Subprocessor List

Name: Porcia
Price: 15 USD
Availability: InStock
Rating: 4.8 (50 reviews)
Author: Porcia

Last Updated: March 2, 2026
Version: 1.0

1. Introduction

This page lists all third-party service providers ("Subprocessors") that Arunkumar Chaubey, an individual resident of India, doing business as "Porcia" ("we", "us", or "our") uses to process Customer Data.

As described in our Data Processing Addendum, we engage Subprocessors to help provide the Porcia Service. All Subprocessors are contractually bound to protect your data and comply with applicable data protection laws.

Contact Us:

2. Current Subprocessors

2.1 Infrastructure & Hosting

Amazon Web Services (AWS)

Purpose: Cloud hosting and infrastructure

Data Processed: All Customer Data (emails, SSO data, contracts, usage data, account information)

Location: United States (primary)

Data Protection:

Encryption in transit (TLS 1.2+)
Encryption at rest (AES-256)
Access controls and monitoring

Privacy Policy: AWS Privacy Notice

DPA: AWS Customer Agreement includes GDPR-compliant DPA

2.2 AI & Machine Learning

Microsoft Azure OpenAI

Purpose: AI-powered analysis and automation features (via Azure AI Foundry)

Data Processed:

Email content and metadata
Contract documents
Vendor information
User prompts and instructions

Location: United States

Data Protection:

No training on customer data
Encryption in transit and at rest
30-day abuse monitoring retention (then deleted)
Access controls

Privacy Policy: Azure OpenAI Data Privacy

DPA: Microsoft Customer Agreement includes GDPR-compliant DPA

Pinecone

Purpose: Vector database for vendor intelligence and semantic search

Data Processed:

Vendor embeddings (vector representations)
Product information
Public vendor data
No customer PII or sensitive data

Location: United States

Data Protection:

Encryption in transit (TLS 1.2+)
Encryption at rest (AES-256)
Access controls
API authentication

Privacy Policy: Pinecone Privacy Policy

DPA: Available upon request

2.3 Email Services

Brevo (formerly Sendinblue)

Purpose: Transactional email delivery (account notifications, password resets, invitations, alerts)

Data Processed:

Recipient email addresses
Recipient names
Email content (transactional messages only)
Email delivery status

Location: European Union / United States

Data Protection:

Encryption in transit (TLS)
GDPR-compliant data handling
EU data residency options

Privacy Policy: Brevo Privacy Policy

DPA: Available in Brevo account settings

Amazon SES

Purpose: Backup email delivery (fallback if Brevo is unavailable)

Data Processed:

Recipient email addresses
Recipient names
Email content (transactional messages)

Location: United States

Data Protection:

Encryption in transit (TLS)
Access controls
Audit logging

Privacy Policy: AWS Privacy Notice

DPA: AWS Customer Agreement includes GDPR-compliant DPA

2.4 Payment Processing

Dodo Payments

Purpose: Subscription billing, payment processing, invoice generation

Data Processed:

Billing name and address
Payment method information (tokenized)
Transaction history
Subscription status
Invoice records

Location: United States (Delaware)

Office: 8 The Green, STE A, Dover, County of Kent, Delaware, 19901, United States

Data Protection:

PCI-DSS compliant tokenization
Porcia never stores raw payment card data
Encryption in transit and at rest
Fraud detection and prevention

Privacy Policy: Dodo Payments Privacy Policy (if available)

DPA: Available through Dodo Payments

Note: Porcia does NOT store credit card numbers, CVVs, or raw payment credentials. All sensitive payment data is handled exclusively by Dodo Payments in a PCI-compliant environment.

2.5 Analytics & Monitoring

PostHog

Purpose: Product analytics, feature usage tracking, user behavior analysis

Data Processed:

User actions (page views, button clicks, feature usage)
Session data (duration, frequency)
Device and browser information
User ID and email (for identification)
IP address (can be anonymized)

Location: United States / European Union (customer choice)

Data Protection:

Data residency options (US or EU)
IP anonymization available
User opt-out supported
Encryption in transit and at rest

Privacy Policy: PostHog Privacy Policy

DPA: Available upon request

User Control: Users can opt out of analytics cookies via cookie preferences.

Sentry

Purpose: Error tracking, performance monitoring, debugging

Data Processed:

Error messages and stack traces
User context (user ID, email)
Device and browser information
IP address
Request URLs and parameters

Location: United States

Data Protection:

Data scrubbing (removes sensitive data from errors)
IP anonymization options
Encryption in transit and at rest
Access controls

Privacy Policy: Sentry Privacy Policy

DPA: Available in Sentry account settings

Data Minimization: We configure Sentry to scrub sensitive data (passwords, tokens, PII) from error reports.

2.6 Authentication & Identity

Google OAuth

Purpose: Gmail integration, Google Workspace SSO integration

Data Processed:

OAuth access and refresh tokens
User profile information (name, email, photo)
Gmail messages (when email integration is enabled)
Google Workspace directory data (when SSO is enabled)

Location: United States

Data Protection:

OAuth 2.0 secure authentication
Limited Use compliance
Encryption in transit and at rest
Token revocation support

Privacy Policy: Google Privacy Policy

API Compliance: Full compliance with Google API Services User Data Policy

Microsoft OAuth

Purpose: Outlook integration, Azure AD (Microsoft Entra ID) SSO integration

Data Processed:

OAuth access and refresh tokens
User profile information (name, email, photo)
Outlook messages (when email integration is enabled)
Azure AD directory data (when SSO is enabled)

Location: United States

Data Protection:

OAuth 2.0 secure authentication
Encryption in transit and at rest
Token revocation support
Microsoft Graph API compliance

Privacy Policy: Microsoft Privacy Statement

Okta

Purpose: Okta SSO integration

Data Processed:

OAuth access and refresh tokens
User profile information
Application assignments
Login activity

Location: United States

Data Protection:

OAuth 2.0 secure authentication
Encryption in transit and at rest
Token revocation support

Privacy Policy: Okta Privacy Policy

DPA: Available through Okta

3. Subprocessor Locations

Subprocessor	Primary Location	Data Residency Options
AWS	United States	Multiple regions available
Azure OpenAI	United States	Azure regions
Pinecone	United States	US only
Brevo	EU / United States	EU or US
Amazon SES	United States	Multiple regions
Dodo Payments	Varies	Varies by customer location
PostHog	United States / EU	US or EU (customer choice)
Sentry	United States	US only
Google	United States	Global infrastructure
Microsoft	United States	Global infrastructure
Okta	United States	Global infrastructure

Note: For EU/EEA/UK customers, data transfers to the United States are protected by Standard Contractual Clauses (SCCs) and supplementary measures as described in our Data Processing Addendum.

4. Data Protection Measures

All Subprocessors are required to:

Sign Data Processing Agreements (DPAs) with GDPR-compliant terms
Implement appropriate technical and organizational security measures
Encrypt data in transit (TLS 1.2+) and at rest (AES-256)
Maintain access controls and authentication
Provide breach notification within required timeframes
Support data subject rights (access, deletion, portability)
Allow audits and compliance reviews
Delete data upon termination or instruction

5. Changes to Subprocessors

5.1 Notification

We will notify customers at least 30 days before:

Adding a new Subprocessor
Replacing an existing Subprocessor
Materially changing how a Subprocessor processes data

Notification Methods:

Email to account administrator
Update to this page (with change log)
In-app notification

5.2 Objection Rights

If you object to a new or replacement Subprocessor:

You must notify us within 30 days of our notification
You must provide reasonable grounds for objection (e.g., Subprocessor does not meet your data protection requirements)
We will work with you to address concerns
If no resolution is reached, you may terminate the Service without penalty

To object: Email legal@porcia.org with your concerns.

5.3 Change Log

Date	Change	Subprocessor	Reason
March 2, 2026	Initial list	All	Initial launch

6. Subprocessor Audits

6.1 Our Due Diligence

Before engaging a Subprocessor, we:

Review security practices and policies
Assess data protection compliance (GDPR, CCPA)
Evaluate encryption and access controls
Review incident response capabilities
Negotiate Data Processing Agreements

6.2 Ongoing Monitoring

We continuously monitor Subprocessors for:

Security incidents and breaches
Changes to data handling practices
Service reliability and performance

6.3 Customer Audits

Customers may request:

Copies of Subprocessor DPAs
Subprocessor audit reports (subject to confidentiality)

To request: Email legal@porcia.org

7. Subprocessor Incidents

If a Subprocessor experiences a data breach or security incident:

Subprocessor notifies Porcia (per DPA terms)
Porcia investigates and assesses impact
Porcia notifies affected customers within 72 hours
Porcia assists customers with breach response
Porcia works with Subprocessor to remediate

Incident Notification: security@porcia.org

8. Removing Subprocessors

We may remove or replace Subprocessors to:

Improve service quality
Reduce costs
Enhance security
Comply with legal requirements

Removal or replacement will be communicated per Section 5 (Changes to Subprocessors).

9. Questions and Contact

Questions about Subprocessors?

Legal/DPA Questions: legal@porcia.org
Privacy Questions: privacy@porcia.org
Security Questions: security@porcia.org
General: hello@porcia.org

Arunkumar Chaubey
Doing business as Porcia
C/13 Mangalmurti Society, Ghatkopar West
Mumbai, Maharashtra, India
Phone: +91 8097907763

10. Additional Resources

Version History:

v1.0 (March 2, 2026) - Initial release

Last Reviewed: March 2, 2026
Next Review: June 2, 2026