Subprocessors
Version 1.0 · Effective 2026-05-18
Orvica uses the following third-party service providers (subprocessors) to deliver our services. We provide notice of material subprocessor changes and allow customers to object where required by applicable law or written agreement.
| Vendor | Purpose | Data categories | Location | Agreements | How to disconnect |
|---|---|---|---|---|---|
| Supabase | Hosting · Postgres database · auth | Account, workspace, product data | US (AWS us-east) | DPA + GDPR SCCs | Tied to account deletion (Settings → Delete account). |
| Vercel | Edge runtime · web hosting | Request metadata, deployment logs | US + global edge | DPA + GDPR SCCs | Infrastructure-only; logs scrubbed quarterly and on account deletion. |
| Stripe | Payments · Connect KYB | Billing + payment + KYB data | US | DPA + GDPR SCCs | Cancel subscription in Settings → Subscription (Stripe Customer Portal). |
| Plaid | LedgerOne bank linking (optional) | Bank account + transaction data | US | DPA + GLBA terms | LedgerOne → Settings → Connected Services → Disconnect Plaid. Imported data deletable on request. |
| Twilio | SMS delivery | Phone numbers + message content | US | DPA · HIPAA BAA eligible | Settings → Notifications → uncheck SMS categories, or remove phone number. |
| Resend | Transactional email | Email + recipient metadata | US | DPA | Settings → Notifications → opt out of non-essential email categories. Security emails are mandatory while the account is active. |
| Sentry | Error monitoring | Error logs (PII scrubbed) | US | DPA + GDPR SCCs | Internal monitoring — no per-user opt-out. Logs scrubbed within 90 days. |
| PostHog | Product analytics | Anonymized event + user identifiers | US | DPA + GDPR SCCs | DNT browser signal honored; explicit Privacy → Analytics opt-out planned. |
| Anthropic | AI features (gated, opt-in) | AI prompts + outputs (PHI only after BAA) | US | DPA · BAA pending for Helix PHI | AI features are opt-in per surface. Helix AI is BAA-gated and returns 503 until the BAA is signed. |
Notice of changes
We will provide notice of material subprocessor changes through this page and (for enterprise customers under DPA) by direct email at least 30 days before the change takes effect, unless an emergency security or legal need requires sooner action.
Objection rights
Enterprise customers may object to new subprocessors on reasonable data-protection grounds within the notice period by emailing privacy@orvica.co. If we cannot accommodate the objection, the customer may terminate the affected service with pro-rated refund.
Audit reports
SOC 2, ISO 27001, and similar attestations from these vendors are available on request from each vendor's trust center. We do not republish vendor audit reports here.