Trust | Sub-processors
Our sub-processors.
The vendors we use to deliver OneFinOps. Each has a signed DPA aligned with our customer-facing privacy obligations.
| Sub-processor | Purpose | Region(s) | DPA |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, storage, compute, database | Mumbai (IN), Frankfurt (EU), Singapore, Bahrain (UAE), Virginia (US) | AWS GDPR DPA |
| Cloudflare | CDN, DDoS protection, WAF | Global edge | Cloudflare DPA |
| SendGrid (Twilio) | Transactional email delivery | US (with EU residency option) | Twilio DPA |
| Datadog | Application observability and logging | US-1 / EU-1 per customer region | Datadog DPA |
| Sentry | Error monitoring | US (with EU option) | Sentry DPA |
| Stripe | Subscription billing and payment processing for OneFinOps customers | US / EU / IN per customer billing region | Stripe DPA |
| Razorpay | Indian customer payment processing | India | Razorpay DPA |
| OpenAI / Anthropic | AI inference for optional AI agents (no training on customer data) | US | OpenAI / Anthropic enterprise DPA, zero retention |
| HubSpot | CRM (sales and marketing) | EU / US | HubSpot DPA |
| Slack | Customer support and notifications (opt-in) | US | Slack DPA |
How we manage sub-processors
Each sub-processor is reviewed before onboarding for security posture (SOC 2 / ISO 27001 / equivalent), data residency, breach history and DPA terms. We sign a DPA with every sub-processor that processes customer personal data.
Notification of changes. When we add a new sub-processor that processes customer personal data, we notify customers at least 30 days before the change via email and an update to this page. Customers on Scale tier may object to a new sub-processor; if we cannot accommodate the objection, the customer may terminate without penalty.
AI inference. When customers enable optional AI agents, inference is performed via the listed AI sub-processors with zero data retention agreements in place. Customer data is never used to train any third-party model. Customers on Scale tier may bring their own LLM keys / private endpoints if they prefer.
security@onefinops.com
We will share the relevant DPA, security questionnaire response and risk assessment.