Legal & Compliance

Sub-Processor Register

A complete list of the third-party sub-processors Obsidia uses to deliver the platform. Customers are notified at least 30 days before any changes to this list.

Last updated 26 May 2026
Sub-processors 7 active
Related Data Processing Addendum →
Related Overseas Disclosure Register (APP 8) →
Active sub-processors

All tiers

Sub-processors marked Standard or Compliance apply only to the respective deployment tier. Where both badges appear, the sub-processor is used on both tiers.

Supabase
Database, authentication & storage infrastructure
Standard
Data processed
All Customer Data — user accounts, conversations, documents, workflow outputs, audit logs
Region
Oceania (Sydney) / ap-southeast-2 region selected. Obsidia does not enable read replicas or replication features that would move data outside Australia. A signed Data Processing Addendum (DPA) is in place with Supabase (executed 23 April 2026). Clause 6.2 of the Supabase DPA contractually commits Supabase to store and primarily process Customer Data in the ap-southeast-2 (Sydney) region as directed. Some processing may occur via Supabase's global operations team for support and monitoring purposes.
Entity
Supabase Inc., USA (underlying infrastructure: AWS ap-southeast-2)
Privilege posture
Privilege-compatibleAll Customer Data stored in-jurisdiction (ap-southeast-2). DPA restricts use to operational purposes only — no training, no analytics. Supabase staff access to content is governed by the executed DPA; Obsidia's no-staff-read invariant applies at the application layer. Privileged content remains in Australian jurisdiction.
SOC 2 Type II
Supabase Privacy Policy →
Netlify
Serverless function hosting & CDN
Standard
Data processed
API request payloads (transient — not persisted by Netlify); function execution logs retained for 7 days (Pro plan)
Region
Function execution: global (auto-routing). Log storage region is not published by Netlify — contact Netlify for data residency confirmation if required
Entity
Netlify Inc., USA
Privilege posture
Privilege-compatibleAPI request payloads are transient and not persisted by Netlify. Function execution logs are error-level only — Obsidia's Sentry scrubbing and function-logging configuration prevents privileged content from appearing in logs. Log storage region is not confirmed; however, no customer content is logged.
SOC 2 Type II
Netlify DPA →
Anthropic API
AI language model inference (Claude)
Standard
Data processed
Conversation messages and document content sent as prompts; Anthropic does not use API customer data for model training per their API usage policy. Includes synthetic health check calls (no user content) made periodically to verify service availability as part of SLA obligations.
Region
USA — data leaves Australia for inference. Refer to Anthropic's API data handling documentation for retention specifics
Entity
Anthropic PBC, USA
Privilege posture
Privilege-compatibleNo model training on API customer data per Anthropic's API usage policy. Content transits to the US for inference and is not retained by Anthropic after the response is returned. Anthropic's terms do not assert ownership over customer content. Narrow operational use only — privilege-compatible.
SOC 2 Type II No model training on customer data
Anthropic Privacy Policy → Vendor risk assessment (on request) → AI model card (on request) →
Voyage AI
Text embedding generation (Standard tier RAG)
Standard
Data processed
Document text chunks (cleartext) sent to the Voyage AI embedding API to generate vector representations for RAG retrieval. Obsidia has enabled the Voyage AI zero-day retention (ZDR) opt-out per installation — customer data is not stored or used for model training after embedding generation is complete.
Region
USA — document text leaves Australia transiently for embedding generation. No data is retained by Voyage AI after processing under the ZDR opt-out.
Entity
Voyage AI Inc., USA
Privilege posture
Privilege-compatibleZero-day retention (ZDR) opt-out in place — document text is not retained by Voyage AI after embedding generation is complete. No model training on customer data. Content transits to the US transiently; no storage of privileged content after processing.
Zero-day retention (ZDR) No model training on customer data
Voyage AI Privacy Policy →
Amazon Web Services (AWS)
Cloud infrastructure — compute, storage, networking, AI inference
Compliance
Data processed
All Customer Data — stored and processed on AWS ECS, Aurora PostgreSQL, S3, and Bedrock
Region
ap-southeast-2 (Sydney) exclusively — no cross-region replication without consent
Entity
Amazon Web Services Australia Pty Ltd
Privilege posture
Onshore — privilege-safeAll data stored and processed in ap-southeast-2 (Sydney). No overseas disclosure. Privileged content never leaves Australian jurisdiction under the Compliance tier. AWS terms do not assert content ownership. AWS Customer Agreement and DPA restrict use to operational purposes.
ISO 27001 SOC 2 Type II IRAP Assessed PCI DSS
AWS Data Privacy →
AWS Bedrock (Claude / Titan)
AI language model inference & embeddings (Compliance tier)
Compliance
Data processed
Conversation prompts and document content for inference; embedding vectors for document retrieval
Region
ap-southeast-2 (Sydney) — inference stays in Australia
Entity
Amazon Web Services Australia Pty Ltd (sub-service of AWS above)
Privilege posture
Onshore — privilege-safeInference stays in ap-southeast-2 (Sydney). No model training on customer data. IRAP assessed. For customers whose matters are in active litigation or who require absolute sovereignty over privileged content, the Compliance tier (AWS Bedrock) ensures privileged content never leaves Australian jurisdiction.
No model training on customer data IRAP Assessed (PROTECTED)
Bedrock Security & Compliance →
Sentry
Application error monitoring & performance tracking
Standard Compliance
Data processed
Error stack traces, bounded error messages (truncated to 500 characters), and safe diagnostic tags (function name, HTTP status, correlation ID). All request bodies, authentication headers, navigation history, and user-supplied content are scrubbed before transmission. Session replay is disabled by default — no screen content is ever captured without explicit opt-in.
Region
USA (Sentry SaaS, US region). No Customer Data or personal information is transmitted — only technical diagnostic data after scrubbing.
Retention
90 days (Sentry default)
Entity
Functional Software Inc. (Sentry), USA
Privilege posture
Scrubbed — privilege-safeNo customer content reaches Sentry. Error events contain only error messages (≤500 chars), stack traces, and safe diagnostic tags. All request bodies, conversation content, document content, and matter identifiers are scrubbed before transmission. Session replay is permanently disabled. The scrubbing implementation is enforced by CI checks. See ADR-005.
SOC 2 Type II
Sentry DPA →
Change history

Sub-processor changelog

All changes to this register are listed here. Customers subscribed to notifications receive 30 days' advance notice of additions and material changes.

26 May 2026
Updated
All processors — privilege posture added. Added a "Privilege posture" field to each sub-processor card documenting how each processor handles legally privileged content, the applicable safeguard (in-jurisdiction, ZDR, scrubbing, or operational-licence restriction), and the privilege-compatibility assessment. This supports the Solicitor-Client Privilege Policy published at obsidia-privilege.html (OBS-261).
18 May 2026
Updated
Voyage AI — ZDR opt-out confirmed. Updated Voyage AI entry to clarify that Obsidia has enabled the zero-day retention (ZDR) opt-out per installation. Customer data is not stored or used for model training after embedding generation. Badge updated from "Opted out of model training" to "Zero-day retention (ZDR)" to accurately reflect the scope of the opt-out.
1 May 2026
Added
Initial register published. All sub-processors listed above added at platform launch.
Notifications

Subscribe to sub-processor changes

Under the Obsidia DPA, customers receive at least 30 days' advance notice before any new sub-processor is added or an existing sub-processor's role materially changes. Subscribe below to receive these notifications by email.