Sub-processor List
Last Updated: July 1, 2026
Org Chart Studio engages the following third-party sub-processors to operate the service. Each processor receives only the personal data necessary for its specific purpose. We maintain data processing agreements (DPAs) with each sub-processor and require them to implement appropriate technical and organisational security measures.
For EU/EEA and UK transfers, we rely on the EU-US Data Privacy Framework (Art. 45 adequacy) where the recipient holds a valid DPF certification, and on Standard Contractual Clauses (EU SCCs 2021/914 + UK IDTA/Addendum, supplemented by a transfer impact assessment) where SCCs are the operative instrument.
We will notify customers of material changes to this list (additions or replacements of sub-processors) with at least 14 days' notice where required under our customer DPA.
Active sub-processors
Neon, Inc.
- Purpose
- Primary PostgreSQL database — stores all app-user, payer, and chart employee data
- Data categories
- All PII categories: identity/contact (email, name, avatar), auth tokens, account/role, behavioral analytics, billing identifiers, org-chart employee data (names, titles, departments, reporting lines)
- Region
- AWS us-east-1 (United States)
- Transfer basis
- EU-US Data Privacy Framework (DPF) + EU SCCs 2021/914 + UK IDTA/Addendum
- Privacy policy
- https://neon.tech/privacy-policy
- Notes
- Primary data store; CLOUD Act reach persists regardless of region.
Vercel, Inc.
- Purpose
- Application hosting, edge delivery, serverless functions — all PII transits Vercel
- Data categories
- All PII categories in transit: request/response bodies including export buffers, auth tokens in headers, analytics payloads
- Region
- US (default iad1; region not currently pinned — see D5)
- Transfer basis
- EU-US DPF + EU SCCs 2021/914 + UK IDTA/Addendum
- Privacy policy
- https://vercel.com/legal/privacy-policy
- Notes
- Region pinning to fra1 is planned (D5) for EU accounts.
Stytch (Twilio, Inc.)
- Purpose
- User authentication, magic-link delivery, OAuth (Google), session management
- Data categories
- Identity/contact: email, name, OAuth profile data; auth: session tokens, provider IDs
- Region
- United States
- Transfer basis
- EU-US DPF (Twilio, Inc. participant #5394)
- Privacy policy
- https://stytch.com/legal/privacy
- Notes
- DPF basis confirmed for Twilio/Stytch. SCC fallback DPA execution pending confirmation.
Stripe, Inc.
- Purpose
- Payment processing for export passes — card checkout AND programmatic (x402) USDC settlement, which runs entirely through Stripe (deposit-mode crypto payments; no external facilitator)
- Data categories
- Billing identifiers (Stripe customer ID, subscription ID); Stripe holds payment card data on its own servers — OCS does not receive or store card numbers. For x402 USDC payments, Stripe mints a per-payment crypto deposit address and detects the on-chain deposit; the payer's public wallet address may be surfaced to Stripe on the charge (pseudonymous, not stored by OCS). OCS stores checkout metadata (session ID, amount, currency, UTM attribution) in its own database.
- Region
- United States
- Transfer basis
- EU-US DPF + EU SCCs 2021/914
- Privacy policy
- https://stripe.com/privacy
Google LLC (Google Analytics + Google Tag Manager)
- Purpose
- Web analytics, traffic measurement, tag management — consent-gated (analytics purpose); loads only after user accepts the analytics consent purpose
- Data categories
- Online identifiers: IP address (anonymized per GA4 configuration), Google Analytics client ID, GA session ID, device/browser identifiers, behavioral telemetry (pages visited, events), referrer
- Region
- United States (Google LLC US entity processes EU data)
- Transfer basis
- EU-US DPF (Google LLC participant #5780) + EU SCCs
- Privacy policy
- https://policies.google.com/privacy
- Notes
- Disclosed in privacy policy §4.6 and §8. Not loaded until analytics consent is accepted.
LogRocket, Inc.
- Purpose
- Session replay for UX debugging — consent-gated (session replay purpose); loads only after user accepts the session-replay consent purpose
- Data categories
- Session replay data: user ID, email, display name sent via identify(); DOM interactions, mouse/keyboard events. Chart node text (employee names, titles, departments) is masked by configuration. Chart-API response bodies are excluded from network capture.
- Region
- United States
- Transfer basis
- EU-US DPF + EU SCCs
- Privacy policy
- https://logrocket.com/privacy/
- Notes
- PII masking configured in logrocket-privacy-config.ts. Request-body sanitizer is a known open item (ROADMAP D-track).
Planned sub-processors (not yet active)
The following sub-processors are planned but not yet receiving personal data. This list will be updated and the active table above will be amended before any data flows to these services.
Tinybird (Tinybird Analytics S.L.)
- Purpose
- Behavioral event stream / product analytics pipeline (F1 — not yet live)
- Region
- EU region (live since 2026-07-01)
- Notes
- Will be added before real events flow (D1 gate: TIA + executed SCC/Addendum required first).
SendGrid (Twilio) and/or Email Octopus
- Purpose
- Transactional and marketing email (F12 — not yet procured)
- Region
- TBD at procurement
- Notes
- DPA/SCC review required at procurement. Sub-processor list will be updated before first send.
Questions and requests
If you have questions about our sub-processors or wish to object to the engagement of a new sub-processor (under your DPA rights), please contact us at hello@orgchartstudio.com.
This list is maintained under GDPR Art. 28(2) and reflects the sub-processors engaged as of the date above. Source: [`legal/ROPA.md`](../../../../legal/ROPA.md) (locality map).