OpenTrace Subprocessor List
Last updated: April 30, 2026 · Effective date: April 30, 2026
1. Purpose of this list
This list identifies the third parties ("Subprocessors") that OpenTrace, Inc. ("OpenTrace") engages to assist in providing the OpenTrace hosted Service. It is published at docs.opentrace.com/subprocessor-list/ and is incorporated by reference into the OpenTrace Terms of Service and Data Processing Addendum (DPA).
OpenTrace publishes this list to give Customers visibility into who has access to Customer Data, what they do with it, where they process it, and what cross-border transfer mechanism applies. OpenTrace will provide notice of any new Subprocessor before that Subprocessor begins processing Customer Data, by updating this list and, where Customer has provided an email address for such notifications, by email.
2. Current Subprocessors
The following Subprocessors are engaged as of the Effective Date of this list. Categories of personal data are described at the level relevant to a privacy assessment; specific records and fields are processed only as necessary to deliver the function described.
Google Cloud Platform and Neo4j AuraDB are the Subprocessors used to store Customer Data as part of the core Service data layer (including Connected Data, Derived Artifacts, queries, prompts, Outputs, saved chat history, account data, and integration credentials). Stripe stores billing contact data and tokenizes payment card data for paid Service Plans, but does not have access to other Customer Data. The remaining Subprocessors process operational, telemetry, diagnostic, or interface-observation data only and are not intended to contain Customer Data, but diagnostic tools — in particular Sentry session replay — may incidentally capture rendered Customer Data visible in the web interface, subject to the masking, retention, and disablement controls described in Section 2.6 of the OpenTrace Privacy Statement.
| Subprocessor | Role / Purpose | Categories of personal data processed | Processing location(s) | Cross-border transfer mechanism |
| --- | --- | --- | --- | --- |
| Google Cloud Platform (including Firebase) | Cloud hosting; application infrastructure; database services | Customer Data, including Connected Data, Derived Artifacts, queries, prompts, Outputs, saved chat history, account data, integration credentials, application logs, and operational telemetry | United States; other Google Cloud regions as configured by OpenTrace | EU SCCs (Module 2) where applicable; UK IDTA / Addendum |
| Google Analytics (Google LLC) | Web analytics for opentrace.com | Device and connection data, page views, referrer, anonymised IP, usage events | United States | EU SCCs (Module 2); UK IDTA / Addendum |
| Sentry (Functional Software, Inc.) | Error monitoring, crash reporting, and session replay | Diagnostic context (URL, request parameters, stack traces) which may incidentally include identifiers, subject to scrubbing rules; session replay recordings that may capture rendered UI content including Connected Data, Derived Artifacts, queries, query results, and chat content, subject to masking and filtering as described in the Privacy Statement | United States; EU region available | EU SCCs (Module 2); UK IDTA / Addendum |
| LaunchDarkly, Inc. | Feature flag management and progressive delivery | Account identifier, environment metadata, feature flag evaluation context | United States | EU SCCs (Module 2); UK IDTA / Addendum |
| Clerk, Inc. | Identity, authentication, and session management | Identity and contact data, authentication credentials (hashed), session tokens | United States | EU SCCs (Module 2); UK IDTA / Addendum |
| Grafana Cloud (Grafana Labs, Inc.) | Observability, metrics, logs, and tracing for Service operations | Operational telemetry, performance metrics, application logs | United States; EU region available | EU SCCs (Module 2); UK IDTA / Addendum |
| Neo4j, Inc. (Neo4j AuraDB) | Managed graph database | Derived Artifacts (knowledge graph) and structural representations of Connected Data, including identifiers such as function and variable names, log patterns, and similar metadata | United States; other AuraDB regions as configured by OpenTrace | EU SCCs (Module 2); UK IDTA / Addendum |
| Stripe, Inc. (and Stripe Payments Europe Limited for EU customers) | Payment processing for paid Service Plans | Billing contact data (name, billing address, email, tax identifiers); payment card data is collected and tokenized by Stripe directly and is not stored by OpenTrace | United States; Ireland | EU SCCs (Module 2); UK IDTA / Addendum |
3. AI / model providers
As of the Effective Date of this list, OpenTrace does not engage any third-party large language model provider, embedding model provider, or other machine learning service as a Subprocessor, and OpenTrace's server-side infrastructure does not transmit Customer Code, Connected Data, Derived Artifacts, query content, or Outputs to any such service. This reflects the commitment in Section 4.6 of the OpenTrace Terms of Service. OpenTrace anticipates introducing functionality in which the Service will make LLM calls on Customer's behalf from Service infrastructure, using either OpenTrace's own contracts with an LLM provider or Customer-supplied API keys. Before such functionality applies to Customer's configuration, OpenTrace will update this list where applicable and obtain Customer's prior opt-in consent in accordance with the Terms of Service.
4. Customer-supplied AI provider keys
OpenTrace's open-source command-line tools and the OpenTrace web interface running in Customer's browser may permit Customer to configure direct connections to AI providers (for example, Anthropic, OpenAI, Google) using Customer-supplied API keys. Where Customer uses this configuration, the AI provider is not engaged by OpenTrace as a Subprocessor: the network call to the AI provider is initiated from Customer's environment (the local component or the browser) and is not proxied through OpenTrace's server. Customer's relationship with the AI provider is governed by Customer's agreement with that provider. Responses received from the AI provider may be processed and stored by the Service when integrated with Service features such as saved chat history; where stored on Service infrastructure, those responses are treated as Customer Data and are processed by the Subprocessors listed above. Customer-supplied AI providers are intentionally not listed above because OpenTrace does not engage them as Subprocessors.
5. Affiliates
OpenTrace may use its own Affiliates (entities under common control) to provide internal support, security, and operational services. Affiliates are bound by confidentiality and data protection terms no less protective than those that apply to third-party Subprocessors. As of the Effective Date, OpenTrace has no Affiliates engaged in this capacity.
6. Notice of changes
OpenTrace will provide notice of any new Subprocessor, or any change in the role of an existing Subprocessor that materially expands the categories of Customer Data processed, before that change takes effect. To subscribe to email notifications, contact privacy@opentrace.com. Customer's right to object to a new Subprocessor and the consequences of objection are set out in the OpenTrace DPA.
7. Contact
Questions about this list, the role of a particular Subprocessor, or the cross-border transfer mechanism applicable to your data may be sent to:
OpenTrace, Inc.
14205 N Mo Pac Expy, Ste 570, PMB 640435
Austin, Texas 78728-6529, USA
Email: privacy@opentrace.com
— End of Subprocessor List —