Subprocessors
A subprocessor is a third party we engage to process Customer Data on your behalf while we deliver OnTrackio. This page lists every active subprocessor, what it does, where it processes data, and the transfer mechanism that keeps it GDPR-compliant — the detail your security and procurement teams need to clear us.
:::note Before you begin
- This list is the customer-facing record. The contractually binding version is Annex III of your Data Processing Agreement, and the two are kept in sync.
- A subprocessor only ever receives the minimum data its function needs. None has direct access to your dedicated workspace database.
- "Customer Data" means the asset, user, and licence records in your workspace. Card numbers never touch our infrastructure — Stripe collects them directly in its own iframe.
:::
How we tier subprocessors
We classify each vendor by the impact of its failure and whether Customer Data passes through it. The tier drives how often we review it and what attestation we require.
| Tier | Definition | Customer Data |
|---|---|---|
| Critical | Failure breaks the service. Customer Data or platform credentials pass through. | Yes |
| Important | Failure degrades the service but doesn't break it. May handle limited Customer Data. | Limited or opt-in |
| Operational | Failure inconveniences our operations but doesn't affect you directly. | No |
Active subprocessors
Every entry below is current as of the review date in the page header. Each one is bound by a data-protection contract no less protective than our own commitments to you, including GDPR Article 28(3) obligations where it processes Customer Data.
| Subprocessor | Tier | Purpose | Location of processing | GDPR role | Transfer mechanism | Independent attestation |
|---|---|---|---|---|---|---|
| Amazon Web Services EMEA SARL | Critical | Cloud infrastructure — managed Postgres database, S3 document storage, compute, transactional email, secrets and key management, DNS, logging | eu-central-1 (Frankfurt, Germany) | Subprocessor | Within the EEA — no transfer mechanism needed | SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1 |
| Stripe Payments Europe Ltd. | Critical | Subscription billing, invoice generation, VAT handling | Ireland, with onward US processing under Stripe's own contract | Subprocessor for billing email; Controller for card data | Adequacy (Ireland); Standard Contractual Clauses for the onward US transfer | PCI DSS Level 1, SOC 1, SOC 2 Type II, ISO 27001 |
| Anthropic, PBC | Important | AI inference for optional AI features, processed only when you enable them and only on the specific content sent | United States | Subprocessor (or Controller-of-record when you bring your own key) | Standard Contractual Clauses (Module 2) plus supplementary measures | SOC 2 Type II |
| Google LLC | Important | Google Workspace sign-in (OAuth 2.0) | Multi-region (Google infrastructure) | Independent Controller for the sign-in event | Not a subprocessor — Google is a Controller for the auth event | SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018 |
| Microsoft Corporation | Important | Microsoft Entra sign-in (OAuth 2.0) | Multi-region, under EU Data Boundary for EEA tenants | Independent Controller for the sign-in event | Not a subprocessor — Microsoft is a Controller for the auth event | SOC 2 Type II, ISO 27001 |
Google and Microsoft sign-in are listed for completeness. When you authenticate through one, that provider acts as an independent Controller for the login event, not as our subprocessor, so it carries no Article 28 chain to us. You configure these per workspace; if you don't, no data flows to them.
Subprocessors that hold no Customer Data
These vendors support how we build and run the platform, not your data. They are listed for transparency. None processes Customer Data, so none is a GDPR subprocessor.
| Vendor | Tier | Purpose | Customer Data |
|---|---|---|---|
| GitHub, Inc. | Operational | Source code hosting and the deployment pipeline | No |
| Docker, Inc. | Operational | Base container images, pulled only at build time | No |
How AI features are scoped
The only subprocessor that can receive your operational content is the AI provider, and only on your explicit action. The defaults below keep that boundary tight.
| Control | Behaviour |
|---|---|
| Off by default | AI features are opt-in per workspace. With them off, no content leaves for inference. |
| Minimal content | Only the specific text you submit to a feature is sent — not your wider dataset. |
| No model training | The provider's API terms exclude submitted content from training their models. |
| Bring your own key | Supply your own provider API key and the contract for that processing runs directly between you and the provider, with us out of the chain. |
If your policy forbids US transfers for any operational content, leave AI features off, or use the bring-your-own-key option so the transfer is governed by your own agreement with the provider.
US ownership and the CLOUD Act
Amazon Web Services is US-owned, so the US CLOUD Act can come up in a security review. Two facts bound the exposure:
- Residency. Your Customer Data is stored and processed in the EU (Frankfurt) by default. It does not leave the region in the normal course of running the service.
- Encryption. Data is encrypted at rest (AES-256 on the database, SSE-S3 on document storage) and in transit (TLS on every connection), so the stored bytes aren't usable in the clear.
For the full residency model and the roadmap for additional regions, see Data residency.
How you're notified of changes
We give you advance notice before a new subprocessor begins processing Customer Data, so you can review it on data-protection grounds.
| Event | What happens |
|---|---|
| New subprocessor added | At least 30 days' notice before it processes Customer Data, by email to your legal-notices contact and an update to this list. |
| You object on reasonable grounds | Raise it within the 30-day notice window. If we can't agree on a resolution within 30 days, you may terminate the affected order and receive a pro-rata refund for the unused term. |
| Subprocessor removed | This list is updated at the next review. |
The contractual basis for this process is Section 4 of your Data Processing Agreement.
Review cadence
We review this register quarterly, in January, April, July, and October. Each review re-confirms that every Critical and Important vendor still holds a current SOC 2 or ISO 27001 report, updates the location and data-exposure entries if our architecture has changed, and adds or removes vendors as our dependencies change.