Subprocessors
The third-party services that process Customer Personal Data on OriginPSA’s behalf. Document last revised: May 6, 2026.
Per Section 2.6 of our Data Processing Addendum, OriginPSA gives at least ten (10) business days’ advance notice before adding or replacing a subprocessor. Customers may subscribe to update notifications by emailing legal@originpsa.com.
Default Subprocessors
These subprocessors apply to every customer of the OriginPSA service. The full list of third parties to which any Customer Personal Data flows in the default product configuration:
| Subprocessor | Purpose | Data | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription management, and the customer billing portal. | Customer billing contact (name, email, company), subscription state, invoice records, payment outcomes. No card numbers ever touch OriginPSA infrastructure. | United States |
| Cloudflare, Inc. | Bot mitigation (Cloudflare Turnstile) on registration, login, and contact forms. | IP address and a per-request bot-score signal. No account contents. | United States (global edge) |
| SMTP2GO Limited | Outbound transactional email delivery (welcome emails, password resets, invoice notifications, support ticket replies, data-rights confirmations, cancellation emails). | Recipient email address, sender display name, message subject and body content, delivery metadata (timestamps, bounce/open status). | United States data centers (company headquartered in New Zealand) |
| Termly, Inc. | Cookie consent management, consent-record storage, and hosting of the published Privacy Policy and Cookie Policy. | Visitor consent choices, IP address, browser/user agent, session ID. | United States |
Optional Subprocessors (customer-enabled)
The following subprocessors only receive Customer Personal Data if Customer enables and configures the corresponding integration in the OriginPSA platform. They are not engaged in the default configuration.
| Subprocessor | Purpose | Data | Location |
|---|---|---|---|
| Anthropic, PBC (Claude API) | AI assistant within the platform (ticket suggestions, summarization). | Ticket content and other text the customer chooses to send to the AI assistant. | United States |
| NinjaOne, LLC | Optional RMM integration (device inventory, alerts, patch management). | Device data and alert events from the customer's NinjaOne tenant, when the customer enables and configures the integration. | United States |
| RingCentral, Inc. | Optional telephony/SMS integration (call logs, voicemail). | Call records, SMS records, and voicemail metadata from the customer's RingCentral tenant, when the customer enables and configures the integration. | United States |
Planned, Not Yet Active
The following processing activities are described in our Privacy Policy as practices we may engage in, but are not currently in operation. The relevant subprocessor will be added to the active list above — and the change announced under the DPA notification window — before any of these activities begin.
- Customer support call recording — voice recording of calls between customers and OriginPSA support staff for quality assurance and training. We do not currently operate a customer-facing phone line. The phone/recording/transcription provider will be named here when this feature is enabled.
Self-Hosted Infrastructure (not subprocessors)
The following systems are operated on infrastructure that OriginPSA owns and manages, not by third-party processors. They are listed here for transparency but do not appear in the subprocessor list above.
- Application servers, database (MySQL), and read replicas — operated on Provider-managed virtual machines.
- Object storage (file uploads, ticket attachments) — operated on Provider-managed S3-compatible storage (SeaweedFS).
- Secrets management — credentials and encryption keys are held in a Provider-managed Infisical instance.
- Hypervisor — Proxmox VE on Provider-owned hardware.
Adding a new subprocessor or replacing an existing one is a notifiable event under the DPA. Notifications are emailed to the address on file for each customer’s account owner and posted to this page.