DRAFT — sub-processor list is accurate at the time of writing. Email [email protected] if you need a current attestation.
Legal

Sub-processors.

Third-party services we use to operate the API. Each sees only the data needed for its specific role.

None of these sub-processors see your full crawl results.

Current sub-processors

Cloudflare

Region: global anycast. Edge TLS termination, anycast routing, DDoS protection, and email-routing for outbound transactional messages. Sees: request headers, URL paths, source IP addresses for any client calling api.crawlcrawl.com or crawlcrawl.com; outbound email envelopes for transactional messages. Does not see: bearer tokens decrypted (pass-through to origin), request bodies, response bodies.

Web infrastructure provider

Region: United States. Participates in serving the /v1/cloud/* endpoint family when a crawl request requires routing across our global network. Sees: the URL you ask to fetch and the response returned by that URL. Does not see: your crawlcrawl API key (we authenticate with our own credentials). The current provider's identity is disclosed to paying customers under our DPA on request to [email protected].

mailsetu.com

Region: India. SMTP relay for transactional email (signup welcome, key rotation notices, quota warnings, billing receipts). Sees: your account email address and the body of transactional messages we send to you. Does not see: any crawl data, API keys, or webhook payloads.

Adding a sub-processor

We notify all paying customers by email at least 30 days in advance of adding a new sub-processor, with the new sub-processor's name, region, and role. You may object in writing within those 30 days; if we cannot resolve the objection, you may terminate your plan with a prorated refund.

Last updated 2026-05-13.