accounting systems, project management systems, or other services configured by Customer. Where such services are configured using Customer's own account or API key, they are treated as Customer-Enabled Third-Party Services unless Stimaro expressly identifies them as Sub-processors. Stimaro does not recommend submitting Customer Data, vendor quote documents, bid files, pricing information, estimating materials, confidential information, or personal information to unpaid AI services. If Stimaro uses a Stimaro-controlled AI provider for Customer Data, Stimaro will use a paid/business configuration where commercially available and appropriate.
3. Updates and Notification
3.1 Maintenance of List. Stimaro maintains an up-to-date list of Sub-processors at https://stimaro.com/legal/subprocessors. The current version of this Sub-processor List supersedes any prior versions.
3.2 Notification of Changes. Stimaro will notify Customers of the addition or replacement of a Sub-processor by:
- Updating this Sub-processor List on the URL identified above; and
- Sending an email notification to the primary contact email address on file for the Customer prior to the new Sub-processor Processing Personal Data.
3.3 Customer Subscription to Notifications. Customers may request to receive notifications of Sub-processor changes by contacting Stimaro at the email address set forth in Section 6.
3.4 Frequency of Updates. Stimaro reviews and updates this Sub-processor List as needed when adding, replacing, or removing Sub-processors. Stimaro recommends that Customers review this list periodically to remain informed of the Sub-processors engaged in connection with the Service.
For clarity, this notification process applies to Stimaro-controlled Sub-processors engaged by Stimaro. It does not apply to Customer-Enabled Third-Party Services that a Customer independently chooses to enable, connect, or configure using Customer's own account, credentials, API key, token, URL, or settings.
4. Sub-processor Obligations
Stimaro requires each Sub-processor to enter into a written agreement that:
- Imposes data protection and confidentiality obligations substantially equivalent to those set forth in Stimaro's DPA;
- Restricts the Sub-processor's Processing of personal data to the limited purposes for which the Sub-processor is engaged;
- Requires appropriate technical and organizational security measures to protect personal data;
- Includes commitments regarding data breach notification consistent with applicable law.
Stimaro remains liable to Customer for the acts and omissions of its Sub-processors relating to Processing of personal data, in accordance with Stimaro's DPA.
These obligations apply to Stimaro-controlled Sub-processors and do not apply to Customer-Enabled Third-Party Services unless such services are expressly identified as Stimaro Sub-processors in this Sub-processor List, an Order Form, or a Data Processing Agreement.
5. Data Location and International Transfers
As of the date of this Sub-processor List, Stimaro's current core Sub-processors primarily Process personal data in the United States. Certain providers, including content delivery, infrastructure, analytics, security, model-routing, AI, OCR, or cloud service providers, may operate global networks or rely on affiliates, infrastructure, or service providers in additional jurisdictions as necessary to provide their services. Location information in this list reflects Stimaro's current understanding based on provider documentation and may vary depending on provider configuration, Customer location, selected model, or Customer-Enabled Third-Party Service.
Stimaro does not currently target Customers subject to the EU General Data Protection Regulation, UK GDPR, or similar non-U.S. data protection laws. If a Customer becomes subject to such laws, the Parties will cooperate to implement appropriate transfer mechanisms, such as Standard Contractual Clauses or other required safeguards, prior to any transfer of personal data for which such mechanisms are required, in accordance with Stimaro's DPA.
6. Contact and Inquiries
Questions or concerns regarding Stimaro's Sub-processors, this Sub-processor List, or Stimaro's data processing practices may be directed to:
Stimaro LLC
ATTN: Legal
169 Madison Ave STE 98516
New York, NY 10016
Email: [email protected]