Skip to main content
Orvica is currently invite-only. Join the waitlist to request access.
Legal · Subprocessors

Subprocessors

Version 1.0 · Effective 2026-05-18

Orvica uses the following third-party service providers (subprocessors) to deliver our services. We provide notice of material subprocessor changes and allow customers to object where required by applicable law or written agreement.

VendorPurposeData categoriesLocationAgreementsHow to disconnect
SupabaseHosting · Postgres database · authAccount, workspace, product dataUS (AWS us-east)DPA + GDPR SCCsTied to account deletion (Settings → Delete account).
VercelEdge runtime · web hostingRequest metadata, deployment logsUS + global edgeDPA + GDPR SCCsInfrastructure-only; logs scrubbed quarterly and on account deletion.
StripePayments · Connect KYBBilling + payment + KYB dataUSDPA + GDPR SCCsCancel subscription in Settings → Subscription (Stripe Customer Portal).
PlaidLedgerOne bank linking (optional)Bank account + transaction dataUSDPA + GLBA termsLedgerOne → Settings → Connected Services → Disconnect Plaid. Imported data deletable on request.
TwilioSMS deliveryPhone numbers + message contentUSDPA · HIPAA BAA eligibleSettings → Notifications → uncheck SMS categories, or remove phone number.
ResendTransactional emailEmail + recipient metadataUSDPASettings → Notifications → opt out of non-essential email categories. Security emails are mandatory while the account is active.
SentryError monitoringError logs (PII scrubbed)USDPA + GDPR SCCsInternal monitoring — no per-user opt-out. Logs scrubbed within 90 days.
PostHogProduct analyticsAnonymized event + user identifiersUSDPA + GDPR SCCsDNT browser signal honored; explicit Privacy → Analytics opt-out planned.
AnthropicAI features (gated, opt-in)AI prompts + outputs (PHI only after BAA)USDPA · BAA pending for Helix PHIAI features are opt-in per surface. Helix AI is BAA-gated and returns 503 until the BAA is signed.

Notice of changes

We will provide notice of material subprocessor changes through this page and (for enterprise customers under DPA) by direct email at least 30 days before the change takes effect, unless an emergency security or legal need requires sooner action.

Objection rights

Enterprise customers may object to new subprocessors on reasonable data-protection grounds within the notice period by emailing privacy@orvica.co. If we cannot accommodate the objection, the customer may terminate the affected service with pro-rated refund.

Audit reports

SOC 2, ISO 27001, and similar attestations from these vendors are available on request from each vendor's trust center. We do not republish vendor audit reports here.