
Sub-processors

Every third party OilFlow Network shares Customer Data with, why, where they operate, and how they're contractually bound.

Schedule 3 · live · Self-attested

This is OilFlow Network’s standard form. Counsel review is in progress; this document is published self-attested so procurement teams can begin their review without waiting on us. Custom redlines are accepted in pilot agreements. Negotiated changes for executed contracts override anything written here. For the executed paper, contact legal@oilflow.us.

Sub-processors

Last verified against code: 2026-04-26 (series-a/tier-1 T1.10)
Refresh trigger: any new entry in .env.example for an external service.
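An added example (not OilFlow Network's tooling) of turning the refresh trigger above into a check: it parses a constructed .env.example, treats credential-looking variables as external-service entries, and flags any whose trailing comment names no vendor in this register, or that carries no comment at all. The sample file contents, the variable names and the suffix heuristic are assumptions made for the example; the vendor list is copied from the register on this page.

```python
import re

# Vendor names as they appear in the register on this page; a vendor's first
# word is enough to match the comment naming the service on the env line.
REGISTERED_VENDORS = [
    "Anthropic", "Supabase", "Stripe", "DocuSign", "Resend", "Vercel",
    "Hostinger", "Sentry", "Telegram", "OpenSanctions", "OpenCorporates",
    "Apollo", "Hunter", "TradingEconomics", "EIA", "MarineTraffic",
    "GitHub", "Cloudflare",
]

# Constructed sample .env.example; not the project's real file.
SAMPLE_ENV_EXAMPLE = """\
# Core services
DATABASE_URL=            # Supabase Postgres connection string
SUPABASE_SERVICE_KEY=    # Supabase service-role key
ANTHROPIC_API_KEY=       # Anthropic Claude API
STRIPE_WEBHOOK_SECRET=   # Stripe webhook signing secret
SENTRY_DSN=              # Sentry crash reporting
LOG_LEVEL=info
NEWVENDOR_API_KEY=       # Acme Enrichment API
UNDOCUMENTED_TOKEN=
"""

# KEY=value with an optional trailing "# comment".
LINE_RE = re.compile(
    r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=[^#]*(?:#\s*(.*))?$"
)
# Variable-name suffixes that usually mean "credential or endpoint for an
# external service" (heuristic assumed for this example).
EXTERNAL_SUFFIX = re.compile(r"(?:API_KEY|SECRET|TOKEN|DSN|URL|SERVICE_KEY)$")


def parse_env_example(text: str) -> list[tuple[str, str]]:
    """Return (variable, comment) pairs for every assignment line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), (m.group(2) or "").strip()))
    return entries


def names_registered_vendor(comment: str, vendors) -> bool:
    """Whole-word, case-insensitive match so short names like EIA do not
    fire on unrelated words."""
    return any(
        re.search(r"\b" + re.escape(v) + r"\b", comment, re.IGNORECASE)
        for v in vendors
    )


def audit_env_example(text: str, vendors=REGISTERED_VENDORS) -> dict[str, list[str]]:
    """Classify each external-service variable against the register.

    ok           -> comment names a registered vendor
    unregistered -> comment names a service missing from the register (add a row)
    uncommented  -> no comment at all (checklist step 1 not done)
    """
    result = {"ok": [], "unregistered": [], "uncommented": []}
    for var, comment in parse_env_example(text):
        if not EXTERNAL_SUFFIX.search(var):
            continue  # plain config such as LOG_LEVEL, not a sub-processor hook
        if not comment:
            result["uncommented"].append(var)
        elif names_registered_vendor(comment, vendors):
            result["ok"].append(var)
        else:
            result["unregistered"].append(var)
    return result


if __name__ == "__main__":
    for bucket, names in audit_env_example(SAMPLE_ENV_EXAMPLE).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Run against the real file, a non-empty `unregistered` or `uncommented` bucket is the signal that this register needs a new row before the change merges.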

The "sub-processor" definition follows the GDPR Article 28 sense: any third party that processes personal data of a member, lead, or deal counterparty on behalf of OilFlow Network.

| # | Vendor | Region | Data processed | Purpose | Contract type |
|---|---|---|---|---|---|
| 1 | Anthropic, PBC | US (us-east-1) | Member application text (email, company name, beneficial owner names — minimised via shared/pii_scrubber.py:anonymize_for_verification before send), match scoring inputs (anonymised supply/demand pairs), market intel raw HTML | Claude API for KYC risk assessment, deal scoring, intel synthesis | Anthropic Commercial Terms; zero-day data retention enabled |
| 2 | Supabase, Inc. | US (Vercel ↔ Supabase US East) | Members, leads, supply/demand listings, matches, deal documents, error/audit logs | Primary database, auth, storage, realtime subscriptions | Supabase MSA; SOC 2 Type 2 attestation on file |
| 3 | Stripe, Inc. | US | Payment method, billing address, transaction amounts, customer email | Subscription billing + invoice payments | Stripe Services Agreement; PCI-DSS Level 1 certified |
| 4 | DocuSign, Inc. | US | Member name + email + company; signed PDF of NCNDA, LOI, ICPO, SCO, FCO, IMFPA, SPA contracts | E-signature, including HMAC-verified Connect webhooks | DocuSign MSA; FedRAMP-authorized |
| 5 | Resend, Inc. | US | Recipient email, message body (transactional + outreach) | Transactional email (member confirmations, reset links) and outreach campaigns | Resend ToS; SPF/DKIM/DMARC configured per sending domain |
| 6 | Vercel, Inc. | Global edge network | Frontend HTTP traffic (no DB writes), session cookies | Next.js hosting + edge runtime | Vercel Enterprise terms; SOC 2 Type 2 |
| 7 | Hostinger International Ltd. | EU (Lithuania) → VPS in chosen region | Agent process logs, daemon stdout/stderr | KVM2 VPS hosting the agent fleet (oilflow-daemon) | Hostinger Business; no member PII processed beyond what's in error_log (PII-scrubbed) |
| 8 | Sentry, Inc. | US | Stack traces from agents + frontend (PII scrubbed via shared/logger.py:scrubpii) | Crash reporting | Sentry MSA; PII scrubbing in before_send hook |
| 9 | Telegram Messenger LLP | Global (operator-only chat) | Operator alert messages — names hashed/truncated to 8 chars before send | Operator-only ops alerts (no member-facing communication) | Telegram Bot API ToS |
| 10 | OpenSanctions / OFAC / UN / EU / UK | Public datasets | Member name + company + country (sent to public APIs) | Sanctions screening | Public-data APIs; no PII retention by these providers |
| 11 | OpenCorporates | UK | Company name + country | Company-registration verification | OpenCorporates API ToS |
| 12 | Apollo.io / Hunter.io | US | Lead company + contact name (sent to public lookup APIs) | Lead enrichment | Per-API ToS; opt-out honored on leads.unsubscribed |
| 13 | TradingEconomics / EIA / MarineTraffic | US / Global | None (read-only public data) | Market intel data sources | Public-data APIs |
| 14 | GitHub | US | Repository contents + commit metadata | Source of truth for code; private repo | GitHub Enterprise terms |
| 15 | Cloudflare | Global edge | DNS, WAF, DDoS mitigation | Edge security | Cloudflare Enterprise terms |

Data flow simplification

```
[Member browser]
      │ (HTTPS)
      ▼
[Vercel edge — Next.js] ──→ [Supabase Postgres + Auth + Storage]
      │ (HTTPS)                          ▲
      │                                  │
      ▼                                  │ (HTTPS)
[Resend] (transactional email)           │
[Stripe] (payment)                       │
[DocuSign] (e-signature)                 │
                                         │
[oilflow-daemon on Hostinger VPS] ───────┘
      │
      ├─→ [Anthropic Claude API]
      ├─→ [OpenSanctions / OFAC / UN / EU / UK]
      ├─→ [OpenCorporates / Apollo / Hunter]
      ├─→ [TradingEconomics / EIA / MarineTraffic]
      └─→ [Telegram Bot API] (operator alerts)
```

Adding a new sub-processor

Engineering checklist:

  1. Add the env var to .env.example with a comment naming the service.
  2. Add a row to the table above, including data class processed and contract type.
  3. If the service processes PII, add the relevant API key to SENSITIVEKEYS in shared/logger.py so the scrubber catches it in error_log payloads.
  4. If the service has a webhook, add HMAC verification + idempotency dedup table (mirror processed_webhooks / processed_docusign_envelopes).
  5. Update data-retention.md with the retention period for any data the new sub-processor stores on our behalf.
  6. Note the addition in the changelog at the bottom of this file.
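Step 4 (HMAC verification plus an idempotency dedup table) as an added illustration, not OilFlow Network's code: the header names, the signed-string layout, the table schema and the secret are all assumptions constructed for this example, and real providers each define their own signing scheme. The two checks run in a fixed order, authenticity first, so that a forged request can never pre-claim a delivery id and cause the genuine delivery to be dropped as a duplicate.

```python
import hashlib
import hmac
import sqlite3

# Shared secret for the hypothetical webhook sender. In a real deployment it
# comes from the env var registered in .env.example; this value is constructed.
WEBHOOK_SECRET = b"example-webhook-secret-not-real"

# Reject signed payloads older than this, so a captured delivery cannot be
# replayed indefinitely even if its row is later purged from the dedup table.
MAX_SKEW_SECONDS = 300


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<body>', hex-encoded (assumed scheme)."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, timestamp: int, body: bytes,
                     presented: str, now: int) -> bool:
    """Freshness window plus constant-time comparison of the MAC."""
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign_payload(secret, timestamp, body)
    return hmac.compare_digest(expected.encode(), presented.encode())


class ProcessedWebhooks:
    """Idempotency table: one row per delivery id already handled.

    Illustrative stand-in for the dedup tables the checklist refers to; the
    project's real schema is not part of this example.
    """

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        conn.execute(
            "CREATE TABLE IF NOT EXISTS processed_webhooks ("
            "delivery_id TEXT PRIMARY KEY, received_at INTEGER NOT NULL)"
        )

    def claim(self, delivery_id: str, now: int) -> bool:
        """True the first time an id is seen, False on a replay. The PRIMARY
        KEY makes the claim atomic even with several workers racing."""
        try:
            with self.conn:
                self.conn.execute(
                    "INSERT INTO processed_webhooks VALUES (?, ?)",
                    (delivery_id, now),
                )
            return True
        except sqlite3.IntegrityError:
            return False


def new_processed_webhooks() -> ProcessedWebhooks:
    """In-memory table for demos and tests."""
    return ProcessedWebhooks(sqlite3.connect(":memory:"))


def handle_webhook(headers: dict, body: bytes, table: ProcessedWebhooks,
                   now: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Return 'accepted', 'duplicate' or 'rejected'.

    Header names are assumptions for this example. Authenticity is checked
    before the dedup table is touched, so forged requests cannot burn ids.
    """
    try:
        timestamp = int(headers["X-Example-Timestamp"])
        signature = headers["X-Example-Signature"]
        delivery_id = headers["X-Example-Delivery-Id"]
    except (KeyError, ValueError):
        return "rejected"
    if not verify_signature(secret, timestamp, body, signature, now):
        return "rejected"
    if not table.claim(delivery_id, now):
        return "duplicate"
    # Business logic for the event would run here, after both checks.
    return "accepted"


if __name__ == "__main__":
    table = new_processed_webhooks()
    now = 1_700_000_000
    body = b'{"event":"envelope-completed","envelope_id":"demo-1"}'
    headers = {
        "X-Example-Timestamp": str(now),
        "X-Example-Signature": sign_payload(WEBHOOK_SECRET, now, body),
        "X-Example-Delivery-Id": "delivery-1",
    }
    print(handle_webhook(headers, body, table, now))  # first delivery
    print(handle_webhook(headers, body, table, now))  # provider retry
```

The `received_at` column is what lets a retention job prune the table later; the freshness window above is the reason pruning does not reopen a replay hole.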

Changelog

  • 2026-04-26: First version (series-a/tier-1 T1.10). Verified against .env.example and code at commit time.