Sub-processor List

Last Updated: May 25, 2026

1. Purpose

This Sub-processor List identifies the third-party service providers (“Sub-processors”) engaged by Stimaro LLC (“Stimaro™”) to assist in providing the Stimaro estimating software and related services (the “Service”). Sub-processors may have access to personal data submitted to or generated through the Service in connection with their support of Stimaro's operations.

This list is maintained in accordance with Stimaro's Privacy Policy and Data Processing Agreement (“DPA”). The most current version of this list is published at: https://stimaro.com/legal/subprocessors.

Capitalized terms used but not defined in this Sub-processor List have the meanings set forth in Stimaro's DPA or Privacy Policy.

This Sub-processor List does not include Customer-Enabled Third-Party Services, meaning third-party services, APIs, model providers, OCR tools, integrations, local services, or other services that a Customer chooses to connect to or enable within the Service using Customer's own account, credentials, API key, token, URL, settings, or configuration. Customer-Enabled Third-Party Services are governed by the applicable third party's own terms, privacy policies, data processing terms, security practices, retention practices, and model training practices, unless expressly identified by Stimaro as a Sub-processor in this list, an Order Form, or a Data Processing Agreement.

2. Current Stimaro-Controlled Sub-processors

The following Sub-processors are currently engaged by Stimaro or are expected to be engaged by Stimaro-controlled accounts to support the Service. Stimaro-controlled Sub-processors are service providers that Stimaro selects, contracts with, and uses to provide, secure, support, bill for, or operate the Service.

2.1 Core Service and Business Operations Sub-processors

| Sub-processor | Service Provided | Location | Data Processed | Privacy Policy |
| --- | --- | --- | --- | --- |
| Cloudflare, Inc. | Application hosting (Workers), database (D1), static site hosting (Pages), admin authentication (Cloudflare Access), worker observability, and DNS/CDN/edge security | Global edge network with US data residency for D1 databases | All customer data routed through the Stimaro platform API, customer-uploaded content, admin authentication tokens, IP addresses, and standard request metadata | https://www.cloudflare.com/privacypolicy/ |
| WorkOS, Inc. | Customer identity and authentication (AuthKit), hosted sign-in, organization membership management, webhooks, and device activation | United States | Customer user email addresses, names, organization affiliations, authentication credentials, session tokens, and device identifiers | https://workos.com/privacy |
| PostHog, Inc. | Product analytics, error tracking, telemetry, and production source map upload for the Stimaro desktop application | United States | Anonymized usage events, install identifiers, error reports, and application performance data. Telemetry payloads are scrubbed of personal data where possible, however install identifiers and event metadata may still be considered personal data under certain privacy frameworks | https://posthog.com/privacy |
| Formspree, Inc. | Marketing website contact form endpoint and lead submission processing | United States | Contact form submissions including name, email address, company name, message content, and submission metadata | https://formspree.io/legal/privacy-policy/ |
| Intuit Inc. (QuickBooks) | Accounting system of record. Used to store and process customer billing information, invoice records, and account references | United States | Customer billing contact name and email, billing address, invoice records, payment status, and accounting metadata. No direct API integration with the Stimaro platform; data is entered and managed manually | https://www.intuit.com/privacy/statement/ |
| Google LLC (Google Workspace) | Business email hosting, calendar, document storage, and internal collaboration for Stimaro's business operations. Used to send and receive all customer-facing email correspondence (support, sales, security) | United States | Customer email correspondence, customer contact names and email addresses, email metadata, attachments shared via email, and calendar event participants | https://policies.google.com/privacy |
| DocuSign, Inc. | Electronic signature and contract execution platform used to send, route, and store fully executed customer agreements including the Master Services Agreement, Order Forms, Data Processing Agreement, and Founding Contractor Addendum | United States | Customer signatory names, business email addresses, IP addresses, signature timestamps, and the full content of executed agreements | https://www.docusign.com/company/privacy-policy |
| Calendly LLC | Meeting scheduling and pre-demo questionnaire collection for prospect and customer meetings with Stimaro team members | United States | Prospect and customer names, business email addresses, scheduled meeting times, time zones, and responses to pre-demo questionnaire fields (team size, current tool, timeline, etc.) | https://calendly.com/privacy |
| Tally Forms BV | Customer-facing intake form for onboarding (collecting workflow information, cost structure details, team member information, and uploaded sample documents from new customers) | Belgium (EU) | Customer-submitted form responses including names, business email addresses, company information, descriptions of estimating workflows, cost structure details, and any files uploaded by the customer (which may include cost libraries, estimate templates, bid sheets, and other potentially sensitive business documents) | https://tally.so/privacy |
| Plus Five Five, Inc. (Resend) | Transactional and automated email delivery | United States | Email address, email metadata, message content, and any name or other information included in emails; if tracking is enabled, email engagement/analytics data such as opens, clicks, IP address, location, operating system, browser, device, email client, and spam complaints | https://resend.com/legal/privacy-policy |

2.2 Business Development and Prospecting Providers

| Sub-processor | Service Provided | Location | Data Processed | Privacy Policy |
| --- | --- | --- | --- | --- |
| HubSpot, Inc. | Customer relationship management (CRM), email tracking, lead capture, sales pipeline management, and prospect engagement | United States | Prospect and customer names, business email addresses, company affiliations, communication history, deal pipeline data, and engagement metrics | https://legal.hubspot.com/privacy-policy |
| Apollo.io, Inc. | B2B prospect data enrichment, contact discovery, and sales intelligence for outbound prospecting activities | United States | Publicly available business contact information including names, job titles, business email addresses, and company affiliations | https://www.apollo.io/privacy-policy |
| Hunter.io (Hunter SAS) | Email address verification and discovery for outbound prospecting activities | France (EU) | Publicly available business email addresses and email deliverability validation data | https://hunter.io/privacy-policy |

2.3 AI/OCR, Model Routing, and API-Based Services

No model training on customer data: all AI features below are accessed via commercial API agreements that contractually prohibit the AI providers from training their models on Stimaro customer input data.

| Sub-processor | Service Provided | Location | Data Processed | Privacy Policy |
| --- | --- | --- | --- | --- |
| Google LLC (Gemini API) | AI-powered request-for-quote (RFQ) content extraction | United States | Customer estimating content submitted to RFQ extraction features, including text and structured data from RFQ documents | https://policies.google.com/privacy and https://cloud.google.com/terms/ |
| Anthropic, PBC | AI-powered template cloning within the Stimaro product. Separately used for internal source code review workflows | United States | Customer estimating templates and template metadata submitted to template cloning features. Source code review workflows process Stimaro source code only and do not involve customer data | https://www.anthropic.com/legal/privacy |
| Mistral AI SAS | AI-powered optical character recognition (OCR) for specification PDFs and images | France (EU) | Customer-uploaded specification PDFs, images, and the extracted text content from those files | https://mistral.ai/terms/#privacy-policy |
| Application Hosting Provider (TBD) | Hosting of the Service application and Customer Data | United States | All Customer Data submitted to or generated through the Service. Provider to be confirmed at time of selection (target: SOC 2 Type II) | To be confirmed at time of selection |
| Error Monitoring Provider (TBD) | Application error and performance monitoring | United States | Application logs; error reports; technical and session data. Provider to be confirmed at time of selection | To be confirmed at time of selection |
| Security Scanning Provider (TBD) | Source code, dependency, and infrastructure vulnerability scanning | United States | Source code metadata; configuration data; dependency information (no production Customer Data). Provider to be confirmed at time of selection | To be confirmed at time of selection |
| License Management Provider (TBD) | Issuance and management of software license keys | United States | Authorized User account information; license activation data; device identifiers. Provider to be confirmed at time of selection | To be confirmed at time of selection |

Entries marked “TBD” refer to categories of Sub-processors that Stimaro intends to engage prior to or at the time of launch of the Service. Stimaro will update this list with the specific Sub-processor name, location, and certifications upon final selection. Engagement of any TBD Sub-processor will be subject to the notification and update procedures described in Section 3.

2.4 Customer-Enabled Third-Party Services

The Service may allow Customers to connect or configure third-party services using Customer-provided accounts, credentials, API keys, tokens, URLs, or settings. These may include AI model providers, model-routing providers, OCR tools, local services, accounting systems, project management systems, reporting tools, or other integrations. Customer-Enabled Third-Party Services are not Stimaro Sub-processors unless expressly identified in this Sub-processor List, an applicable Order Form, or a Data Processing Agreement. Customer is responsible for reviewing and accepting the applicable third-party terms, privacy policies, data processing terms, retention practices, model training practices, security practices, usage limits, and pricing for any Customer-Enabled Third-Party Service that Customer chooses to enable or connect. Examples may include OpenRouter, local Ollama deployments, OCR tools, accounting systems, project management systems, or other services configured by Customer. Where such services are configured using Customer's own account or API key, they are treated as Customer-Enabled Third-Party Services unless Stimaro expressly identifies them as Sub-processors. Stimaro does not recommend submitting Customer Data, vendor quote documents, bid files, pricing information, estimating materials, confidential information, or personal information to unpaid AI services. If Stimaro uses a Stimaro-controlled AI provider for Customer Data, Stimaro will use a paid/business configuration where commercially available and appropriate.

3. Updates and Notification

3.1 Maintenance of List. Stimaro maintains an up-to-date list of Sub-processors at https://stimaro.com/legal/subprocessors. The current version of this Sub-processor List supersedes any prior versions.

3.2 Notification of Changes. Stimaro will notify Customers of the addition or replacement of a Sub-processor by:

  • Updating this Sub-processor List on the URL identified above; and
  • Sending an email notification to the primary contact email address on file for the Customer prior to the new Sub-processor Processing Personal Data.

3.3 Customer Subscription to Notifications. Customers may request to receive notifications of Sub-processor changes by contacting Stimaro at the email address set forth in Section 6.

3.4 Frequency of Updates. Stimaro reviews and updates this Sub-processor List as needed when adding, replacing, or removing Sub-processors. Stimaro recommends that Customers review this list periodically to remain informed of the Sub-processors engaged in connection with the Service.

For clarity, this notification process applies to Stimaro-controlled Sub-processors engaged by Stimaro. It does not apply to Customer-Enabled Third-Party Services that a Customer independently chooses to enable, connect, or configure using Customer's own account, credentials, API key, token, URL, or settings.

4. Sub-processor Obligations

Stimaro requires each Sub-processor to enter into a written agreement that:

  • Imposes data protection and confidentiality obligations substantially equivalent to those set forth in Stimaro's DPA;
  • Restricts the Sub-processor's Processing of personal data to the limited purposes for which the Sub-processor is engaged;
  • Requires appropriate technical and organizational security measures to protect personal data;
  • Includes commitments regarding data breach notification consistent with applicable law.

Stimaro remains liable to Customer for the acts and omissions of its Sub-processors relating to Processing of personal data, in accordance with Stimaro's DPA.

These obligations apply to Stimaro-controlled Sub-processors and do not apply to Customer-Enabled Third-Party Services unless such services are expressly identified as Stimaro Sub-processors in this Sub-processor List, an Order Form, or a Data Processing Agreement.

5. Data Location and International Transfers

As of the date of this Sub-processor List, Stimaro's current core Sub-processors primarily Process personal data in the United States. Certain providers, including content delivery, infrastructure, analytics, security, model-routing, AI, OCR, or cloud service providers, may operate global networks or rely on affiliates, infrastructure, or service providers in additional jurisdictions as necessary to provide their services. Location information in this list reflects Stimaro's current understanding based on provider documentation and may vary depending on provider configuration, Customer location, selected model, or Customer-Enabled Third-Party Service.

Stimaro does not currently target Customers subject to the EU General Data Protection Regulation, UK GDPR, or similar non-U.S. data protection laws. If a Customer becomes subject to such laws, the Parties will cooperate to implement appropriate transfer mechanisms, such as Standard Contractual Clauses or other required safeguards, prior to any transfer of personal data for which such mechanisms are required, in accordance with Stimaro's DPA.

6. Contact and Inquiries

Questions or concerns regarding Stimaro's Sub-processors, this Sub-processor List, or Stimaro's data processing practices may be directed to:

Stimaro LLC

ATTN: Legal

169 Madison Ave STE 98516

New York, NY 10016

Email: [email protected]