Subprocessors
Last updated: May 12, 2026
Onplana engages the third-party service providers below to operate the platform. This list satisfies the transparency requirement of GDPR Art. 28(2). For the full data-processing terms applicable to your organisation, refer to the Onplana Data Processing Agreement, which is part of your Master Services Agreement and authorises the list below.
Subprocessors fall into two categories. Core subprocessors are engaged whenever Onplana operates; customer content flows through them by default. Optional / integration subprocessors are engaged only when a customer organisation explicitly enables that integration (e.g. connecting Google Drive, Box, or Microsoft Teams). No data flows to those vendors absent the connect step.
Material changes to this list — adding, removing, or changing the region of a subprocessor — will be notified in advance per the DPA. Subscribe to changes by emailing privacy@onplana.com with the subject subprocessor-notify.
Core subprocessors
| Subprocessor | Purpose | Data category | Region | DPA |
|---|---|---|---|---|
| Microsoft Azure | Application hosting (Container Apps), database (Postgres Flexible Server), cache (Redis), object storage (Blob), Key Vault, networking. | All customer content + account data | Azure West US (United States). Daily encrypted backups + 7-day point-in-time restore retained by Azure Postgres Flexible Server; no cross-region replica today. | DPA → |
| Stripe, Inc. | Billing, subscription management, payment processing. | Billing email, billing address, payment-method token (full card data never touches Onplana — collected directly by Stripe Elements). | United States (Stripe is the controller for payment-card data). | DPA → |
| Anthropic, PBC | Claude API — AI features (risk detection, plan generation, status reports, in-app chat). | Project text, task descriptions, and any free-text passed to AI tools. Per Anthropic policy, API inputs are not used for training and are not stored after the request completes. | United States. | DPA → |
| Microsoft Azure OpenAI Service | GPT-4 family — same AI features as Anthropic above. Per-deployment admin choice between Anthropic + Azure OpenAI. | Same as Anthropic. Azure OpenAI processes data inside the customer Azure tenant; no data is shared with OpenAI Inc. nor used for training. | Same Azure region as the hosting tenant. | DPA → |
| Sentry (Functional Software, Inc.) | Error monitoring (stack traces + request metadata on uncaught backend exceptions). | Stack traces, request method + path, IP address. Personal data is scrubbed via Sentry data-scrubber rules; payload bodies are not sent. | United States (default Sentry SaaS region). | DPA → |
| Azure Communication Services | Transactional email (invitations, password resets, notification digests, billing receipts). | Recipient email address + email content composed by Onplana on behalf of the customer. | Same Azure region as the hosting tenant. | DPA → |
| hCaptcha (Intuition Machines, Inc.) | Anti-bot challenge on sign-up + freebie marketing tool gates. | Browser fingerprint, IP address, challenge-solve token. Not linked to a user account. | Global edge. | DPA → |
Optional / integration subprocessors
Engaged only when a customer organisation has explicitly connected the corresponding integration via Settings → Integrations.
| Subprocessor | Purpose | Data category | Region | DPA |
|---|---|---|---|---|
| Google LLC | Google OAuth (consumer sign-in) + Google Workspace integration (Drive file-attach when an organisation explicitly connects Google Drive). | OAuth identity (email + verified flag + sub) at sign-in. With Drive connected: file metadata + content of files the user explicitly attaches. | Global (Google Cloud). | DPA → |
| Microsoft Corporation (consumer + Microsoft 365 / Teams) | Microsoft OAuth sign-in + Microsoft Teams notification integration (when an org installs the Teams app). | OAuth identity (email, verified flag, sub). Teams: channel + message content for connected channels. | Microsoft Cloud (region depends on tenant). | DPA → |
| Box, Inc. | Box file-attach integration (when an organisation explicitly connects Box). | OAuth tokens + metadata + file content of attached files only. | United States. | DPA → |
| Dropbox, Inc. | Dropbox file-attach integration (when an organisation explicitly connects Dropbox). | OAuth tokens + metadata + file content of attached files only. | United States. | DPA → |
Questions
See also Privacy Policy and Security. For data-residency, transfer mechanism (Standard Contractual Clauses), or DPIA questions, email privacy@onplana.com.