> Source: https://tryordinary.com/sub-processors/ # Sub-Processors **Last updated:** 2026-06-09 Ordinary engages the following third-party service providers (“Sub-Processors”) to process Personal Data on behalf of merchant customers who use the Ordinary Service. This list is maintained as required by Section 6 of Ordinary’s [Data Processing Agreement](/docs/DATA_PROCESSING_AGREEMENT.md). New Sub-Processors will be listed here at least 30 days before they begin processing Personal Data. Merchants may object to a new Sub-Processor within that 30-day window per Section 6.2 of the DPA. ## Core infrastructure Sub-Processor | Purpose | Data processed | Location | **Vercel** | Application hosting (Next.js) | All request/response data in transit; logs | USA (primary), global edge | **Neon** | Primary Postgres database (managed) | All application data at rest | USA (AWS us-east-1) | **Digital Ocean App Platform** | Background worker (Graphile) hosting for async tasks (webhook processing, backfills) | Queue payloads; temporarily holds event data in transit | USA (primary region) | **DigitalOcean Spaces** | File storage (admin-files, imported data, temporary export bundles) | Uploaded files, data export JSONs | USA | ## Authentication and user management Sub-Processor | Purpose | Data processed | Location | **Clerk** | User authentication, session management, MFA | Authorised-user email, name, password (hashed, stored by Clerk), IP address, user agent, session tokens | USA | ## Communications Sub-Processor | Purpose | Data processed | Location | **Resend** | Transactional email delivery (GDPR data-request bundles, system notifications) | Recipient email, subject, body, attachments | USA | ## Source-system integrations (data ingestion) Sub-Processor | Purpose | Data processed | Location | **Shopify** | Source of merchant store data (orders, customers, products, webhooks) | OAuth token, store data synced per merchant authorisation | Global (Shopify’s own infrastructure) | **Meta (Graph API)** | Read-only pull of merchant’s own ad campaign performance data | OAuth token, campaign metadata, ad performance metrics (aggregate, no customer data) | USA | **Google (Analytics Data API, Search Console API, Sheets API)** | Read-only pull of merchant’s GA4 / GSC / Sheets data (optional per merchant) | OAuth token, aggregate session / search / spreadsheet data | USA | **Amazon Ads API** | Read-only pull of merchant’s Amazon ad campaign performance (optional per merchant) | OAuth token, campaign metadata, ad performance metrics | USA | **Amazon Selling Partner API (SP-API)** | Read-only pull of merchant’s own Amazon Seller account business data — sales & traffic, financials, inventory, orders (optional per merchant) | OAuth token, aggregate sales / traffic metrics, financial event amounts (settlements / fees / refunds), inventory levels, order records (product / quantity / price; no end-buyer personal data) | USA | **PostHog** | Legacy merchant analytics ingestion for orgs that installed PostHog before Ordinary’s pixel | OAuth token, aggregate session data | USA or EU per merchant’s PostHog region | **Klaviyo** | Read-only pull of merchant’s own email + SMS campaign and flow performance data (optional per merchant) | OAuth token, campaign / flow metadata, send metrics (recipients, opens, clicks, unsubscribes, bounces, attributed revenue) | USA | ## Ad-platform forwarding (outbound, at merchant instruction) These Sub-Processors receive hashed customer identifiers only, forwarded on the merchant’s explicit instruction via an OAuth-authorised connection to the merchant’s own ad account. Merchants can disconnect at any time via Settings → Integrations. Sub-Processor | Purpose | Data processed | Location | **Meta Conversions API** | Server-side purchase event forwarding to merchant’s own Meta ad account | SHA-256 hashed email / phone / first name / last name; purchase amount, currency, timestamp, event ID | USA | **Google Enhanced Conversions** *(planned)* | Server-side conversion forwarding to merchant’s own Google Ads account | SHA-256 hashed user data; purchase amount, currency, timestamp | USA | ## Billing and subscriptions Sub-Processor | Purpose | Data processed | Location | **Stripe** | Subscription billing for Ordinary’s own fees to merchants | Merchant billing contact, payment method (tokenised), subscription state | USA | ## Ordinary’s own product analytics (internal) Sub-Processor | Purpose | Data processed | Location | **PostHog (our instance)** | Product analytics on Ordinary’s own application usage by authorised merchant users | Authorised-user events (page views, clicks within Ordinary), pseudonymous user ID | USA | Note: this is Ordinary’s own product-analytics instance, separate from any merchant’s PostHog integration. It collects behaviour of merchant administrators inside the Ordinary dashboard, not their customers’ behaviour on their storefronts. ## Data transfer mechanisms For transfers of Personal Data from the EEA / UK / Switzerland to the US or other third countries: - Where a Sub-Processor is certified under the EU-US Data Privacy Framework, we rely on that certification. - Where it isn’t, we rely on the 2021 Standard Contractual Clauses (SCCs), Module 2 (Controller → Processor) or Module 3 (Processor → Sub-Processor) as applicable. Merchants subject to EU/UK/Swiss data-protection law may request a signed copy of the SCCs via [privacy@tryordinary.com](mailto:privacy@tryordinary.com). ## Change log Date | Change | 2026-04-20 | Initial launch list published | 2026-06-09 | Listed the Amazon Selling Partner API (SP-API) as a distinct data-ingestion entry, alongside the existing Amazon Ads API. Same vendor (Amazon) and region (USA); read-only ingest of the merchant’s own Amazon Seller business data (sales & traffic, financials, inventory, orders) with no end-buyer personal data. |