Sub-processors
OST uses a small number of trusted third-party providers to deliver client engagements. Each is evaluated for security, privacy, and compliance posture. Engagement-specific sub-processor lists are documented in your DPA.
Last reviewed: TBD · Pending legal review · OpenSource Technologies, Inc., a Pennsylvania corporation
Section 01
What a sub-processor is
A sub-processor is a third-party service provider OST relies on to deliver our services. Common categories include cloud infrastructure (where engagement platforms run), email and communications (where engagement notifications flow), monitoring and observability (where platform health is tracked), and similar operational tooling.
Each sub-processor is evaluated for:
- Security posture (encryption, access controls, audit cadence)
- Privacy and data protection practices
- Geographic location and data residency
- Compliance certifications (SOC 2, ISO 27001, GDPR mechanisms)
- Operational reliability
Section 02
Current sub-processors (general list)
This is OST's general sub-processor inventory across active engagements. Your specific engagement may use a subset of these or include engagement-specific providers; the authoritative list for your engagement is in your Data Processing Agreement.
| Provider | Category | Purpose | Region |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | Hosting for engagement platforms (compute, storage, networking, database services) | US, EU, others per engagement |
| Cloudflare | CDN & edge security | Content delivery, DDoS protection, edge caching for some engagements | Global edge |
| SendGrid (Twilio) | Email delivery | Transactional emails (notifications, password resets, receipts) for engagements that require them | US, EU per configuration |
| Stripe / PayPal / Authorize.Net | Payment processing | PCI-compliant payment processing for e-commerce engagements (which one applies depends on your engagement) | US, EU per engagement |
| Google Workspace | Internal communications | OST's internal email and document collaboration. Not used for client data storage. | US |
| GitHub / GitLab | Source code hosting | Engagement source code repositories (per engagement preference) | US, EU per engagement |
| Datadog / New Relic | Monitoring & observability | Performance monitoring, log aggregation, alerting for OST-operated infrastructure | US, EU per engagement |
| OpenAI / Anthropic / others | AI / LLM providers | Used for AI-feature engagements where the contract authorizes. See AI Policy for data-handling specifics. | US, EU per provider |
Section 03
How we evaluate sub-processors
OST evaluates sub-processors before adding them and reviews them periodically thereafter.
- Initial evaluation: Security questionnaire, certification review (SOC 2, ISO 27001, etc.), data processing agreement review, geography and residency assessment
- Ongoing review: Annual re-evaluation of major sub-processors; immediate review if a security or privacy incident affects them
- Engagement-level approval: For engagements with strict requirements, the sub-processor list is reviewed and approved at contract signing and again before any addition
- Notice of changes: Active client engagements are notified of material changes to sub-processors used for their engagement, per the Data Processing Agreement
Section 04
Engagement-specific sub-processor lists
The list above is OST's general inventory. Your engagement may:
- Use a subset of these (smaller engagements often use only AWS and one or two others)
- Include client-directed providers (your CRM, your CDN, your specific email provider)
- Exclude certain categories (some engagements run without third-party AI providers)
Your authoritative sub-processor list is in your Data Processing Agreement. Material changes are communicated per contract terms.
To request your engagement-specific list, use the contact form (Government / SLED / RFP procurement inquiry) or contact your OST engagement lead.
Section 05
Data subject rights and sub-processors
When data subject rights requests (access, deletion, correction) require action from sub-processors, OST coordinates the request across the relevant providers.
For most rights requests, OST handles fulfillment directly. For requests that require sub-processor action (for example, deleting backup copies held by a hosting provider), OST initiates the request with the sub-processor and tracks completion per the agreed timeline.
For more on rights, see Privacy Policy: Your rights.