Aurora sub-processors

Last updated: May 24, 2026

What this page is. A complete list of the third-party services Aurora AI Solutions Studio UG ("Aurora") uses to deliver ClientPulse, ContentPulse, Aurora Operator, and the KI-Beratung consulting line. Customers, prospects, and Datenschutzaufsichtsbehörden can consult this page at any time to see the full sub-processor chain that touches their data.

This list is the canonical version. The same content appears in the relevant sections of our Data Processing Agreement (DPA §4) and our Privacy Policy (§4). If you spot any inconsistency, the most recently dated source wins; please email privacy@helloaurora.ai so we can reconcile.

How to read the tables

Sub-processor: the legal entity that processes personal data on Aurora's behalf.
Purpose: what Aurora uses the service for.
Location: where the service stores or routes data. EU means data stays in the European Economic Area; US means transfer to the United States under Standard Contractual Clauses (SCCs); global means CDN edge or anycast routing.
Data category: the type of personal data the sub-processor receives.
Legal terms: link to the sub-processor's own DPA, SCC, privacy policy, or trust portal.

1. Core infrastructure — both products

These sub-processors are used by every Aurora product (ContentPulse, ClientPulse, Aurora Operator, the KI-Beratung consulting line).

Sub-processor	Purpose	Location	Data category	Legal terms
Supabase Inc.	Database, authentication, row-level security, encrypted vault for OAuth and Operator BYOK credentials	EU (Frankfurt, AWS eu-central-1)	Account profile, app data, hashed credentials, generated content, audit metadata	DPA · Privacy
Vercel Inc.	Application hosting, edge functions, CDN	EU (Frankfurt, fra1) compute · global anycast CDN	HTTP requests, page rendering data, edge logs	DPA · Privacy
Stripe, Inc. / Stripe Payments Europe Ltd.	Payment processing, subscription billing, invoicing, tax calculation	US (SCCs) · EU acquirer (Ireland, Frankfurt)	Billing email, name, payment method last-4, billing address, VAT-ID, invoice line items	DPA · Privacy
Resend Inc. (sub-sub-processor: AWS EMEA SARL / SES eu-west-1)	Transactional email delivery: account notifications, brief sends, white-label client reports, DPA confirmations	EU (Ireland)	Recipient email, sender email, message subject and body, send metadata	DPA · Privacy
Inngest, Inc.	Background job orchestration: signal fan-out, scheduled report builds, Operator skill dispatch, retry queues	US (SCCs)	Job payloads (may include client names, signal references, run identifiers)	DPA · Privacy
Sentry (Functional Software, Inc.)	Error tracking and performance monitoring	US (SCCs)	Stack traces, request URLs, anonymised user identifier, browser/OS metadata	DPA · Privacy
Upstash, Inc.	Distributed rate limiting (Redis) for abuse protection and API throttling	EU (Frankfurt)	Hashed identifiers (IP + user ID + route), counters, TTL timestamps	DPA · Privacy

2. AI / model providers

These sub-processors are used for AI inference. Anthropic is Aurora's default model provider for non-Operator AI features (health scoring, signal classification, content drafting). OpenAI, Google Gemini, and additional Anthropic models are also used as Bring-Your-Own-Key (BYOK) options for Aurora Operator — see §3 below.

Sub-processor	Purpose	Location	Data category	Legal terms
Anthropic PBC (Claude API)	Default LLM for non-Operator AI features: health scoring, signal classification, content drafting, voice-profile generation, recursive-learning agent	US (SCCs)	Prompts (may include client names, message snippets, voice samples); model outputs	Terms · DPA · Trust
OpenAI L.L.C.	Text embeddings (text-embedding-3-small) for semantic signal search; Whisper transcription for Zoom cloud recordings	US (SCCs)	Text snippets for embedding, audio recordings for transcription	DPA · Enterprise privacy
Deepgram, Inc.	Audio and video transcription (ContentPulse primary provider)	US (SCCs)	Audio/video files uploaded by customers for transcription	DPA · Privacy
AssemblyAI, Inc.	Audio transcription (ContentPulse legacy fallback only)	US (SCCs)	Audio files uploaded by customers for transcription	DPA · Privacy

3. Aurora Operator — BYOK sub-processors (customer-selected)

When the agency owner connects Aurora Operator with their own LLM API key (Bring-Your-Own-Key), the chosen provider becomes an additional sub-processor for the duration of Operator skill execution. The customer's choice of provider determines which sub-processor applies. Aurora stores the BYOK credential pgsodium-encrypted on the profiles.operator_credential column; the plaintext key is decrypted just-in-time per invocation and discarded. Raw prompts and raw completions are not retained — only structured skill metadata (skill id, version, timestamps, status, cost, output reference) is logged for billing transparency and audit.

BYOK provider (customer-selected)	Purpose	Location	Data category	Legal terms
Anthropic PBC (Claude Opus / Sonnet / Haiku)	Operator skill LLM execution under customer's own Anthropic API key	US (SCCs)	Prompts and completions assembled at skill-run time	DPA
OpenAI L.L.C. (GPT-5 family)	Operator skill LLM execution under customer's own OpenAI API key	US (SCCs)	Prompts and completions assembled at skill-run time	DPA
Google LLC (Gemini 2.x)	Operator skill LLM execution under customer's own Google API key	US (DPF / SCCs)	Prompts and completions assembled at skill-run time	DPA

4. Aurora-site marketing (helloaurora.ai)

The Aurora marketing site uses a deliberately small set of sub-processors. Self-hosted fonts mean no Google Fonts request; first-party analytics mean no third-party trackers.

Sub-processor	Purpose	Location	Data category	Legal terms
Vercel Inc.	Static site hosting and CDN for helloaurora.ai	EU (Frankfurt) · global anycast CDN	HTTP request logs (anonymised IP)	Privacy
Calendly LLC (KI-Beratung consulting only)	Discovery-call scheduling for the KI-Beratung (German consulting) line	US (SCCs)	Name, email, timezone, scheduled meeting details	DPA · Privacy

5. What is not a sub-processor

The following services often appear when customers compare Aurora to other SaaS, but they are not Aurora sub-processors under GDPR Art. 28:

Customer-connected source connectors — Gmail, Google Calendar, Outlook, Zoom, Slack, HubSpot, Asana, Klaviyo, Mailchimp, Google Analytics 4, Apple Podcasts. These are services the customer connects to ClientPulse or ContentPulse via the customer's own OAuth grant. The controller relationship between the customer and the platform is governed by the customer's own contract with that platform; Aurora processes only the data the customer pulls through into our products.
Aurora Operator BYOK providers when not selected — if a customer does not enable Aurora Operator, or selects only one BYOK provider, the other providers listed in §3 do not receive any of that customer's data.
Google Fonts, Adobe Fonts, Typekit, Font Awesome CDN — Aurora self-hosts every web font on first-party origins, so no font CDN request is made when a visitor loads any Aurora page.
Third-party analytics (Google Analytics, Mixpanel, Segment, Amplitude, etc.) — Aurora does not use third-party web analytics on helloaurora.ai or the product apps. Operational metrics are first-party only.

Notice of changes to this list. When Aurora adds a new sub-processor to any of the tables above, we update the "Last updated" date at the top of this page and the corresponding section of our DPA. Where contractually required (for example under enterprise DPAs or our standard customer DPA at §4 last paragraph), Aurora notifies customers at least 30 days before the new sub-processor begins processing customer personal data, so the customer has an opportunity to object.

If you would like to receive these notifications by email, write to privacy@helloaurora.ai with the subject line "Sub-processor change notifications — opt in" and we will add you to the notice list.

Questions, complaints, or objections about any sub-processor on this list: privacy@helloaurora.ai.

6. Aurora as the controller

Aurora AI Solutions Studio UG, Stuttgart, Germany (Amtsgericht Stuttgart HRB 805284) is the data controller for personal data processed in connection with Aurora products, and the data processor for customer personal data processed under our Data Processing Agreement. See our Impressum for full company details and our Privacy Policy for the rights you have over your data (GDPR Art. 12–22) and how to exercise them.