Sub-Processors
Last updated: 2026-06-09
Ordinary engages the following third-party service providers (“Sub-Processors”)
to process Personal Data on behalf of merchant customers who use the Ordinary
Service. This list is maintained as required by Section 6 of Ordinary’s
Data Processing Agreement.
New Sub-Processors will be listed here at least 30 days before they begin
processing Personal Data. Merchants may object to a new Sub-Processor within
that 30-day window per Section 6.2 of the DPA.
Core infrastructure
| Sub-Processor | Purpose | Data processed | Location |
|---|
| Vercel | Application hosting (Next.js) | All request/response data in transit; logs | USA (primary), global edge |
| Neon | Primary Postgres database (managed) | All application data at rest | USA (AWS us-east-1) |
| Digital Ocean App Platform | Background worker (Graphile) hosting for async tasks (webhook processing, backfills) | Queue payloads; temporarily holds event data in transit | USA (primary region) |
| DigitalOcean Spaces | File storage (admin-files, imported data, temporary export bundles) | Uploaded files, data export JSONs | USA |
Authentication and user management
| Sub-Processor | Purpose | Data processed | Location |
|---|
| Clerk | User authentication, session management, MFA | Authorised-user email, name, password (hashed, stored by Clerk), IP address, user agent, session tokens | USA |
Communications
| Sub-Processor | Purpose | Data processed | Location |
|---|
| Resend | Transactional email delivery (GDPR data-request bundles, system notifications) | Recipient email, subject, body, attachments | USA |
Source-system integrations (data ingestion)
| Sub-Processor | Purpose | Data processed | Location |
|---|
| Shopify | Source of merchant store data (orders, customers, products, webhooks) | OAuth token, store data synced per merchant authorisation | Global (Shopify’s own infrastructure) |
| Meta (Graph API) | Read-only pull of merchant’s own ad campaign performance data | OAuth token, campaign metadata, ad performance metrics (aggregate, no customer data) | USA |
| Google (Analytics Data API, Search Console API, Sheets API) | Read-only pull of merchant’s GA4 / GSC / Sheets data (optional per merchant) | OAuth token, aggregate session / search / spreadsheet data | USA |
| Amazon Ads API | Read-only pull of merchant’s Amazon ad campaign performance (optional per merchant) | OAuth token, campaign metadata, ad performance metrics | USA |
| Amazon Selling Partner API (SP-API) | Read-only pull of merchant’s own Amazon Seller account business data — sales & traffic, financials, inventory, orders (optional per merchant) | OAuth token, aggregate sales / traffic metrics, financial event amounts (settlements / fees / refunds), inventory levels, order records (product / quantity / price; no end-buyer personal data) | USA |
| PostHog | Legacy merchant analytics ingestion for orgs that installed PostHog before Ordinary’s pixel | OAuth token, aggregate session data | USA or EU per merchant’s PostHog region |
| Klaviyo | Read-only pull of merchant’s own email + SMS campaign and flow performance data (optional per merchant) | OAuth token, campaign / flow metadata, send metrics (recipients, opens, clicks, unsubscribes, bounces, attributed revenue) | USA |
These Sub-Processors receive hashed customer identifiers only, forwarded on
the merchant’s explicit instruction via an OAuth-authorised connection to
the merchant’s own ad account. Merchants can disconnect at any time via
Settings → Integrations.
| Sub-Processor | Purpose | Data processed | Location |
|---|
| Meta Conversions API | Server-side purchase event forwarding to merchant’s own Meta ad account | SHA-256 hashed email / phone / first name / last name; purchase amount, currency, timestamp, event ID | USA |
| Google Enhanced Conversions (planned) | Server-side conversion forwarding to merchant’s own Google Ads account | SHA-256 hashed user data; purchase amount, currency, timestamp | USA |
Billing and subscriptions
| Sub-Processor | Purpose | Data processed | Location |
|---|
| Stripe | Subscription billing for Ordinary’s own fees to merchants | Merchant billing contact, payment method (tokenised), subscription state | USA |
Ordinary’s own product analytics (internal)
| Sub-Processor | Purpose | Data processed | Location |
|---|
| PostHog (our instance) | Product analytics on Ordinary’s own application usage by authorised merchant users | Authorised-user events (page views, clicks within Ordinary), pseudonymous user ID | USA |
Note: this is Ordinary’s own product-analytics instance, separate from any
merchant’s PostHog integration. It collects behaviour of merchant
administrators inside the Ordinary dashboard, not their customers’ behaviour
on their storefronts.
Data transfer mechanisms
For transfers of Personal Data from the EEA / UK / Switzerland to the US or
other third countries:
- Where a Sub-Processor is certified under the EU-US Data Privacy
Framework, we rely on that certification.
- Where it isn’t, we rely on the 2021 Standard Contractual Clauses (SCCs),
Module 2 (Controller → Processor) or Module 3 (Processor → Sub-Processor)
as applicable.
Merchants subject to EU/UK/Swiss data-protection law may request a signed
copy of the SCCs via
privacy@tryordinary.com.
Change log
| Date | Change |
|---|
| 2026-04-20 | Initial launch list published |
| 2026-06-09 | Listed the Amazon Selling Partner API (SP-API) as a distinct data-ingestion entry, alongside the existing Amazon Ads API. Same vendor (Amazon) and region (USA); read-only ingest of the merchant’s own Amazon Seller business data (sales & traffic, financials, inventory, orders) with no end-buyer personal data. |
