Last updated: 10 June 2026
Sub-processors
Draft under legal review. This document is a working draft prepared for review by qualified counsel. It is not legal advice and should not be relied on until that review completes.
1. About this list
This page lists the third-party service providers (sub-processors) that onTerms uses to deliver the service at onterms.org. Where onTerms acts as a processor for a business customer under a data processing addendum, or as a controller of personal data described in our Privacy Policy, these providers may process personal data on our behalf within the meaning of Article 28 UK GDPR and Article 28 EU GDPR.
onTerms is a business-to-business service. The personal data involved is primarily business-contact data: party legal names, signatory names, business addresses and business email addresses contained in signed orders, plus account and billing records. See the Privacy Policy for full detail on what we collect and why, and our Terms of Service for the contractual framework.
Operating entity. This list is published by Rated Counsel Limited, trading as onTerms (registered in England and Wales, company number 11812572, registered office 5 Golden Mede, Waddesdon HP18 0NG, United Kingdom).
2. Core sub-processors
The following providers are engaged for every deployment of onTerms. They are bound by data processing terms with onTerms and process personal data only to provide their service to us.
| Sub-processor | What it does for onTerms | Data involved | Region |
|---|---|---|---|
| Vercel Inc. | Hosting and serverless compute for the web application and APIs. Also provides Vercel Web Analytics, which is cookieless and is loaded only after you opt in via the consent banner. | All service traffic passes through Vercel: request metadata (IP address, user agent) and the content of pages and API calls served. Analytics data is aggregated and cookieless, collected only with opt-in consent. | United States (primary region iad1) |
| Neon Inc. | Managed Postgres database, the primary data store for the service. | Account records; signed orders (including party legal names, signatory names, business addresses and business email addresses); signature records; dispute records. | United States (AWS us-east-1) |
| WorkOS Inc. | Authentication via AuthKit: sign-in, session management and organisation membership. | Name, email address, organisation membership, session data. | United States |
| Stripe Inc. (including Stripe Identity) | Payment processing, subscription billing and the customer billing portal. Where identity verification (KYC) is enabled on your plan, verification is performed by Stripe Identity; onTerms stores the verification status only, not your identity documents. | Billing details and payment card data (held by Stripe, not by onTerms); subscription and invoice records; identity verification status. | United States / global |
| Postmark (ActiveCampaign, LLC) | Transactional email delivery, including counterparty signing invitations. | Recipient name and email address; signing invitation links. | United States |
3. Optional services (only when enabled on your plan/deployment)
The following services are built into the platform but are not enabled by default. They process data only if and when the relevant feature is switched on for your plan or deployment.
| Sub-processor | What it does for onTerms | Data involved | Region |
|---|---|---|---|
| Upstash, Inc. | API rate limiting. | Rate-limit counters keyed to hashed identifiers; no personal data beyond those hashed identifiers. | United States |
| Vercel AI Gateway, routing to Anthropic PBC and/or OpenAI, LLC | Model access for Tier 2A AI mediation and award drafting assistance within the dispute tools. This integration is inert until an AI gateway key is configured and is not enabled by default. | Dispute record content submitted for analysis, which may include party names, signatory names and the substance of the dispute. | United States |
4. Services that are not sub-processors
- Squarespace is our domain registrar and DNS provider only. It does not process service data and is not a sub-processor.
- Signing keys are non-custodial. Your signing keys (passkeys, or party-held Ed25519 keys) are generated and held by you or your device platform; no third party processes them on our behalf. onTerms holds one private key of its own, used solely to sign transparency-log tree heads.
- The public transparency log stores cryptographic hashes (content hash and leaf hash), not order bodies, and the public verify endpoint returns inclusion proofs and status, not order content.
5. International transfers
The providers above are established in, or store data in, the United States. Where personal data subject to the UK GDPR or EU GDPR is transferred to them, we rely on the safeguards in each provider’s data processing terms: the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum (or the UK IDTA), and, where the provider holds a current certification, the EU-US Data Privacy Framework and its UK Extension. Details for each provider are set out in our Privacy Policy.
6. Changes to this list
Before engaging a new sub-processor, or materially changing what an existing one does for us, we will:
- update this page; and
- give customers who have a data processing addendum with us notice by email at least 30 days before the new sub-processor begins processing personal data, so they can review and, where their addendum provides for it, object.
We recommend bookmarking this page if you need to track our sub-processor list for your own compliance records.
7. Contact
Questions about this list or our data processing arrangements: hello@ratedcounsel.com.
Last reviewed: 10 June 2026.