Sub-processors

Your list depends on your configuration

Because Orimora is self-hosted, you choose which external services it talks to. This page lists every service a deployment can use and what each one processes. Your actual sub-processor list is the subset you have configured. Keep your own copy in sync and attach it as Annex II of your DPA.

The zero-sub-processor baseline

A deployment that uses self-run PostgreSQL, self-run object storage (e.g. MinIO), self-run SMTP, with AI features disabled, no external SSO, and no off-site backup sends personal data to no third party at all. Everything stays on infrastructure you control. Each managed service you opt into below adds one row to your sub-processor list.

Services a deployment may use

Service category	Typical providers (you choose)	Purpose	Personal data processed	How to avoid it
Database hosting	Self-run PostgreSQL, or managed (RDS, Cloud SQL, …)	Primary data store (required)	All account & content data	Self-run PostgreSQL
Object storage	Self-run MinIO, AWS S3, Cloudflare R2, …	Attachments & uploaded images	File contents + uploader identity	Self-run MinIO, or don’t allow uploads
Email delivery (SMTP)	Self-run Postfix, Postmark, Amazon SES, …	Magic-link login, invites, notifications	Recipient email address + message content	Self-run SMTP
Off-site backup target	Any S3 bucket / rclone remote	Encrypted off-site backup copies	age-encrypted DB dump (provider sees ciphertext)	Leave BACKUP_RCLONE_REMOTE unset
Identity provider (SSO)	Okta, Entra ID, Google, Keycloak, any OIDC/SAML IdP	Authentication (optional)	Email, name, group/role claims	Use magic-link / passkeys only
AI / LLM provider (text)	OpenAI, Anthropic, Google (Gemini), OpenRouter, or self-hosted (Ollama, or any custom OpenAI-compatible endpoint)	AI assistant / text features (optional)	Document content & prompts you submit to the assistant	Disable AI, or use a self-hosted model
AI image generation	OpenAI (Images), Replicate	AI image generation in the editor (optional)	The text prompts you submit for image generation	Disable AI image generation (don’t configure an image provider)
Web-push service	Browser vendor push (Apple, Google FCM, Mozilla)	Browser push notifications (optional)	Push subscription endpoint (no message content)	Don’t enable push notifications
Error tracking	Your configured Sentry-compatible endpoint	Error diagnostics (optional)	Error context, may include user/correlation IDs	Leave error tracking unconfigured
Audit-log export (SIEM)	Any HTTP/syslog sink you point it at (Splunk, Datadog, Elastic, self-run syslog, …)	Stream the audit log to your SIEM (optional)	Audit events: actor ID, IP address, user-agent, correlation ID, action + resource IDs (no document titles/content)	Leave AUDIT_EXPORT_* unset (default), or use a self-run/local sink

Note

claude.ai / MCP clients are not sub-processors. When a user connects an MCP client (e.g. Claude) to your instance, that client is acting for the user and pulls data out on their instruction — it is a data recipient the user chose, not a processor you engaged.

Keeping your list accurate

• Treat this page as the menu; your Annex II is the subset you actually configured.
• Re-check it whenever you change SMTP_*, S3_*, BACKUP_RCLONE_REMOTE, AUDIT_EXPORT_*, SSO providers, AI settings, or push — see Configuration.
• Record, for each sub-processor you use: legal entity, processing location (and the transfer mechanism if outside the EEA), and purpose. International transfer: a cloud SIEM (e.g. Datadog/Splunk US regions) or any sink hosted outside the EEA receives audit metadata — document the transfer mechanism (SCCs/adequacy) before enabling AUDIT_EXPORT_HTTP_URL.
• Notify your controllers before adding or replacing a sub-processor, per §6 of the DPA template.