PILLAR uses the following third-party service providers ("sub-processors") to deliver the service. This list is maintained as part of our Data Processing Agreement obligations. Customers are notified of material changes to this list.
| Sub-Processor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
| Supabase, Inc. (via AWS) |
Primary database, authentication, row-level security | All customer data: accounts, contacts, opportunities, scores, credentials (encrypted) | US East (Virginia) | SOC 2 Type II |
| Vercel, Inc. | Application hosting, serverless functions, edge network | Application requests, session data, server-side rendering | US (multi-region) | SOC 2 Type II |
| Cloudflare, Inc. | Marketing site hosting, CDN, DDoS protection | Static marketing content only. No customer data. | Global | SOC 2 Type II ISO 27001 |
| Sub-Processor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
| Resend, Inc. | Transactional email (notifications, alerts, daily digests) | Recipient email addresses, email content (account names, score summaries) | US | SOC 2 Type II |
| Sub-Processor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
| Sentry (Functional Software, Inc.) | Error monitoring and application performance | Error stack traces, request metadata. May incidentally include account names or IDs in error context. No credentials or PII by design. | US | SOC 2 Type II |
| PostHog, Inc. | Product analytics (feature usage, user flows within PILLAR) | User interactions within the PILLAR application. Identified by user email for authenticated users. | US | SOC 2 Type II |
| Google LLC (Google Analytics) |
Marketing site analytics | Anonymous page views on pillargtm.com only. No customer data. | US | SOC 2 Type II ISO 27001 |
| Sub-Processor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
| GitHub (Microsoft) | Source code repository (private) | Application source code only. No customer data stored in repositories. | US | SOC 2 Type II |
The following services are connected by the customer during onboarding. PILLAR acts as a data processor when reading from these sources. Data flows from the customer's instance of these services into PILLAR's database. PILLAR does not write to these services except for CRM score writeback (health, risk, and priority scores written to customer-controlled fields).
| Integration | Direction | Data Processed | Auth Method |
|---|---|---|---|
| Salesforce | Read + Score Writeback | Accounts, contacts, opportunities, leads | OAuth 2.0 |
| HubSpot | Read + Score Writeback | Companies, contacts, deals | OAuth 2.0 |
| Microsoft Dynamics 365 | Read + Score Writeback | Accounts, contacts, opportunities, leads, cases | OAuth 2.0 |
| Microsoft 365 (Outlook) | Read only | Email headers/snippets, calendar events (no full bodies) | OAuth 2.0 |
| Microsoft Teams | Outbound notifications only | Signal alerts and digest cards sent to customer-configured channels. No customer data read. | OAuth 2.0 / Webhook |
| Google Workspace | Read only | Email headers/snippets, calendar events (no full bodies) | OAuth 2.0 |
| Intercom | Read only | Conversations, tickets, CSAT, contacts, companies | Access Token / OAuth |
| Zendesk | Read only | Tickets, SLA metrics, CSAT scores | API Token |
| Freshdesk | Read only | Tickets, customer satisfaction data | API Key |
| Wootric (InMoment) | Read only | NPS survey responses | Client Credentials |
| Delighted | Read only | NPS/CSAT survey responses | API Key |
| Pendo | Read only | Feature adoption, visitor sessions | API Key |
| Mixpanel | Read only | Events, funnels, cohort retention | API Key + Secret |
| Amplitude | Read only | Behavioral events, user journeys | API Key + Secret |
| Segment | Read only | CDP events forwarded from customer's product | API Token |
| Heap | Read only | Auto-captured product analytics | API Key |
| Mode Analytics | Read only | BI report output (product usage snapshots) | API Key + Secret |
| Starbridge.ai | Read only (webhook) | K-12 district intelligence signals | HMAC Webhook |
Customers choose which integrations to connect. No integration is required. PILLAR only accesses data from services the customer explicitly authorizes.
Change notification: PILLAR will notify customers at least 30 days before adding a new sub-processor that processes customer data. Customers may object to the addition of a new sub-processor by contacting security@pillargtm.com within the notification period.
Last updated: April 2026