// legal

Subprocessors.

The complete list of third-party vendors that process personal data on OpsTicket’s behalf. Per our DPA, we give 30 days’ notice before adding a sub-processor and a 15-day window to object. Subscribe to changes by emailing [email protected] with subject “Subprocessor notification.”

effective · May 17, 2026

last updated · May 17, 2026

v. 2026.05

§ 01

Notice policy.

// plain languageWe give 30 days’ notice before adding a sub-processor that touches your data. You can object within 15 days. If we can’t resolve it, you can leave.

OpsTicket maintains this page as the canonical list of sub-processors referenced in our Data Processing Agreement, §05. We update it whenever we add, remove, or materially change a vendor’s role.

Material changes are announced at least 30 days in advance to enterprise customers via email and to anyone subscribed to the subprocessor-notification list. Recruiter and enterprise customers may object on reasonable grounds during the notice period and, if we cannot resolve the objection, terminate the affected order with refund of pre-paid, unused fees.

“Sub-processor” here means any third party that accesses personal data in the course of providing services to OpsTicket. Vendors that we use but that do not touch personal data (source-code hosting, design tools, accounting software for our own books) are not listed.

§ 02

Infrastructure & edge.

// plain languageCloudflare sits in front of the application; Railway runs the backend. Both are the lifeblood of the request path.

VendorRoleLocationData accessedPosture

Cloudflare

Cloudflare, Inc.

Edge network, CDN, DDoS protection, WAF, DNS. Front-of-house for every request.

Global edge

Connection metadata, IP, user-agent. TLS-terminated request bodies in flight.

ISO 27001 · FedRAMP Moderate (select services) · independent service-org attestation

Railway

Railway Corp.

Backend application hosting for the OpsTicket API and worker services.

US-East

Application runtime, in-memory data, environment variables.

Independent service-org attestation in progress · GDPR DPA available

§ 03

Data & storage.

// plain languageSupabase is where customer rows, auth, and session artifacts live.

VendorRoleLocationData accessedPosture

Supabase

Supabase Inc.

Managed Postgres for all customer data, plus auth and object storage.

US-East

All persisted customer data, auth tokens, session metadata, session artifacts.

ISO 27001 in progress · GDPR DPA · HIPAA BAA available on Pro+

§ 04

AI processing.

// plain languageAnthropic does the scoring. Customer data is never used to train Anthropic models.

VendorRoleLocationData accessedPosture

Anthropic

Anthropic, PBC

AI scoring of scenario submissions, AI-generated debrief notes, skill-gap analysis.

US (Anthropic infra)

Assessment transcript content sent for scoring. Not used to train Anthropic models.

Independent service-org attestation · enterprise zero-data-retention agreement available

§ 05

Billing & payments.

// plain languageRecruiter side only. Candidates never pay, so we never have candidate payment data.

VendorRoleLocationData accessedPosture

Stripe

Stripe Payments Europe Ltd. / Stripe, Inc.

Recruiter billing, invoicing, tax collection. PCI scope offload.

Ireland

USA

Recruiter org name, billing contact, payment method (tokenized, held by Stripe).

PCI DSS Level 1 · ISO 27001 · GDPR · independent service-org attestation

§ 06

Communications.

// plain languageTransactional email for sign-in links, billing receipts, and security notices; chat for support.

VendorRoleLocationData accessedPosture

SendGrid

Twilio Inc.

Transactional email: magic-link sign-in, account notices, billing receipts.

Recipient email, subject line, message body for transactional sends.

ISO 27001 · independent service-org attestation

Crisp

Crisp IM SAS

In-app chat widget for support conversations.

EU (Paris)

Chat messages, support contact info. Loads when the bubble opens.

GDPR · ISO 27001 in progress

§ 07

Authentication.

// plain languageOAuth providers used for sign-in only. We never request additional scopes.

VendorRoleLocationData accessedPosture

Google

Google LLC

OAuth (sign-in) only.

Global

OAuth flow returns email + name; no further data shared.

ISO 27001 / 27017 / 27018 · FedRAMP High (Workspace)

GitHub

GitHub, Inc.

OAuth (sign-in) only.

Global

OAuth flow returns email + handle.

ISO 27001 · independent service-org attestation · FedRAMP Moderate

§ 08

Operations & analytics.

// plain languageVendors that touch personal data incidentally: error traces, anonymized session events. Session artifacts are never written to these systems.

VendorRoleLocationData accessedPosture

PostHog

PostHog Inc.

Product analytics: session events, feature flags. Opt-out in Settings.

US (self-hosted option)

Session events, feature-flag evaluations, anonymized user IDs.

ISO 27001 · GDPR · HIPAA on Enterprise plan

Sentry

Functional Software, Inc.

Error monitoring on frontend and backend.

Error stack traces, browser + request metadata, anonymized user IDs (PII scrubbed in beforeSend).

ISO 27001 · independent service-org attestation · GDPR

§ 09

Change history.

// plain languageEvery addition, removal, or material change in the last 12 months. Anything older is in the archive: write to legal@.

May 17, 2026

added

Subprocessor list restructured into category sections (Infrastructure, Data, AI, Billing, Communications, Authentication, Operations) with vendor-entity disclosures and editorial table treatment.

May 11, 2026

baseline

Initial public list published with 11 subprocessors (Cloudflare, Railway, Supabase, Stripe, Anthropic, SendGrid, PostHog, Sentry, Google OAuth, GitHub OAuth, Crisp).

For changes prior to May 2026, request the full archive from [email protected].

// questions

Talk to a human about this.

Reach our legal team directly. We answer within five business days. For data-subject requests (access, deletion, portability), reference your account email in the subject line.

[email protected]