Trust Centre
Sub-Processor List
Last updated: . The version published here is authoritative.
Statement
OrcaVaults is deployed on Customer hardware in the Customer's physical environment. The software does not transmit Customer data to any external service in the ordinary course of operation.
FlowOrca Ltd engages no Sub-Processors that process Customer Personal Data.
This is a structural feature of OrcaVaults's architecture, not a contingent commercial choice. Adding a Sub-Processor that processes Customer Personal Data would require changing OrcaVaults's air-gapped deployment model, and would be communicated to all Customers in advance under the change-control provisions of the Master Services Agreement.
FlowOrca corporate operations
The following service providers support FlowOrca's corporate operations (billing, communications, marketing-website hosting). None of these providers process Customer Personal Data through OrcaVaults. They are listed for full transparency.
| Provider | Purpose | Location | Data type |
|---|---|---|---|
| Google Workspace | FlowOrca staff email | EU / US | FlowOrca corporate data only |
| Cloudflare Pages | floworca.com static-site hosting | Global CDN | None (static marketing only) |
| Xero | Corporate accounting | EU / US | FlowOrca corporate financial data only |
| Cal.com (or equivalent) | Briefing scheduling | EU / US | Prospect contact details voluntarily submitted |
| HubSpot | Lead capture and CRM | EU / US | Prospect contact details voluntarily submitted |
Change procedure
Customers will receive written notification at least 30 days in advance of any addition of a new Sub-Processor that would process Customer Personal Data through OrcaVaults. Customers may object in writing within the notice period; if no commercial resolution is reached, Customer may terminate the affected Service without penalty.
This list is reviewed at least quarterly. Subscribe to change notifications by emailing privacy@floworca.com.