LEGAL · SUB-PROCESSORS
OnGravy sub-processors
Last updated: May 3, 2026 · Updated quarterly
🇮🇳 OnGravy uses these third-party services to deliver the platform. Most data stays in India (Mumbai region). Cross-border transfers are minimised + flagged below. Customers are notified 30 days in advance of any addition.
Per Section 8(7) of the Digital Personal Data Protection Act 2023 + Section 9 of OnGravy's Data Processing Agreement, customers (Data Fiduciaries) are notified of all sub-processors. New additions trigger a 30-day notice + the right to object. Object via privacy@ongravy.in.
| Vendor | Purpose | Data accessed | Region | Certifications | Since |
|---|---|---|---|---|---|
| Supabase | Primary database + authentication + file storage | All customer data - invoices, journals, employees, KYC documents | India (ap-south-1, Mumbai) | SOC 2 Type 2, HIPAA-eligible, ISO 27001 | 2025-04-01 |
| Vercel | Application hosting + edge function execution + asset CDN | Request payloads + response payloads in transit (not stored) | Mumbai (primary), Singapore (overflow) | SOC 2 Type 2, ISO 27001, GDPR-compliant | 2025-04-01 |
| Razorpay | Subscription billing + payment processing | Card details, UPI IDs, billing addresses (PCI-DSS scoped - OnGravy never touches raw card data) | India | PCI-DSS Level 1, ISO 27001 | 2025-04-01 |
| AWS S3 (via Supabase) | Encrypted object storage for user-uploaded documents (bills, bank statements, contracts) | Document files only - server-side encrypted with AES-256 | India (ap-south-1, Mumbai) | SOC 2, ISO 27001, HIPAA-eligible | 2025-04-01 |
| Resend | Transactional email delivery (OTPs, receipts, compliance reminders) | Email addresses + email body content | United States + EU (depending on customer route) | SOC 2 Type 2, GDPR-compliant | 2025-04-01 |
| Meta WhatsApp Business API | WhatsApp message delivery + receipt of customer-sent bills/photos | Phone numbers + message bodies + media uploaded by users | India + global (Meta's infrastructure) | ISO 27001, SOC 2 | 2025-04-01 |
| Anthropic (Claude) | AI processing - bill OCR, journal-entry suggestions, AI advisor responses | Anonymised invoice text + bill images for the duration of the inference (no training) | United States - Anthropic does NOT train on inference data per their commercial terms | SOC 2 Type 2 | 2025-08-01 |
| OpenAI | AI fallback - bill OCR + transcription when Claude unavailable | Same as Anthropic; opt-out of training data sharing enabled | United States | SOC 2 Type 2 | 2025-08-01 |
| AWS Textract (via integration layer) | Image-to-text extraction for low-confidence bills | Bill images for the duration of OCR processing only | India (ap-south-1, Mumbai) | SOC 2, PCI-DSS, HIPAA-eligible | 2025-08-01 |
| Sentry | Error tracking + crash reporting | Stack traces, request URLs, sanitised request bodies (PII auto-scrubbed) | United States | SOC 2 Type 2, ISO 27001, GDPR-compliant | 2025-04-01 |
How OnGravy minimises sub-processor risk
- Encryption in transit (TLS 1.2+) and at rest (AES-256) on every sub-processor
- Indian data primarily stored in Mumbai region (ap-south-1) - cross-border transfers limited to AI inference and email delivery
- Anthropic + OpenAI: opt-out of training data sharing exercised; data not retained beyond inference
- Sub-processor changes follow the 30-day notice in our DPA - customers can object
- Annual security review of every sub-processor
- Incident notification within 72 hours per DPDP Act Section 8(6)
Questions about sub-processors or data residency: privacy@ongravy.in