Sub- processors
The third parties OllieSafe engages to deliver the Services. We notify customers at least 30 days in advance of any addition or replacement, and customers may object on reasonable data-protection grounds per the DPA.
As of: May 2026. This list is maintained as the authoritative public sub-processor register and changes only with a corresponding code update plus customer notification per the OllieSafe Data Processing Addendum Section 7.
Notice of change. OllieSafe will provide at least thirty (30) days' advance notice before adding or replacing a sub-processor. Customers who have subscribed to sub-processor change notifications via Ollie@olliesafe.com will receive the notice by email. Customers may object on reasonable data-protection grounds within the notice window; if the parties cannot reach a commercially reasonable resolution, the customer may terminate the affected Services without penalty (DPA Section 7).
Active sub-processors
| Vendor | Service provided | Categories of data Processed | Processing location |
|---|---|---|---|
| Google Cloud Platform (Google LLC) | Primary cloud infrastructure: compute (Cloud Run), managed PostgreSQL (Cloud SQL), object storage (Cloud Storage), networking (VPC, Load Balancer, Cloud Armor WAF), observability (Cloud Logging, Cloud Monitoring), secret storage (Secret Manager), and managed container registry (Artifact Registry). | All Customer Personal Data at rest and in transit within the OllieSafe platform. | us-west1 (United States) |
| Google Cloud Vertex AI / Gemini (Google LLC) | Generative AI inference for chat assistance, document and SDS extraction, photo hazard analysis, voice transcription and extraction, incident triage, citation preparation, compliance check, filing assistant, predictive risk, autopilot, jurisdiction advisory, and embedding generation for retrieval-augmented governance. Inference flows through the OllieSafe LLM facade, which gates kill switches, budgets, PII redaction, and grounding contracts before any call reaches the Vertex AI endpoint. Per the OllieSafe DPA, Google processes inputs and outputs only to provide the service and does not use them to train its foundation models. | Tenant-context prompts after ingestion-time and request-time PII redaction (emails, SSNs, phone numbers, and card-shape digit runs are scrubbed; regulator citation tokens are preserved); regulatory and tenant chunk text used for embedding generation; AI usage telemetry (model, intent, token counts, latency, cost) for governance accounting. | us-west1 (United States) for the enforced gemini-2.5 family and gemini-embedding-001. Preview models on the global Vertex endpoint (e.g. gemini-3.1-pro-preview) are disabled by the residency gate in modelRegistry.js and may not be used for Customer Personal Data Processing. |
| WorkOS, Inc. | User authentication, multi-factor authentication, password reset, session credential issuance, and authentication audit events. | Authentication identifiers (email, tenant association), session credentials, login event records. | United States |
| Firebase Cloud Messaging (Google LLC) | Push notification delivery to enrolled mobile and web devices. | Device push registration tokens and notification payload metadata. | United States (Google-managed regions) |
| Stripe, Inc. | Payment processing for subscription billing, including card tokenization, payment-method storage, invoicing, and subscription lifecycle management. | Billing contact name and email, payment-method tokens (card data is tokenized by Stripe and never reaches OllieSafe), invoice and subscription metadata. | United States |
| Sentry (Functional Software, Inc.) | Application error monitoring, performance telemetry, and release-health tracking for OllieSafe services. Personally identifiable information is redacted at the SDK layer; only operational metadata reaches Sentry. | Stack traces, request metadata (path, status, timing), redacted user/tenant identifiers for error attribution. | United States (us-east region) |
| Resend (Resend, Inc.) | Transactional email delivery, including account verification, password reset, billing notifications, and incident/training notifications generated by the platform. | Recipient email address, sender identity, message subject and body, delivery and bounce status. | United States |
| Cloudflare, Inc. | Authoritative DNS, edge caching for marketing assets, and WAF/bot mitigation for public-facing endpoints. OllieSafe does not use Cloudflare Workers for Customer Personal Data Processing. | Request metadata (IP address, user agent, request path, response status) for the marketing site and public endpoints. | Global edge network with cache and log retention controls set to the United States region where supported |
AI sub-processor notes
OllieSafe uses Google Cloud Vertex AI (Gemini family) for generative AI features. The same OllieSafe LLM facade applies tenant-aware PII redaction and grounding controls to every chat, document, voice, vision, and agent path before the request leaves our control plane. Google's commitments for Vertex AI Generative AI services, including its generative-AI-specific terms and its data-processing obligations, are documented in the Google Cloud Data Processing Addendum and the Google Cloud Service Specific Terms (see the Vertex AI Generative AI services section). The enforced model set is restricted by services/api/src/lib/llm/modelRegistry.js to residency-compliant Vertex regional endpoints in us-west1; the preview Gemini 3.x model on the global endpoint is declared but excluded from the enforced set so the residency gap is explicit.
Affiliates and intra-group processing
OllieSafe Inc. has no subsidiaries that Process Customer Personal Data at this time. If that changes, the affiliate will be added to this list with the same 30-day advance notice discipline as any third-party sub-processor.
Transfer mechanisms
All listed sub-processors Process Customer Personal Data in the United States. Where Customer Personal Data originates in the European Economic Area, the United Kingdom, or Switzerland, the transfer relies on the EU Standard Contractual Clauses (Module 2: controller-to-processor) and the United Kingdom International Data Transfer Addendum as incorporated by the OllieSafe DPA Section 13. Each sub-processor relationship is governed by a written agreement imposing data-protection obligations no less protective than the OllieSafe DPA.
Sub-processors retired since the prior version
None. The next time a sub-processor is removed, the retired vendor and the retirement effective date will appear here for the subsequent six months as a change-record trail.
Subscribe to change notifications
To receive at least 30 days' advance email notice of any sub-processor change, email Ollie@olliesafe.com with subject Subprocessor change notifications. We will add the requested address to the notification distribution.
Contact
Questions about a listed sub-processor, redline requests, or data-protection objections: Ollie@olliesafe.com.
Last updated
May 27, 2026 — added Google Cloud Vertex AI / Gemini sub-processor entry for the generative AI features that route through the OllieSafe LLM facade.