Subprocessors

Every third party that touches your data, named.

A subprocessor is any third-party service Web Cited (Aliso LLC dba Web Cited) uses to actually deliver the audit - hosting the marketing site, running the intake API, processing payments, sending transactional email, holding the CRM record, or querying the LLM backends that the audit tests. The list below is the canonical list. If a provider is not on this page or in our Privacy Policy, we are not using it. Customers will be notified by email before any new subprocessor is added.

Personal-data processors

These providers handle your contact details, your company information, or your payment information.

Cloudflare

Purpose: Hosts the marketing site (Cloudflare Pages), runs the intake API at api.web-cited.com (Cloudflare Workers), and stores at-rest operational data on Cloudflare's storage backends.
Data categories: Contact details (name, email), company name and website, intake-form scope notes, audit-trail metadata. Infrastructure access logs (IP, request headers) may be retained by Cloudflare at the infrastructure level; Web Cited does not access these.
Region: United States (global edge network).
Reference: Cloudflare Privacy Policy · Cloudflare DPA.

HubSpot

Purpose: Customer relationship management (CRM) system holding your contact record and deal record.
Data categories: Name, work email, company name and website, deal stage, audit tier selected, scope notes, correspondence history.
Region: United States.
Reference: HubSpot Privacy Policy · HubSpot DPA.

Resend

Purpose: Transactional email delivery for scope confirmation, kickoff, follow-up, and support replies, sent from a verified Web Cited sub-domain.
Data categories: Recipient name and email, message subject and body, delivery metadata, message logs.
Region: United States.
Reference: Resend Privacy Policy · Resend DPA.

Stripe

Purpose: Payment processor for invoices and hosted checkout. Web Cited never sees your card data.
Data categories: Billing name and address, business name, invoice metadata, payment method details (held by Stripe, not Web Cited).
Region: United States.
Reference: Stripe Privacy Policy · Stripe DPA.

Audit-content backends

These providers process your Customer Content - the buyer questions, brand and competitor list, and URLs you submit on intake. They do not directly receive your name, email, or other contact details.

Railway

Purpose: Managed application hosting that runs the audit pipeline at audit.web-cited.com and stores intermediate audit state during processing.
Data categories: Submitted URLs, buyer questions, brand and competitor list, per-engine LLM responses, intermediate audit artifacts.
Region: United States.
Reference: Railway Privacy Policy · Railway DPA.

OpenAI

Purpose: LLM backend queried with your buyer questions to test how OpenAI's models answer.
Data categories: Buyer questions and surrounding prompt context only. No contact details, no payment information.
Region: United States.
Reference: OpenAI Privacy Policy · OpenAI DPA.

Anthropic

Purpose: LLM backend queried with your buyer questions to test how Anthropic's Claude models answer.
Data categories: Buyer questions and surrounding prompt context only. No contact details, no payment information.
Region: United States.
Reference: Anthropic Privacy Policy · Anthropic DPA.

Google (Gemini)

Purpose: LLM backend (Gemini API) queried with your buyer questions to test how Google's models answer.
Data categories: Buyer questions and surrounding prompt context only. No contact details, no payment information.
Region: United States.
Reference: Google Privacy Policy · Google Cloud DPA.

Perplexity

Purpose: LLM backend (Perplexity API) queried with your buyer questions to test how Perplexity's models answer.
Data categories: Buyer questions and surrounding prompt context only. No contact details, no payment information.
Region: United States.
Reference: Perplexity Privacy Policy.

DataForSEO

Purpose: Structured search-engine and SERP (search engine results page) data provider.
Data categories: Submitted query strings derived from your buyer questions and competitor list. No contact details, no payment information.
Region: United States.
Reference: DataForSEO Privacy Policy · DataForSEO DPA.

How we add or change a subprocessor

Before Web Cited adds a new subprocessor that will handle your personal data or your Customer Content, we will:

Notify customers by email at the address on file, with the new provider's name, purpose, data categories, region, and a link to its privacy policy and DPA.
Update this page and the corresponding section of the Privacy Policy and Terms of Service §6.7.
Honor any objection raised by a customer under the mechanism described in the Terms of Service. If we cannot accommodate an objection, the customer may terminate the affected engagement consistent with the Terms.

Removing a subprocessor (because we have stopped using a service) does not require advance notice; we will simply update this page and the related documents.

Questions about a subprocessor

If your procurement, security, or privacy function needs more detail on any provider above - the regional sub-processor list, retention, sub-processor flowdown commitments, or a copy of an executed DPA - use the contact form and select the most appropriate subject. We respond inside one business day.

This page is the canonical subprocessor list. Where this page and the Privacy Policy or Terms of Service describe the same fact differently, the legal documents govern; we will reconcile this page to match at next review.

Last reviewed: May 10, 2026.