Legal Registry
Opptify AB — Sub-processor List
Canonical URL: https://opptify.com/legal/sub-processors
Version: 1.0 • Effective Date: 20 October 2025
This page lists the third-party sub-processors Opptify AB engages to help deliver the Opptify SaaS platform. Terms used here have the meanings given in the Data Processing Agreement (DPA).
Change notifications
Opptify will provide prior written notice (normally 30 days) of material changes to this list to Customer admin contacts, consistent with the DPA and ToS. Customers may object on reasonable data-protection grounds within the DPA’s objection window. Questions or objections: info@opptify.com.
Current authorized sub-processors
| Vendor (legal entity) | Purpose / Service | Categories of data processed | Processing location / data transit | Safeguards / notes |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Object/file storage for document uploads; cloud infrastructure services (e.g., backups, storage of attachments). Full text indexing and searching of Customer data | Customer Data including uploaded documents, attachments, related metadata | EU/EEA regions | Encryption in transit/at rest; Opptify enforces EU residency for primary storage; daily backups and PITR handled in EU/EEA |
| Heroku (Salesforce, Inc.) | Application hosting and managed PostgreSQL databases for the Opptify app | Customer Data stored in the application (e.g., user accounts, consultant CVs, profiles, records, logs) | EU region | Encryption in transit/at rest; environment segregation; access controls |
| OpenAI (ChatGPT API) | Reasoning/semantic interpretation & search features limited to the customer’s tenant | Selected text snippets from Customer Data needed to fulfil a feature request; minimal context | USA (via API) | Configured: no model training on Customer Data; not retained beyond transient processing except limited anti-abuse retention by the vendor; SCCs and supplementary measures where applicable |
| Postmark (Active Campaign, LLC) | Transactional email delivery (system notifications, password resets, alerts) | Recipient names, email addresses, message metadata, and limited message content required for delivery | USA | Encryption in transit; delivery/bounce/spam diagnostics may be logged by the vendor for a limited period; SCCs where applicable |
| Cloudflare, Inc. | CDN, WAF, DDoS protection, and DNS for Opptify websites/endpoints | Network/HTTP metadata (e.g., IP addresses, headers), TLS termination data; cached static content | Global network | Threat mitigation and caching only; no storage of application database contents; SCCs where applicable |
| Microsoft Office Web Viewer (Microsoft Corporation) | Online document preview for formats such as DOCX, XLSX, PPTX | Document content transmitted for rendering, including embedded metadata necessary to display the file | EU and/or USA (per vendor routing) | Transient processing/caching for rendering; SCCs where applicable |
| New Relic, Inc. | Ingestion and storage of logs | Logs from the app that can contain personal data. | EU | Encryption in transit and at rest. Data stored for 30 days |
General notes
- Opptify aims to minimize data shared with sub-processors and uses EU/EEA regions whenever supported.
- International transfers (if any) are governed by the DPA (e.g., EU SCCs with supplementary measures).
- Where vendors maintain diagnostic logs (e.g., anti-abuse, deliverability), Opptify configures minimal retention consistent with reliable operations.
- This list may evolve as Opptify improves the Service; prior notice will be provided per the DPA.
Contact: info@opptify.com