A complete list of every third-party service we use to deliver OKRs Tool. All vendors are bound by signed Data Processing Agreements (DPAs) and meet GDPR-aligned data protection standards.
We work with a small, vetted group of sub-processors to help deliver OKRs Tool securely, reliably, and in compliance with global data protection laws. Each vendor below has a defined role, a specific category of data they handle, and is contractually bound to confidentiality and data protection standards consistent with our Privacy Policy.
We notify customers of material changes to this list with reasonable advance notice. If you would like to be notified of changes, email dpo@okrstool.com.
OKRs Tool is currently transitioning from V1 (our original platform) to V2 (the next-generation product). Some sub-processors below are tagged (V1) or (V2) to reflect which platform they serve. Both platforms operate in parallel during the migration. Customer data on each platform is processed only by that platform's listed sub-processors.
| Vendor | Category | Purpose & data handled |
|---|---|---|
| Supabase Supabase privacy | Database & auth (V2) | Primary database, authentication, and file storage for OKRs Tool V2. Stores authenticated customer data — account info, OKRs, key results, check-ins, and workspace content. Hosted on SOC 2 Type II audited infrastructure; data encrypted at rest. EU region. |
| Cloudflare Cloudflare privacy | App hosting & edge (V2) | Hosts and serves the OKRs Tool V2 application (Cloudflare Workers), and provides CDN, DDoS mitigation, and web application firewall (WAF) across the V2 app, knowledge base, and supporting sites. Processes request traffic in transit; no customer data stored at rest. |
| Amazon Web Services AWS privacy | Infrastructure | Underlying cloud infrastructure on which our database and platform providers operate. Customer data is stored encrypted at rest. Regions: EU (Ireland), US (Virginia), Asia (Singapore). |
| Lovable Lovable privacy | Development platform (V2) | Development platform used to build and maintain OKRs Tool V2. The development environment has administrative access to the V2 production database for engineering, maintenance, and support tasks, which can include viewing or deleting customer records. Access is limited to authorized engineering use and governed by our internal access controls. |
| Bubble Bubble security | Application platform (V1) | Application platform powering OKRs Tool V1. Runs on AWS infrastructure with SOC 2 Type II audit. Stores authenticated user data (account info, OKRs, workspace content) for customers on the V1 platform during our migration to V2. |
| Webflow Webflow privacy | Marketing site | Marketing website and blog hosting. Used for non-authenticated content only. No customer data is stored on Webflow. |
| Weglot Weglot privacy | Product translation | Provides machine and human-reviewed translation of product UI strings into supported languages (currently English, German and Spanish). Processes only public-facing UI text and translation memory. No customer OKR content, account data, or personal data is sent to Weglot. |
| Stripe Stripe privacy | Payments | Payment processing and subscription billing. Handles transactions, subscription management, and billing data (name, email, billing address). PCI DSS compliant. |
| SendGrid (Twilio) Twilio privacy | Email delivery (V1) | Transactional and notification email delivery for OKRs Tool V1 — invites, check-in reminders, password resets, billing notifications. Email addresses only. |
| Resend Resend privacy | Email delivery (V2) | Transactional and notification email delivery for OKRs Tool V2 — invites, check-in reminders, password resets, billing notifications. Email addresses and message content only. |
| Anthropic Anthropic privacy | AI features (V2) | Powers AI features in OKRs Tool V2 — OKR insights, alignment diagnostics, drafting and coaching suggestions, and the MCP server. OKR content may be sent to generate these outputs. Data is not used to train models and is not shared across accounts. |
| OpenAI OpenAI privacy | AI features (V1) | Used to generate OKR examples, drafts, and coaching suggestions on OKRs Tool V1. Only used for users who opt in to AI features. Data is not shared across accounts and is not used to train models. |
| Slack Slack privacy | Optional integration | Customer-enabled integration for OKR check-in notifications and reminders. Only used for teams that connect their Slack workspace. Data shared is limited to notifications configured by the user or admin. |
| Google (Calendar & Sheets) Google privacy | Optional integration | Customer-enabled integrations for Calendar and Sheets. OKRs Tool does not store Google user data — see our Google User Data section for full details. |
| Google Analytics 4 Google privacy | Analytics | Website and app usage analytics. IP anonymization and region-specific consent controls enabled. |
| Cookiebot Cookiebot privacy | Consent management | Manages cookie consent banners and tracks opt-in preferences for analytics on the marketing website. |
| Hotjar Hotjar privacy | Analytics | Behavior analytics and user experience tracking on the marketing website. IP anonymization and data minimization enabled. |
| Datadog Datadog privacy | Monitoring | Application performance monitoring and error tracking. Captures system telemetry only — no customer OKR content. |
If you require a signed Data Processing Agreement (DPA) for your records or your own compliance program, we're happy to share ours. Email dpo@okrstool.com with your request and we'll send it over within 1 business day.
Questions about sub-processors or our data practices?
Email dpo@okrstool.com or info@okrstool.com.