This list is maintained per Article 28 of the GDPR and equivalent provisions in other privacy regimes. It names every third party that may process Ollagraph customer data, what they process, and on what legal basis.
Dodo Payments
Engaged since 2026-05
Purpose
Payment processing, subscription billing, invoicing.
Data processed
Customer name, email, billing address, and a payment-method token. Ollagraph never sees raw card numbers.
Location
Per Dodo’s DPA; US and EU sub-processors.
Transfer basis
Standard Contractual Clauses; DPA available on request.
Cloudflare, Inc.
Engaged since 2025-09
Purpose
DNS, CDN, edge caching, WAF, and the tunnel between the origin and the public API.
Data processed
IP address and HTTP request headers of every API call, transiently. No request bodies are stored by Cloudflare.
Location
Global edge; account headquartered in the United States.
Transfer basis
EU Standard Contractual Clauses; Cloudflare DPA available on request.
Cloudflare Pages
Engaged since 2025-09
Purpose
Hosting for the marketing site (ollagraph.com) and the customer dashboard (app.ollagraph.com).
Data processed
Public marketing pages and the dashboard’s static assets. No customer secrets are deployed to Pages.
Location
Global edge; account headquartered in the United States.
Transfer basis
Same as Cloudflare above; covered by the same DPA.
Resend
Engaged since 2026-06
Purpose
Outbound transactional email (verification, billing receipts, team invitations, security notices).
Data processed
Recipient email and the email body. Ollagraph uses generic templates with no third-party content.
Location
Per Resend’s DPA.
Transfer basis
Standard Contractual Clauses; DPA available on request.
Telemetry (OpenTelemetry)
Engaged since 2026-05
Purpose
Error and performance telemetry for the API.
Data processed
Trace and span metadata, request paths, sanitised user IDs. No request bodies, no API keys, no passwords.
Location
Emitted as OpenTelemetry spans and dropped by default, or forwarded only to a destination you configure. No third-party SaaS receives them by default.
Transfer basis
Not applicable by default — telemetry is dropped unless you configure a forwarder.
Change notifications
When Ollagraph adds, removes, or materially changes the scope of a subprocessor, we update this page and the change appears in the changelog with the date and scope. Customers with executed Data Processing Agreements receive an email notice at least 30 days before a new subprocessor begins processing their data, per Article 28(2) GDPR. To object during the notice window, reply to that notice or email [email protected]; we will work with you to find a path that does not require routing your traffic through the disputed party, up to and including a contract termination with a pro-rated refund.
Data Processing Agreement
A signed DPA is available on request for any paid plan. Email [email protected] with your company details and we will return a signed copy within two business days.
Data residency for enterprise
The list above reflects the default deployment. Enterprise customers with regional-residency requirements can ask for a custom deployment that constrains processing to a specific jurisdiction. Talk to us at [email protected].
What is not on this list
Services that do not process customer data are intentionally excluded. That includes our internal source-code hosting, build-pipeline monitoring, and tools that operate only on Ollagraph staff information. They are listed in our internal compliance documentation and are available under NDA.
This is a draft. Please consult counsel before relying on it for contractual purposes.