Last updated: July 3, 2026
Octonity engages a small set of vetted subprocessors to operate the Service. Each is bound by a data processing agreement (DPA) that reflects Article 28 GDPR requirements. Where a subprocessor is located outside the EU/EEA, transfers are protected either by an adequacy decision or by the European Commission’s Standard Contractual Clauses (SCC), together with additional technical and contractual measures where appropriate.
We will notify workspace owners at least 30 days before adding or replacing a subprocessor that materially changes where or how your data is processed, unless an urgent security or legal reason requires a faster switch (in which case notice follows as soon as reasonably practicable). To object to a new subprocessor, email privacy@octonity.com within 30 days of the notice.
| Subprocessor | Purpose | Location | Personal data | Safeguards |
|---|---|---|---|---|
| Microsoft Ireland Operations Ltd. (Azure) | Application hosting, database, object storage, managed identity | EU (West Europe: NL · North Europe: IE) | All customer + user + Content data | EU-based; DPA in place; encryption at rest (AES-256) + in transit (TLS 1.2+) |
| Microsoft Ireland Operations Ltd. (Azure OpenAI) | AI moderation classifier + AI Studio (Ads / Product / Edit) + caption auto-tag | EU (Sweden Central) | Content passed to AI features at your request (captions, images, comments during moderation) | Enterprise data-protection commitment (no training on customer data, no cross-customer sharing, no human review by default) |
| Stripe Payments Europe Ltd. | Subscription billing, invoicing, Stripe Connect creator payouts | EU (IE) + US (fallback) | Name, email, billing address, VAT ID, card last-4, IP, transaction metadata | DPA + EU Standard Contractual Clauses for any US transfer |
| Resend, Inc. | Transactional email delivery (receipts, password reset, notifications) | US | Recipient email, name, message body of transactional emails | DPA + SCC + email content is generated per-recipient (not stored long-term at Resend) |
| PostHog Inc. (US Cloud) | Product analytics (marketing site + app opt-in) | US | Anonymised event + page view data; IP (masked); user agent — only after analytics-cookie opt-in | DPA + SCC + cookieless memory-only persistence + opt-in gate via cookie banner |
| Meta Platforms Ireland Ltd. | Instagram + Facebook OAuth, publishing, insights, inbox webhook | EU (IE) + US (backend) | Access token, connected account ID, published post metadata, incoming comment/DM content | Meta's Data Processing Terms — user connects account via OAuth and can revoke any time |
| LinkedIn Ireland Unlimited Company | LinkedIn OAuth, company-page publishing | EU (IE) + US (backend) | Access token, organisation ID, published post metadata | LinkedIn Marketing Developer Platform Terms — user connects via OAuth |
| TikTok Technology Ltd. | TikTok Content Posting API — video upload + publish | EU (IE) + third countries per TikTok's infrastructure | Access token, account ID, published video metadata | TikTok Developer Terms of Service + SCC where applicable |
| Google Ireland Ltd. (YouTube Data API) | YouTube OAuth, video upload, insights | EU (IE) + US (backend) | Access token, channel ID, uploaded video metadata | Google API Services User Data Policy + SCC |
| X Corp. (formerly Twitter) | X API v2 — OAuth, post publish, engagement fetch | US | Access token, account ID, published post metadata | X Developer Agreement + SCC for cross-border transfer |
| Cloudflare, Inc. | DNS + edge-network routing for octonity.com properties | EU + Global CDN | IP address, request metadata (no request body inspection) | DPA + SCC + EU-DPF certification |
Not subprocessors
The following third parties may receive data at your explicit instruction but are not subprocessors under Article 28 GDPR because you are their direct controller:
- Any social network you connect via OAuth (Instagram, Facebook, LinkedIn, TikTok, YouTube, X). You establish the relationship directly; Octonity relays your published content to them under the token you granted.
- Any Stripe Connect creator whose account is credited via a Marketplace payout — the creator becomes the recipient, not a processor.
Contact
For a copy of any DPA or SCC set, or to object to a new subprocessor, email privacy@octonity.com.
