Sub-Processors
Last updated: March 2026
Pressmark uses the following third-party service providers (“sub-processors”) to operate our platform. Each provider processes data under a written Data Processing Agreement that restricts them to processing your data solely on our instructions and in accordance with applicable data protection laws.
To be notified when we add or change a sub-processor, email privacy@getpressmark.com with “Sub-Processor Updates” in the subject line.
AI Service Providers
These providers process your content (voice profiles, research documents, newsletter drafts, audience and industry context) to power Pressmark’s AI features. Pressmark exclusively uses paid commercial API tiers. None of these providers use your data to train their AI models under our commercial agreements.
| Provider | Service | Data Processed | Data Location | Retention | DPA Status |
|---|---|---|---|---|---|
| Anthropic (anthropic.com) | Primary AI engine — Claude models for content generation, voice analysis, and AI co-editing | Voice profiles, research content, newsletter drafts, conversation context | United States | 7 days (API logs), up to 2 years if flagged by safety classifiers | Auto-incorporated via Commercial Terms; includes EU SCCs |
| Google (ai.google.dev) | AI engine — Gemini Flash for real-time AI co-editing and multimodal content processing | Voice profiles, research content, newsletter drafts, transcript content | United States | 55 days (paid tier abuse monitoring) | Google Cloud DPA applies automatically to paid Gemini API; includes EU SCCs |
| OpenAI (openai.com) | Supplementary AI engine — used for specific generation tasks | Voice profiles, research content, newsletter drafts | United States | 30 days (abuse monitoring). Note: OpenAI may process fully de-identified, anonymized, and aggregated information derived from your data to improve their systems. | Auto-incorporated via Services Agreement (effective Jan 1, 2026); includes EU SCCs |
Infrastructure Providers
| Provider | Service | Data Processed | Data Location | DPA Status |
|---|---|---|---|---|
| Railway (railway.app) | API server, background worker service, PostgreSQL database | All user account data, content, AI conversation history, usage logs | United States | Cloud DPA in effect |
| Vercel (vercel.com) | Frontend application hosting and marketing site hosting | Serves application assets; does not persistently store user content | United States (AWS regions) | DPA available via Vercel legal |
Authentication & Payments
| Provider | Service | Data Processed | Data Location | DPA Status |
|---|---|---|---|---|
| Clerk (clerk.com) | User authentication and session management | Email address, name, password hashes (we never see these), OAuth tokens, session tokens | United States | DPA in effect |
| Stripe (stripe.com) | Payment processing and subscription management | Payment card data (we never see or store this), billing address, subscription status | United States (PCI-DSS compliant) | DPA in effect |
Communications
| Provider | Service | Data Processed | Data Location | DPA Status |
|---|---|---|---|---|
| Resend (resend.com) | Transactional email delivery and marketing audience management | Email addresses, subscriber metadata | United States | DPA in effect |
DNS
| Provider | Service | Data Processed | Data Location | DPA Status |
|---|---|---|---|---|
| NameCheap (namecheap.com) | Domain name registration and DNS management | Domain records only (no user personal data) | United States | Standard terms apply |
About Our AI Data Practices
We want to be specific about how your content is handled by our AI providers, because this matters.
No training on your data. All three AI providers contractually commit to not using data submitted through their commercial APIs to train their AI models. This is distinct from their consumer products — Pressmark uses commercial API endpoints with stronger privacy protections.
Temporary retention for safety. AI providers retain API data briefly to detect policy violations (such as harmful content generation). Retention periods range from 7 days (Anthropic) to 55 days (Google). After these windows, your data is automatically deleted from their systems.
One provider may use anonymized data. OpenAI’s agreement permits them to process information derived from your data that has been fully de-identified, anonymized, and aggregated — meaning it can no longer identify you or Pressmark — to improve their systems. This does not include your raw content, identifiable data, or anything that could be traced back to you.
Safety exceptions. If content is flagged by a provider’s safety classifiers as potentially violating their usage policy, it may be retained for longer periods (up to 2 years for Anthropic) for investigation. Additionally, data deletion timelines may be suspended if required by legal processes outside of Pressmark’s or its providers’ direct control.