
Sub-Processor List

Last Updated: May 29, 2026

Humareso, LLC

Effective Date: May 29, 2026


Introduction

Humareso, LLC ("Humareso") provides HR platforms and HR outsourcing (HRO) services to client organizations. In delivering these services, Humareso acts as a data processor on behalf of its clients. To operate the platform and fulfill service obligations, Humareso engages certain third-party vendors that may process personal data. These vendors are referred to as sub-processors.

Humareso is responsible for ensuring that each sub-processor provides sufficient guarantees regarding data protection and that sub-processor engagements comply with applicable privacy law, including the EU General Data Protection Regulation (GDPR) where applicable. Humareso enters into data processing agreements with sub-processors and conducts periodic reviews of their data handling practices.

This list is maintained and updated as sub-processor relationships change. Humareso will provide at least 30 days' advance notice of any material changes to this list, including additions, replacements, or removals of sub-processors, except where an immediate change is required for security, legal compliance, or operational continuity. Notice will be provided by updating this page and, where required by the applicable service agreement, by direct notification to affected clients.

Questions about this list may be directed to DPO@humareso.com.


Sub-Processors

Microsoft Corporation

Purpose: Business productivity and communication platform. Humareso's primary business email runs on Microsoft 365 Exchange Online. All client-facing email communications --- including HRO service delivery, leave case correspondence, platform support, onboarding, and general account communications --- are routed through Microsoft. SharePoint and OneDrive are used for document storage and collaboration. Teams is used for internal communications. Personal data contained in email correspondence (including employee names, case references, and HR matters discussed with client contacts) passes through Microsoft infrastructure.

Data categories received: Business contact information; email correspondence with clients and client personnel, which may reference employee names, leave case details, HR matters, and other personal data discussed in the course of service delivery; documents shared via SharePoint or OneDrive in connection with client engagements. Microsoft 365 does not directly access Humareso's platform databases (Engage, Leave, and Portal data is stored in AWS, Heroku, and Vercel infrastructure).

Platforms: All services --- email is used across HRO, Engage, Leave, Portal, and all client communications.

Location: United States (global infrastructure)

Privacy policy: https://privacy.microsoft.com/en-us/privacystatement


HubSpot, Inc.

Purpose: CRM and marketing subscription management.

Data categories received: Email address, name, subscription tier, website engagement events. Does not receive employee records, leave data, or compensation data.

Platforms: Marketing site (humareso.com) only; Hub subscription management.

Location: United States

Privacy policy: https://legal.hubspot.com/privacy-policy


HubSpot Commerce (HubSpot, Inc.)

Purpose: Subscription billing for the Hub platform.

Data categories received: Billing information, subscription status.

Platforms: Hub

Location: United States

Privacy policy: https://legal.hubspot.com/privacy-policy


Amazon Web Services (AWS)

Purpose: Cloud infrastructure; encrypted database and media storage. Primary data store for Engage, Leave, Auth, and Agent.

Data categories received: All platform data in encrypted form.

Platforms: Engage, Portal, Leave, Auth, Agent, Fax, Events

Location: United States

Privacy policy: https://aws.amazon.com/privacy/


Vercel, Inc.

Purpose: Frontend hosting and CDN for all Next.js-based platforms.

Data categories received: Application request data, edge network logs.

Platforms: Engage App, Admin, Portal, Leave, Hub, Auth, Handbook, Verify, Website, Fax

Location: United States (global CDN)

Privacy policy: https://vercel.com/legal/privacy-policy


Heroku (Salesforce, Inc.)

Purpose: Backend application hosting.

Data categories received: Application request data, server-side logs.

Platforms: Engage API, Agent

Location: United States

Privacy policy: https://www.salesforce.com/company/privacy/


Sentry (Functional Software, Inc.)

Purpose: Application error monitoring and logging.

Data categories received: Error stack traces, user session identifiers, platform event logs. Does not receive leave health data, ADA accommodation data, EEO or protected class data, or compensation data.

Platforms: Engage, Admin, Portal, Leave, Hub, Auth, Agent, Fax, Notify, Handbook, Verify

Location: United States

Privacy policy: https://sentry.io/privacy/


Mailgun (Sinch)

Purpose: Transactional email delivery.

Data categories received: Email address and email content for delivery. Does not receive employee records.

Platforms: Engage, Portal, Leave, Agent

Location: United States

Privacy policy: https://www.mailgun.com/privacy-policy/


Twilio Inc.

Purpose: SMS and voice communication delivery for the Agent service.

Data categories received: Phone numbers, message content for HR case communications delivered via SMS or voice.

Platforms: Agent

Location: United States

Privacy policy: https://www.twilio.com/en-us/legal/privacy


Telnyx LLC

Purpose: Fax transmission for HR document delivery.

Data categories received: Fax content transmitted via the Fax service, which may include leave certifications, HR documents, and related sensitive records.

Platforms: Fax

Location: United States

Privacy policy: https://telnyx.com/privacy-policy


Anthropic, PBC

Purpose: AI model provider. Claude assists human administrators across Humareso platforms with drafting, summarization, and analytical tasks in HR workflows, including leave eligibility determinations, case communications, performance summaries, and related HR functions. Humareso transmits only the structured data fields necessary for each specific task. Raw medical documents, uploaded files, and unstructured health records are not transmitted. Anthropic does not retain or use API-submitted data for model training. Humareso may engage successor or alternative AI providers in accordance with the applicable Data Processing Agreement and Sub-Processor notification obligations.

Data categories received: Structured HR data relevant to the specific task requested, which may include employment identifiers (name, job title, department, work state, tenure, employment status); leave case data (case type, reason, dates, hours worked, FTE, employer headcount, program eligibility); performance data (ratings, written feedback text, goal status, behavioral scores); and case or communication context. Raw documents, medical certifications, uploaded files, and unstructured health records are never transmitted.

Platforms: Leave, Engage (including Perform and other AI-assisted features), Portal, and other Humareso platforms where AI-assisted features are enabled.

Location: United States

Privacy policy: https://www.anthropic.com/privacy


Neon, Inc.

Purpose: Database hosting (PostgreSQL) for Hub and Handbook.

Data categories received: Hub subscriber data, content data, Handbook data.

Platforms: Hub, Handbook

Location: United States

Privacy policy: https://neon.tech/privacy-policy


Google Analytics (Google LLC)

Purpose: Website usage analytics. Not used within authenticated platforms.

Data categories received: Anonymized IP address, device type, page views.

Platforms: Marketing site (humareso.com) only

Location: United States (global infrastructure)

Privacy policy: https://policies.google.com/privacy


Google Tag Manager (Google LLC)

Purpose: Tag and tracking script management on the marketing website.

Data categories received: Operates as a tag container; data collected depends on tags deployed.

Platforms: Marketing site (humareso.com) only

Location: United States (global infrastructure)

Privacy policy: https://policies.google.com/privacy


Meta Platforms, Inc. (Facebook Pixel)

Purpose: Advertising effectiveness measurement on the marketing website.

Data categories received: Hashed email address (if provided by visitor), IP address, browser type, engagement events.

Note: This activity may constitute a "sale" or "sharing" of personal information under the California Consumer Privacy Act (CCPA). California residents may opt out via the "Do Not Sell or Share My Personal Information" link on humareso.com.

Platforms: Marketing site (humareso.com) only

Location: United States

Privacy policy: https://www.facebook.com/privacy/policy/


AI Governance and Data Minimization

Humareso applies data minimization principles to AI-assisted processing workflows. Only structured fields reasonably necessary for the requested task are transmitted to AI sub-processors. Uploaded files, raw medical records, and unstructured attachments are excluded from transmission unless expressly disclosed otherwise in applicable service documentation. AI-generated outputs are reviewed by human administrators before being communicated or applied within employment-related workflows.

Note on AI processing. Anthropic does not use data submitted via its API to train or improve its AI models. This applies to all structured data transmitted by any Humareso platform when generating AI-assisted drafts or outputs.


Client-Configured Integrations

Humareso's HRO service agreements allow client organizations to authorize connections to their own HRIS, payroll, and benefits administration platforms (such as ADP, Paylocity, Gusto, Rippling, and similar providers). These integrations are configured at the direction of the client and governed by the client's own agreements with those vendors.

Client-configured integrations are not Humareso sub-processors. Data shared with those platforms flows pursuant to the client's authorization and is subject to the client's own data sharing agreements and privacy obligations. A current list of active integrations for a specific client account is available upon request by contacting DPO@humareso.com.


Contact

For questions about this sub-processor list, data processing practices, or to exercise applicable data rights, contact:

Data Protection Officer
Humareso, LLC
DPO@humareso.com


Change Log

Version 1.0 (May 29, 2026): Initial publication of the Humareso sub-processor list.