SubprocessorsLast updated April 1, 2026

The vendors we trust with your data.

OnePointe relies on a deliberately small set of subprocessors to deliver the Service. This page lists every third party that processes Institution or Subject data on our behalf, what they do, where they sit, and the security commitments they're held to. We notify Institution administrators at least 30 days before any addition to this list.

At a glance

All hosted in the U.S.

Every subprocessor stores and processes data in U.S. regions only. No cross-border transfer.

Contractually bound

Each is held to security and privacy commitments at least as strong as ours via signed DPA.

30-day advance notice

We notify Institution administrators before any addition or material change. You can object.

Audited annually

We review each subprocessor's SOC 2, ISO 27001, or equivalent attestations every 12 months.

1. What is a subprocessor

A subprocessor is a third party that processes Institution or Subject data on OnePointe's behalf to help us deliver the Service. Examples include the cloud provider that hosts our infrastructure, the email service that delivers transactional notifications, and the monitoring tools that help us detect and resolve incidents.

Subprocessors are distinct from the broader category of vendors we work with. A vendor that does not access Institution or Subject data — for example, a billing platform that processes only company-level invoicing — is not a subprocessor and is not listed here.

Plain-language commitment: Every entity on the list below has signed a Data Processing Addendum binding them to confidentiality, security, breach notification, audit, and deletion obligations consistent with our agreement with your Institution.

2. Current subprocessors

The following subprocessors are currently authorized to process data on behalf of OnePointe.

Amazon Web Services

Primary cloud infrastructure: compute, storage, encryption key management, networking, and database hosting.

SOC 2 Type II ISO 27001 ISO 27017 ISO 27018 FedRAMP

Entity: Amazon Web Services, Inc.
Data accessed: Encrypted Institution and Subject data at rest and in transit; operational metadata.
Region: us-east-1, us-west-2 (United States)
In use since: Company founding (2023)
DPA: AWS Service Terms & signed DPA

Postmark

Transactional email delivery for account notifications, case updates, and report distribution to verified Institution Users.

SOC 2 Type II GDPR CCPA

Entity: Wildbit, LLC (operator of Postmark)
Data accessed: Recipient email address, subject line, message body for transactional notifications. No marketing email.
Region: United States
In use since: Company founding (2023)
DPA: Wildbit DPA, signed

Datadog

Application performance monitoring, error tracking, and infrastructure observability. Used to detect and triage incidents.

SOC 2 Type II ISO 27001 HIPAA-eligible

Entity: Datadog, Inc.
Data accessed: Application logs and metrics with PII redacted at the SDK layer; infrastructure telemetry. No Subject case content.
Region: US1 (United States)
In use since: Company founding (2023)
DPA: Datadog DPA, signed

If your Institution requires sub-processor disclosure for any vendor not listed here, please contact us. We're happy to confirm in writing that a particular vendor is or is not in our processing chain.

3. Our commitments

Before authorizing a subprocessor, OnePointe:

Reviews their security posture — current SOC 2, ISO 27001, or equivalent attestation; encryption controls; access management; incident response capabilities.
Executes a Data Processing Addendum binding them to confidentiality, purpose limitation, breach notification, audit cooperation, and data deletion obligations consistent with our commitments to Institutions.
Limits the data they can access to the minimum necessary to perform their function. Where possible, data is pseudonymized or redacted before it reaches the subprocessor.
Re-reviews annually — we re-examine each subprocessor's certifications, sub-processor lists, and any material incidents within the prior 12 months.

If a subprocessor materially fails to meet its obligations, OnePointe will, where feasible, transition the relevant function to an alternative provider and notify affected Institutions.

4. Notification of changes

We notify designated Institution administrators at least 30 days before:

Adding a new subprocessor that will process Institution or Subject data;
Materially expanding the categories of data an existing subprocessor accesses;
Replacing a subprocessor with a different vendor for the same function.

Notification is sent by email to the privacy and security contacts on file for each Institution and posted to this page. The change log below records every change with effective date.

Right to object: Institutions have the right to object to a new subprocessor on reasonable grounds related to data protection. If we are unable to address the objection, the Institution may terminate the affected portion of the Service without penalty per the terms of its agreement.

To update the subprocessor notification recipients for your Institution, contact your account manager or email privacy@onepointe.ai.

5. Change log

All additions, removals, and material changes to the subprocessor list are recorded here.

No changes since launch The current subprocessor roster has been in place since OnePointe's founding. The next entry will appear here at least 30 days before it takes effect.

A signed PDF version of the current subprocessor list, suitable for procurement records, is available on request — email privacy@onepointe.ai.

6. Questions

For questions about this list, the underlying contracts, or our review process:

Privacy & subprocessor inquiries: privacy@onepointe.ai
General contact: hello@onepointe.ai
Mailing address: OnePointe Technologies, Inc., 830 NE Holladay St, Portland, OR 97232

This page is referenced from our Privacy Policy and the Data Processing Addendum that accompanies every Institution agreement.