Octonity
Legal

Subprocessors

The third parties that process personal data on Octonity's behalf, what they do, and the safeguards that apply.

Last updated: July 3, 2026

Octonity engages a small set of vetted subprocessors to operate the Service. Each is bound by a data processing agreement (DPA) that reflects Article 28 GDPR requirements. Where a subprocessor is located outside the EU/EEA, transfers are protected either by an adequacy decision or by the European Commission’s Standard Contractual Clauses (SCC), together with additional technical and contractual measures where appropriate.

We will notify workspace owners at least 30 days before adding or replacing a subprocessor that materially changes where or how your data is processed, unless an urgent security or legal reason requires a faster switch (in which case notice follows as soon as reasonably practicable). To object to a new subprocessor, email privacy@octonity.com within 30 days of the notice.

SubprocessorPurposeLocationPersonal dataSafeguards
Microsoft Ireland Operations Ltd. (Azure)Application hosting, database, object storage, managed identityEU (West Europe: NL · North Europe: IE)All customer + user + Content dataEU-based; DPA in place; encryption at rest (AES-256) + in transit (TLS 1.2+)
Microsoft Ireland Operations Ltd. (Azure OpenAI)AI moderation classifier + AI Studio (Ads / Product / Edit) + caption auto-tagEU (Sweden Central)Content passed to AI features at your request (captions, images, comments during moderation)Enterprise data-protection commitment (no training on customer data, no cross-customer sharing, no human review by default)
Stripe Payments Europe Ltd.Subscription billing, invoicing, Stripe Connect creator payoutsEU (IE) + US (fallback)Name, email, billing address, VAT ID, card last-4, IP, transaction metadataDPA + EU Standard Contractual Clauses for any US transfer
Resend, Inc.Transactional email delivery (receipts, password reset, notifications)USRecipient email, name, message body of transactional emailsDPA + SCC + email content is generated per-recipient (not stored long-term at Resend)
PostHog Inc. (US Cloud)Product analytics (marketing site + app opt-in)USAnonymised event + page view data; IP (masked); user agent — only after analytics-cookie opt-inDPA + SCC + cookieless memory-only persistence + opt-in gate via cookie banner
Meta Platforms Ireland Ltd.Instagram + Facebook OAuth, publishing, insights, inbox webhookEU (IE) + US (backend)Access token, connected account ID, published post metadata, incoming comment/DM contentMeta's Data Processing Terms — user connects account via OAuth and can revoke any time
LinkedIn Ireland Unlimited CompanyLinkedIn OAuth, company-page publishingEU (IE) + US (backend)Access token, organisation ID, published post metadataLinkedIn Marketing Developer Platform Terms — user connects via OAuth
TikTok Technology Ltd.TikTok Content Posting API — video upload + publishEU (IE) + third countries per TikTok's infrastructureAccess token, account ID, published video metadataTikTok Developer Terms of Service + SCC where applicable
Google Ireland Ltd. (YouTube Data API)YouTube OAuth, video upload, insightsEU (IE) + US (backend)Access token, channel ID, uploaded video metadataGoogle API Services User Data Policy + SCC
X Corp. (formerly Twitter)X API v2 — OAuth, post publish, engagement fetchUSAccess token, account ID, published post metadataX Developer Agreement + SCC for cross-border transfer
Cloudflare, Inc.DNS + edge-network routing for octonity.com propertiesEU + Global CDNIP address, request metadata (no request body inspection)DPA + SCC + EU-DPF certification

Not subprocessors

The following third parties may receive data at your explicit instruction but are not subprocessors under Article 28 GDPR because you are their direct controller:

  • Any social network you connect via OAuth (Instagram, Facebook, LinkedIn, TikTok, YouTube, X). You establish the relationship directly; Octonity relays your published content to them under the token you granted.
  • Any Stripe Connect creator whose account is credited via a Marketplace payout — the creator becomes the recipient, not a processor.

Contact

For a copy of any DPA or SCC set, or to object to a new subprocessor, email privacy@octonity.com.