Sub-processor List

Last Updated: July 1, 2026

Org Chart Studio engages the following third-party sub-processors to operate the service. Each processor receives only the personal data necessary for its specific purpose. We maintain data processing agreements (DPAs) with each sub-processor and require them to implement appropriate technical and organisational security measures.

For EU/EEA and UK transfers, we rely on the EU-US Data Privacy Framework (Art. 45 adequacy) where the recipient holds a valid DPF certification, and on Standard Contractual Clauses (EU SCCs 2021/914 + UK IDTA/Addendum, supplemented by a transfer impact assessment) where SCCs are the operative instrument.

We will notify customers of material changes to this list (additions or replacements of sub-processors) with at least 14 days' notice where required under our customer DPA.

Active sub-processors

Neon, Inc.

Purpose
Primary PostgreSQL database — stores all app-user, payer, and chart employee data
Data categories
All PII categories: identity/contact (email, name, avatar), auth tokens, account/role, behavioral analytics, billing identifiers, org-chart employee data (names, titles, departments, reporting lines)
Region
AWS us-east-1 (United States)
Transfer basis
EU-US Data Privacy Framework (DPF) + EU SCCs 2021/914 + UK IDTA/Addendum
Privacy policy
https://neon.tech/privacy-policy
Notes
Primary data store; CLOUD Act reach persists regardless of region.

Vercel, Inc.

Purpose
Application hosting, edge delivery, serverless functions — all PII transits Vercel
Data categories
All PII categories in transit: request/response bodies including export buffers, auth tokens in headers, analytics payloads
Region
US (default iad1; region not currently pinned — see D5)
Transfer basis
EU-US DPF + EU SCCs 2021/914 + UK IDTA/Addendum
Privacy policy
https://vercel.com/legal/privacy-policy
Notes
Region pinning to fra1 is planned (D5) for EU accounts.

Stytch (Twilio, Inc.)

Purpose
User authentication, magic-link delivery, OAuth (Google), session management
Data categories
Identity/contact: email, name, OAuth profile data; auth: session tokens, provider IDs
Region
United States
Transfer basis
EU-US DPF (Twilio, Inc. participant #5394)
Privacy policy
https://stytch.com/legal/privacy
Notes
DPF basis confirmed for Twilio/Stytch. SCC fallback DPA execution pending confirmation.

Stripe, Inc.

Purpose
Payment processing for export passes — card checkout AND programmatic (x402) USDC settlement, which runs entirely through Stripe (deposit-mode crypto payments; no external facilitator)
Data categories
Billing identifiers (Stripe customer ID, subscription ID); Stripe holds payment card data on its own servers — OCS does not receive or store card numbers. For x402 USDC payments, Stripe mints a per-payment crypto deposit address and detects the on-chain deposit; the payer's public wallet address may be surfaced to Stripe on the charge (pseudonymous, not stored by OCS). OCS stores checkout metadata (session ID, amount, currency, UTM attribution) in its own database.
Region
United States
Transfer basis
EU-US DPF + EU SCCs 2021/914
Privacy policy
https://stripe.com/privacy

Google LLC (Google Analytics + Google Tag Manager)

Purpose
Web analytics, traffic measurement, tag management — consent-gated (analytics purpose); loads only after user accepts the analytics consent purpose
Data categories
Online identifiers: IP address (anonymized per GA4 configuration), Google Analytics client ID, GA session ID, device/browser identifiers, behavioral telemetry (pages visited, events), referrer
Region
United States (Google LLC US entity processes EU data)
Transfer basis
EU-US DPF (Google LLC participant #5780) + EU SCCs
Privacy policy
https://policies.google.com/privacy
Notes
Disclosed in privacy policy §4.6 and §8. Not loaded until analytics consent is accepted.

LogRocket, Inc.

Purpose
Session replay for UX debugging — consent-gated (session replay purpose); loads only after user accepts the session-replay consent purpose
Data categories
Session replay data: user ID, email, display name sent via identify(); DOM interactions, mouse/keyboard events. Chart node text (employee names, titles, departments) is masked by configuration. Chart-API response bodies are excluded from network capture.
Region
United States
Transfer basis
EU-US DPF + EU SCCs
Privacy policy
https://logrocket.com/privacy/
Notes
PII masking configured in logrocket-privacy-config.ts. Request-body sanitizer is a known open item (ROADMAP D-track).

Planned sub-processors (not yet active)

The following sub-processors are planned but not yet receiving personal data. This list will be updated and the active table above will be amended before any data flows to these services.

Tinybird (Tinybird Analytics S.L.)

Purpose
Behavioral event stream / product analytics pipeline (F1 — not yet live)
Region
EU region (live since 2026-07-01)
Notes
Will be added before real events flow (D1 gate: TIA + executed SCC/Addendum required first).

SendGrid (Twilio) and/or Email Octopus

Purpose
Transactional and marketing email (F12 — not yet procured)
Region
TBD at procurement
Notes
DPA/SCC review required at procurement. Sub-processor list will be updated before first send.

Questions and requests

If you have questions about our sub-processors or wish to object to the engagement of a new sub-processor (under your DPA rights), please contact us at hello@orgchartstudio.com.

This list is maintained under GDPR Art. 28(2) and reflects the sub-processors engaged as of the date above. Source: [`legal/ROPA.md`](../../../../legal/ROPA.md) (locality map).