Subprocessors
oklido uses third-party services (subprocessors) to provide our service. All subprocessors are bound by data processing agreements and meet our security standards.
Current Subprocessors
Infrastructure
| Subprocessor | Purpose | Location | Compliance |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, storage, database, email | EU (London, eu-west-2) | SOC 2, ISO 27001, GDPR |
| Vercel | Frontend hosting, CDN | Global (EU primary) | SOC 2, GDPR |
Authentication & Identity
| Subprocessor | Purpose | Location | Compliance |
|---|---|---|---|
| Auth0 (Okta) | User authentication, SSO, MFA | EU | SOC 2, ISO 27001, GDPR |
Payments
| Subprocessor | Purpose | Location | Compliance |
|---|---|---|---|
| Stripe | Payment processing, billing | EU | PCI DSS Level 1, SOC 2, GDPR |
Email
| Subprocessor | Purpose | Location | Compliance |
|---|---|---|---|
| Amazon SES | Transactional email | EU (London) | SOC 2, ISO 27001, GDPR |
Monitoring & Analytics
| Subprocessor | Purpose | Location | Compliance |
|---|---|---|---|
| AWS CloudWatch | Application monitoring, logging | EU (London) | SOC 2, ISO 27001 |
Data Processing Details
What Data Each Subprocessor Receives
| Subprocessor | Data Processed |
|---|---|
| AWS | All data (encrypted) |
| Vercel | Web traffic, anonymous usage |
| Auth0 | Email, name, authentication events |
| Stripe | Billing information, payment methods |
| Amazon SES | Email addresses, notification content |
Data Protection Measures
All subprocessors:
- Have signed Data Processing Agreements
- Meet our security requirements
- Are regularly reviewed
- Support GDPR requirements
Subprocessor Changes
Notification
We notify customers of subprocessor changes:
- New subprocessor: 30 days' advance notice
- Changed purpose: 30 days' advance notice
- Removed subprocessor: No notice required
How We Notify
- Email to account administrators
- Update to this page
- Changelog entry
Objections
If you object to a new subprocessor:
- Contact privacy@oklido.com within 30 days
- We'll discuss your concerns
- If unresolved, you may terminate your subscription
Due Diligence
How We Evaluate Subprocessors
Before engaging a subprocessor:
- Security assessment - Review their security practices
- Compliance verification - Check certifications
- DPA execution - Sign data processing agreement
- Ongoing monitoring - Regular reviews
What We Require
All subprocessors must:
- Implement appropriate security measures
- Process data only as instructed
- Assist with data subject requests
- Notify us of security incidents
- Delete data when no longer needed
International Transfers
Current Status
All primary data processing occurs in the UK/EU.
Safeguards for Non-EU Processing
When data is processed outside the UK/EU:
- Standard Contractual Clauses (SCCs)
- UK International Data Transfer Agreement
- Adequacy decisions where applicable
Subprocessors Outside EU
| Subprocessor | Location | Safeguard |
|---|---|---|
| Auth0 (backup) | US | SCCs |
| Stripe | US | SCCs |
| Vercel | US (CDN nodes) | SCCs |
Primary data always remains in the UK/EU.
Subscribe to Changes
To receive notifications about subprocessor changes:
- Ensure you're an account administrator
- Notifications are sent automatically to the admin email
- Or check this page periodically
Changelog
January 2026
- Initial subprocessor list published
Questions
For subprocessor questions:
- Email: privacy@oklido.com
Last updated: January 2026