Trust Center
Third parties that process data to deliver ORA services.
Last updated: April 25, 2026
This list discloses third-party service providers (sub-processors) that process personal data on 3D3D’s behalf to deliver ORA services. This list is maintained for GDPR Article 28 compliance and is provided for transparency.
We provide 30 days prior notice of new sub-processors via email. You may object to new sub-processors by contacting [email protected] within 10 days of notice.
| Sub-Processor | Service | Data Processed | Location | Transfer Basis |
|---|---|---|---|---|
| Cloud model endpoint (only if you enable one — none by default) | AI model inference — processes requests only when you configure a cloud lane | Prompts, agent requests, context sent to your configured model endpoint | Global (US-based data centers) | The provider’s terms; Standard Contractual Clauses where applicable |
| Cloudflare, Inc. | Web infrastructure, CDN, DDoS protection, privacy-respecting analytics | IP addresses (anonymized for analytics), server logs (72-hour retention), no cookies | Global (EU data centers available) | EU Standard Contractual Clauses; US adequacy framework |
| Payment Processor (TBD at launch) | Subscription billing and payment processing | Payment card data (not stored by 3D3D; PCI-DSS compliant processor), billing address | US/EU depending on provider | Standard Contractual Clauses; adequacy decisions as applicable |
| MCP Memory Service (self-hosted by default) | Agent memory storage and retrieval | Agent memory entries stored by your configured MCP endpoint | Your configured location (local by default) | Under your control — not a 3D3D sub-processor when self-hosted |
We notify customers by email at least 30 days before adding a new sub-processor. Changes to sub-processor terms are communicated as they occur. Last updated: April 25, 2026.