Subprocessor list
Last updated: 2026-05-19
Effective date: 2026-05-19
Customer-facing URL: https://qortara.com/legal/subprocessors
MythologIQ Labs LLC ("we", "us", "our") engages the third-party providers listed below to process personal data on behalf of our customers in connection with the Qortara service ("Service"). Each subprocessor is bound by a written data-processing agreement with us that imposes data-protection obligations no less protective than those we owe to controller customers under the Data processing agreement at https://qortara.com/legal/dpa.
1. Current subprocessors
| Provider | Purpose | Data categories processed | Processing location | Compliance posture |
|---|---|---|---|---|
| Microsoft Azure (Microsoft Corporation) | Hosting and infrastructure: compute (Container Apps, App Services), data stores (PostgreSQL Flexible Server, Cosmos DB), storage (Blob Storage), identity (Entra ID, Azure AD B2C), messaging (Service Bus), secrets (Key Vault), networking (Front Door, APIM), observability (Application Insights, Log Analytics) | All Service data, including account identifiers, authentication identifiers, audit events, policy decisions, trust attestations, usage telemetry, support communications routed through Service surfaces | Customer-selected Azure region: US Central (default); US East/West, EU North/West for Pro and above; custom regions for Enterprise | ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, HIPAA-eligible, EU Standard Contractual Clauses, EU-US Data Privacy Framework, FedRAMP High |
| Stripe, Inc. | Payment processing and subscription management for direct (non-Marketplace) signups | Email, name, billing address, payment-instrument tokens, transaction history, IP address, device fingerprint | United States, with global processing as needed | PCI-DSS Level 1, SOC 1/2, ISO 27001, EU Standard Contractual Clauses, EU-US Data Privacy Framework |
| Microsoft (Azure Marketplace) | Subscription fulfilment, billing, and metering for customers who purchase through Azure Marketplace; identity flow-through under Microsoft AI Cloud Partner Program | Azure subscription ID, tenant ID, purchaser email and name, plan identifier, subscription status, usage records | Microsoft's commerce systems (US-anchored, with regional replicas) | Same as Microsoft Azure entry above; subject to Microsoft AI Cloud Partner Program terms |
| Twilio SendGrid (Twilio Inc.) | Transactional email delivery: account-activation emails, billing receipts, security notifications, password resets, support correspondence | Recipient email address, recipient name, message content, delivery status metadata | United States | SOC 2 Type II, ISO 27001, EU Standard Contractual Clauses, EU-US Data Privacy Framework, HIPAA-eligible BAA available |
| GitHub Inc. (Microsoft subsidiary) | Source-code hosting and container-image registry; CI/CD pipelines that build and ship the Service | Service source code (no customer personal data routinely processed); build logs may incidentally contain test fixtures | United States | SOC 1/2 Type II, ISO 27001, EU Standard Contractual Clauses; inherits Microsoft compliance posture |
2. Notes on Marketplace-fulfilled subscriptions
Customers who purchase the Service through Azure Marketplace are additionally subject to processing by Microsoft under the Microsoft AI Cloud Partner Program. The 30-day data-retention TTL described in the Privacy policy at https://qortara.com/legal/privacy §7.1 applies to such subscriptions on cancellation.
3. Notes on Trust Federation
When a customer enables Trust Federation, signed attestations may be exchanged with other Qortara customers' tenants that the customer has authorized as federation peers. Those peers act as independent controllers of the personal data contained in the attestations they receive; they are not Qortara subprocessors. The customer is responsible for the legal basis of any cross-organization sharing it configures.
4. Changes to this list
We will give controllers at least 30 days' advance notice before adding a new subprocessor by updating this page and, on request, by email to the controller contact on file. Controllers under the Data processing agreement may object on reasonable grounds related to data protection within that notice period by writing to privacy@qortara.com. The objection procedure is described in the Data processing agreement §5.
5. Subscribe to subprocessor change notifications
To receive email notification when this page is updated, write to privacy@qortara.com with subject line "Subscribe: subprocessor updates" and the controller contact email for your tenant.
6. Contact
- Subprocessor questions:
privacy@qortara.com - Legal:
legal@qortara.com