Sub-processors
Effective Date: 2026-04-16 | Last Updated: 2026-04-16
This page lists the third-party service providers ("Sub-processors") that SignalAEO LLC ("SignalAEO," "we," "us," or "our") uses to deliver the Service, along with the purpose of each engagement, the data categories involved, processing location, and current certifications. This page is maintained to satisfy the notification obligations set out in our Data Processing Agreement.
Overview
A Sub-processor, in the context of Data Protection Laws, is a third party we engage to Process Personal Data on our behalf as part of delivering the Service. We select Sub-processors carefully, review their security posture before engagement, and require them by contract to provide at least the same level of protection for Personal Data as we provide under our DPA with Customer.
The list below reflects Sub-processors currently engaged to provide services to customers of all tiers. A Sub-processor that Processes only SignalAEO's internal corporate data (for example, a payroll provider) is not listed here because it does not Process customer Personal Data.
Current Sub-processors
| Vendor & Service | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
| Amazon Web Services, Inc. AWS Lightsail Compliance info → | Hosting, compute, managed databases, object storage, and content delivery. | All customer data stored or processed by the Service — account data, billing metadata, configuration, measurement results, logs, and backups. | United States (us-west-1, Northern California region) | SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS, HIPAA, FedRAMP Moderate |
| Stripe, Inc. Stripe Payments and Billing Compliance info → | Processing of subscription payments, billing, invoicing, tax calculation, and fraud detection. | Customer name, business name, billing email, billing address, last four digits of payment card, card network and expiration month/year, transaction history, and device/network metadata used for fraud detection. Full card numbers are transmitted directly to Stripe and are not received or stored by SignalAEO. | United States | PCI DSS Level 1, SOC 1 Type 2, SOC 2 Type 2, ISO 27001 |
| Calendly, LLC Meeting scheduling Compliance info → | Scheduling of sales discovery calls, onboarding calls, and customer success calls booked from our contact page. | Name, business email, call booking time, call notes, responses to pre-call intake questions. | United States | SOC 2 Type 2 |
Last content update: 2026-04-16. This list is updated whenever Sub-processors are added or removed.
Notifications of Changes
We will update this page at least 30 days before a new Sub-processor begins Processing Personal Data on behalf of Customer, except in cases where urgent replacement is required (for example, if an existing Sub-processor experiences a material service interruption or breach and must be replaced on short notice).
Customers may subscribe to email notifications for Sub-processor changes by sending a subscription request to contact@signalaeo.com with the subject "Sub-processor Notification Subscription" and the email address you want on the notification list.
Right to Object
Under our Data Processing Agreement, Customer has the right to object on reasonable data-protection grounds to the engagement of a new Sub-processor during the 30-day notice period. If Customer objects, the parties will work in good faith to find a mutually acceptable resolution. If no resolution is reached, Customer may terminate the affected subscription by providing written notice, without liability for subscription fees relating to periods after termination.
Due Diligence and Oversight
Before engaging any Sub-processor that will Process Personal Data, we:
- Review the Sub-processor's publicly available security and compliance attestations (SOC 2, ISO 27001, PCI DSS, etc.)
- Review the Sub-processor's data processing agreement and ensure it contains protections at least equivalent to those in our DPA with Customer
- Evaluate whether the Sub-processor's processing location and any cross-border data transfers are compatible with the transfer mechanisms in our DPA
- Document the engagement in our internal vendor inventory for ongoing review
We review each Sub-processor engagement at least annually. If a Sub-processor no longer meets our security or compliance requirements, we will either bring the engagement back into compliance or begin a managed transition to an alternative.
Contact
Questions about Sub-processors, or requests for additional due-diligence documentation, should be sent to:
SignalAEO LLC3300 Triumph Blvd, Suites 100 and 200
Lehi, UT 84043
Legal: contact@signalaeo.com