Subprocessors
The third-party service providers that handle data on Oryn’s behalf, with each vendor’s purpose, region, DPA link, and sub-processor disclosure.
Oryn relies on a small set of third-party service providers (subprocessors) to deliver the platform. Every subprocessor on this page has a Data Processing Agreement (DPA) in force with Oryn — either as a separately-executed countersigned agreement or via the vendor’s standing public DPA incorporated by reference into their commercial terms. The badge in the DPA column shows which pattern applies per vendor.
This page is the public projection of Oryn’s internal subprocessor inventory. The two are reconciled on every change.
Production subprocessors
| Vendor | Purpose | Region | Data categories | DPA | Sub-processors | Retention (vendor side) |
|---|---|---|---|---|---|---|
| Railway | Application hosting (API + web), managed Postgres, managed Redis, build pipeline. | US (GCP us-west2) | All production data at rest (encrypted volumes) and in transit between services. | View DPA ↗ (Executed) | Google Cloud Platform; Vendor sub-processor list ↗ | Rolling backups: PITR 7 days, daily snapshots 30 days. Hard-delete per Oryn's retention job. |
| Netlify | Marketing site hosting + DNS for the Oryn brand surface. | US (multi-region edge) | Public marketing content; aggregate visitor analytics only (no client data). | View DPA ↗ (Executed) | AWS, Cloudflare; Vendor sub-processor list ↗ | Edge logs 30 days; analytics 90 days. |
| Auth0 (Okta) | Identity provider — authentication, multi-factor authentication (Guardian), password reset, M2M API. | US (Auth0 US tenant) | Email, hashed password (Auth0-side bcrypt/argon2 — Oryn never sees the plaintext or hash), Auth0 sub, MFA factor metadata, login events. | View DPA ↗ (Executed) | AWS; Vendor sub-processor list ↗ | User lifecycle: deletion via Management API on hard-delete of the corresponding User row. |
| Stripe | Firm subscription billing. | US (Stripe, Inc.) | Firm billing contact, card last-4, BIN, billing address. | View DPA ↗ (Executed) | AWS, Cloudflare, Fastly; Vendor sub-processor list ↗ | Stripe retains per PCI/AML requirements (≥7 years). PCI DSS Level 1. |
| LawPay / AffiniPay | Client payment processing — operating + IOLTA trust accounts. | US | Client name, email, amount, invoice reference, payment-method last-4. | View DPA ↗ (Executed) | Chase Paymentech, Fifth Third Bank | LawPay retains 7 years (IOLTA compliance). SOC 1 Type II + PCI DSS Level 1. |
| Anthropic (Claude API) | Runtime LLM inference — portal AI assistant, document drafting, hearing-prep synthesis, intake summaries. | US (AWS us-east-1, us-west-2) | Conversation content with personally-identifying patterns (SSN, DOB, driver's license, email, phone, payment-card numbers) stripped before being sent. System prompts and attorney authorship instructions accompany the request. | View DPA ↗ (By reference) | AWS; Vendor sub-processor list ↗ | Anthropic Commercial Terms + DPA (incorporated by reference under §C of the Commercial Terms; GDPR Art. 28 controller-processor). API logs retained 30 days on Anthropic side; zero-day retention available on enterprise tier — to be requested at confirmation. |
| Sentry | Application error monitoring. | US | Stack traces, request metadata, redacted breadcrumbs (PII redaction list applied to event scrubbers). | View DPA ↗ (Executed) | AWS; Vendor sub-processor list ↗ | Default retention 90 days; configurable. |
| AWS Simple Email Service (SES) | Transactional email delivery — reminders, case updates, message notifications, invite emails. | US (us-east-1) | Recipient name, recipient email, subject, body. | View DPA ↗ (By reference) | None disclosed; Vendor sub-processor list ↗ | AWS Service Terms §1.14.1 incorporates the AWS GDPR DPA. Standard SES delivery logs (configurable retention). |
| AWS Textract | Cloud OCR for low-confidence pages and phone-photo inputs in the document-intake pipeline. | US (us-east-1) | Page-image bytes (rasterized PDF pages). May contain client identifiers, signatures, sensitive case content. PII redaction is not applied because Textract IS the OCR — the rasterized image is the input. | View DPA ↗ (By reference) | None disclosed; Vendor sub-processor list ↗ | AWS Service Terms §1.14.1 incorporates the AWS GDPR DPA. AWS is contractually opted out from using Oryn's inputs for service improvement via an AWS Organizations AI Services Opt-Out Policy attached at the organization root — Textract does not retain page-image bytes for model improvement. |
Sub-processor change policy
Oryn commits to the following process whenever the subprocessor inventory changes:
- Notification. The Firm Administrator is notified in the in-app admin dashboard when Oryn’s vendor set changes. A companion email is sent to the firm’s billing contact.
- Notice window. At least 30 days' advance notice before a new subprocessor receives production traffic.
- Objection window. Each Firm Administrator has 30 days from notification to object. Objection options: (a) cease using the feature(s) that depend on the new subprocessor; or (b) terminate the agreement under its standard terms. Where Oryn cannot offer an equivalent feature without the new subprocessor, termination is the only recourse.
- Emergency substitutions. Vendor outage or force majeure may require Oryn to substitute a subprocessor without the 30-day notice. The Firm Administrator is notified within 7 days post-hoc, and the standard objection window (30 days from notice) still applies.
Build-time tooling and self-hosted runtime (not subprocessors)
The following tools are used by Oryn’s engineering team during build and development, or run inside Oryn’s own infrastructure without sending data to a third party. They do not process customer data on a third-party service. Listed here for transparency:
- GitHub — source code hosting and CI for Oryn’s engineering team. No customer data ever flows to GitHub.
- Anthropic Claude Code (build-time only) — coding assistant used by engineering. No production data flows through it.
- Self-hosted OCR pipeline — Tesseract, OCRmyPDF, and pdfplumber run inside Oryn’s own infrastructure on Railway. The AWS Textract subprocessor row above covers the cloud-OCR fallback path; this bullet covers the in-house default path.
Questions about this page
For sub-processor inquiries, including objections to a planned subprocessor change or requests for additional disclosure, contact the Oryn security team at security@decoded-systems.com.
For the underlying contractual obligations Oryn has accepted from each subprocessor, see the linked DPAs above. For Oryn’s own DPA with Customer firms, see the Data Processing Addendum.