Subprocessors

1. Scope

This page covers subprocessors used by RANKTYPE LLC (“RANKTYPE”) for:

• Operating the website at https://ranktype.com (the “Site”).
• Receiving, storing, and responding to inquiries submitted through the Site.
• Conducting discovery calls and early-stage prospect communications.
• Day-to-day business operations that may incidentally touch prospect or client personal data (productivity, email, accounting, professional services).

This page does not cover:

• Engagement-specific subprocessors used while delivering services under an MSA or SOW — those are listed in the applicable SOW or DPA because they vary by engagement (for example, specific ad platforms, analytics stacks, creative-review tools, or reporting warehouses).
• Client-owned vendors (ad accounts, analytics, CDP, ESP, and similar) where RANKTYPE acts under the client’s instructions and within the client’s own contractual relationships with those vendors.

A “subprocessor” here means any third party that processes personal data on RANKTYPE’s behalf in the course of providing a service to RANKTYPE.

2. How to Read This Page

For each subprocessor we publish:

• Service / purpose — what the vendor does for us.
• Data types — categories of personal data the vendor may handle on our behalf.
• Processing location — country or region where personal data is hosted or processed.
• Transfer mechanism — legal basis for any transfer of EEA / UK / Swiss personal data outside of that region (for example, Standard Contractual Clauses, UK IDTA, EU-U.S. Data Privacy Framework).
• DPA in place — whether we have executed a Data Processing Agreement with the vendor.
• Sub-subprocessors — link to the vendor’s public sub-subprocessor list, where available.

3. Active Subprocessors

3.1 Website Infrastructure

3.2 Email, Calendar, and Productivity

3.3 Spam and Abuse Protection

3.4 Professional and Financial Services

We disclose the categories below rather than individual firm names. Each provider is engaged under a professional-services engagement letter, account agreement, or equivalent instrument that imposes confidentiality obligations consistent with applicable law.

• Accounting firm — bookkeeping and tax preparation. Data: client contact and invoice records; limited financial transaction data. Location: United States.
• External legal counsel — legal advice. Data: as required to provide advice, under attorney-client privilege. Location: United States.
• Banking and payments partner — business banking and client invoicing. Data: account and transaction data; counterparty names. Location: United States; regulated financial institution under applicable banking and privacy laws.

A client with an executed DPA may request the specific firm names under NDA by emailing privacy@ranktype.com.

4. Sub-subprocessors

Each direct subprocessor above relies on its own chain of sub-subprocessors (for example, the cloud region on which a SaaS provider itself runs). Rather than duplicate every chain, we rely on each direct subprocessor’s public sub-subprocessor list, linked in each vendor card in Section 3.

We audit those chains during vendor selection and at least annually thereafter. Where a vendor does not publish a sub-subprocessor list, we do not adopt the vendor.

5. International Transfers and Transfer Impact Assessments

Because most of our subprocessors are based in the United States (or, in the case of CookieYes, India), personal data originating in the EEA, United Kingdom, or Switzerland is transferred outside of that region.

For every cross-border transfer we:

1. Rely on an appropriate Article 46 transfer tool — typically the European Commission’s Standard Contractual Clauses (Module 3, processor-to-processor, where applicable), the UK International Data Transfer Addendum for UK transfers, and the EU-U.S. Data Privacy Framework where the recipient is self-certified.
2. Conduct a Transfer Impact Assessment (TIA) documenting the legal environment of the destination country, the categories of data transferred, the safeguards applied, and any residual risk.
3. Apply supplementary measures where appropriate, which may include encryption in transit, encryption at rest, pseudonymization, strict access controls, and contractual commitments to challenge or notify affected data subjects of government access requests.
4. Re-assess annually and on any material legal change (for example, a new adequacy decision or the invalidation of an existing transfer tool).

5.1 Specific Note on India (CookieYes)

CookieYes Ltd. is headquartered in India, and some of its infrastructure is operated from India. India has adopted the Digital Personal Data Protection Act, 2023, but India does not currently benefit from a European Commission adequacy decision.

For transfers to CookieYes we rely on EU Standard Contractual Clauses executed under CookieYes’ DPA, coupled with the following supplementary measures: consent records are stored in an EU region; IP addresses are truncated before persistence; data is encrypted in transit and at rest; and access is restricted to authorized personnel. A documented Transfer Impact Assessment is on file and available to enterprise customers under NDA on request.

6. Notification of Changes

We will update this page whenever we add, replace, or remove a subprocessor.

6.1 Advance Notice for New or Replaced Subprocessors

For any customer with an executed DPA, we will provide at least 30 days’ advance notice before a new subprocessor processes personal data on our behalf, or before we replace an existing subprocessor. Advance notice will include:

• The name and legal entity of the new subprocessor.
• The service provided and the purpose.
• The categories of personal data to be processed.
• The country or region of processing.
• The transfer mechanism, if applicable.
• A link to the vendor’s DPA and sub-subprocessor list.

6.2 Shorter Notice

We may give shorter notice — but never less than what is contractually required — where the change is necessary to maintain service continuity or to address a security incident. In that case, we will explain the reason in the notification.

6.3 How to Subscribe to Change Notifications

To receive change notifications by email, send a message with the subject line “Subscribe: Subprocessors” to privacy@ranktype.com. Subscribers receive an email whenever this page changes. You can unsubscribe at any time by replying with “Unsubscribe.”

Customers with an active DPA are automatically subscribed.

7. Right to Object

Customers with an executed DPA may object to the addition or replacement of a subprocessor on reasonable data-protection grounds within the 30-day advance-notice window.

If you object, we will work with you in good faith to address the concern, including by:

• Providing additional information or assurances from the new vendor.
• Proposing supplementary measures (such as encryption, pseudonymization, or restricted data flows).
• Proposing an alternative vendor where one exists.

If no mutually acceptable resolution is reached within 30 days of the objection, either party may, as its sole remedy, terminate the affected services without penalty and receive a pro-rata refund of any prepaid fees for the terminated services.

Website visitors and prospects who do not have a DPA may raise concerns at privacy@ranktype.com and we will respond in good faith, subject to our obligations to other customers and to applicable law.

8. Data Processing Agreements

RANKTYPE has executed a Data Processing Agreement (or equivalent data-protection addendum) with every subprocessor listed in Section 3. Each DPA addresses, at minimum:

• Scope, subject matter, duration, and nature of processing.
• Categories of data subjects and personal data.
• Obligation to process only on documented instructions.
• Confidentiality of personnel.
• Technical and organizational security measures.
• Use of further sub-processors subject to notice and objection rights.
• Cooperation with data subject requests.
• Breach notification.
• Return or deletion of personal data at end of service.
• Audit rights.
• Approved transfer tool(s) for international transfers.

Customers can request a copy of RANKTYPE’s own customer-facing DPA by emailing privacy@ranktype.com. Vendor-facing DPAs are RANKTYPE’s confidential business records and are typically not shared, but we are happy to confirm executed status on request.

9. Contact

Questions about this page, requests for a DPA, requests to receive change notifications, and data-protection inquiries should be directed to:

10. Change Log

Future entries will be appended at the top when the list changes.

• 2026-04-18 — Published expanded subprocessor list with named vendors (Railway, Cloudflare, CookieYes, Google Workspace, Resend, Google reCAPTCHA), 30-day notice commitment, subscribe-for-notifications mechanism, right-to-object clause, transfer-impact assessment summary, and change log. Rationale: align with enterprise DPA expectations and GDPR Article 28.
• 2026-01-01 — Initial publication of the subprocessors page with Railway, Cloudflare, and CookieYes.