Last updated: 12.08.2025
We work with a small, trusted group of sub-processors to help deliver OKRs Tool securely, reliably, and in compliance with global data protection laws. All vendors are subject to GDPR-level privacy standards and governed by signed Data Processing Agreements (DPAs).
Infrastructure & Hosting
Amazon Web Services (AWS) – Cloud hosting, database storage, and application infrastructure
→ Regions: EU (Ireland), US (Virginia), Asia (Singapore)
Application Platform
Bubble.io – Application logic and database hosting for the OKRs Tool web app
→ Runs on AWS infrastructure and complies with industry security standards
→ Bubble security overview
Website CMS
Webflow – Marketing website and blog hosting
→ Used for non-authenticated content only (i.e. no customer data stored)
Payments & Billing
Stripe – Payment processing and subscription billing
→ Handles payment transactions, subscription management, and related billing information (e.g., name, email, billing address)
→ Complies with PCI DSS security standards and global privacy regulations
→ Stripe privacy policy
Email Delivery
SendGrid (Twilio) – Transactional and notification email delivery
→ Used for invites, check-ins, password resets, etc.
Integrations & Messaging
Slack – Customer-enabled integration for OKR check-ins, reminders, and updates
→ Only used for teams that connect their Slack workspace
→ Data shared is limited to messages configured by the user or admin
Analytics & Tracking
Google Analytics 4 (GA4) – Website and app usage analytics
→ IP anonymization and region-specific consent controls enabled
Cookiebot – Manages cookie consent and tracks opt-in preferences for analytics
Hotjar – Behavior analytics and user experience tracking
→ Used to understand how users interact with our website and app interface
→ IP anonymization and data minimization enabled
AI-Powered Features
OpenAI – Used to generate OKR examples, drafts, and coaching suggestions
→ Only used for users who opt in to AI features
→ Data is not shared across accounts or used to train public models
Compliance & Privacy Notes
- All sub-processors are contractually required to adhere to GDPR-compliant data protection practices
- Where vendors operate outside the EEA, we implement appropriate safeguards (e.g. SCCs or adequacy decisions)
- No sub-processor has independent access to customer data beyond what is required to deliver their service
Need Our Signed Data Processing Agreement (DPA)?
Email us at info@okrstool.com to request our standard DPA or ask questions about our data practices.