Subprocessor Disclosure

Subprocessors

The third-party services we rely on to operate SupportStudioK12. This page is the canonical reference cited in our DPA Exhibit H — we update it here when subprocessors change, not via a separate notification process.

Platform subprocessors

Vendors we directly contract with. District data may flow through these as part of normal platform operation.

Hetzner Cloud Infrastructure

Primary application hosting. Application servers, PostgreSQL database, Redis cache.
Data processed: All tenant data at rest · Region: Ashburn, Virginia, USA · Encryption: At rest and in transit · Website: hetzner.com

Cloudflare Infrastructure

DNS, DDoS mitigation, TLS termination via Cloudflare Tunnel, and object storage (R2) for file attachments and encrypted nightly backups.
Data processed: TLS in-flight traffic; file attachments and backups at rest in R2 · Region: Global network; R2 stored in USA · Encryption: At rest (R2) and in transit · Website: cloudflare.com

Postmark (ActiveCampaign)

Platform transactional email — signup verification, super-admin sign-in magic links, account-level notifications. Not used for tenant-scoped ticket notifications.
Data processed: Platform-level email metadata (recipient address, subject, timestamp, delivery status). No student data. · Region: USA · Website: postmarkapp.com

OpenAI AI (platform default)

Default LLM provider for AI features (ticket troubleshooting, KB suggestions, change risk assessment, exec summaries). Districts can replace this with their own OpenAI, Gemini, or Azure OpenAI key via Admin → Integrations → AI Provider — in which case AI calls route through the district's account instead.
Data processed: Ticket subject/description, KB content, and similar tenant text at inference time. No training on our data — OpenAI's Enterprise API terms apply. · Region: USA · Encryption: In transit; OpenAI retains zero-day logging for abuse monitoring only · Website: openai.com

Stripe Billing

Subscription billing and payment processing. Districts interact with Stripe directly through Checkout and the Customer Portal — payment card details never touch our servers.
Data processed: Billing contact, payment card (by Stripe, not us), subscription lifecycle events. No student data. · Region: USA · Compliance: PCI DSS Level 1 · Website: stripe.com

District-configured integrations

Vendors the district contracts with directly. They are not our subprocessors — the district retains the data-controller relationship — but we disclose them here for completeness so your DPA reviewer has a full picture.

Microsoft (Entra ID + Graph API) District's own tenant

SSO, user sync, and email notifications run through the district's own Microsoft 365 tenant with the district's app registration. We authenticate as the district's app, we never see the district's admin credentials.
Data processed: User directory (name, email, department, office location, extension attributes), sent/received ticket email. · Controlled by: The district.

Google Workspace District's own tenant

Alternative SSO path for Google-Workspace-only districts. Same model as Microsoft — OAuth 2.0 authorization code flow against the district's own OAuth client.
Data processed: User email + profile info on sign-in, hosted-domain check. · Controlled by: The district.

Twilio District's own account

SMS-to-ticket intake. Districts register their own Twilio account and A2P 10DLC campaign. We receive the webhook; Twilio is the district's carrier, not ours.
Data processed: SMS message content and sender phone number when users text the support number. · Controlled by: The district.

Mosyle / Microsoft Intune / Jamf / FileWave MDM — read-only

Optional read-only device sync from the district's MDM. We pull device info (serial, model, OS, last check-in) to show in ticket context. We never push commands or changes to devices.
Data processed: Device inventory metadata. No user-level device data beyond assignment. · Controlled by: The district.

SIS OneRoster endpoints District's own SIS

Optional read-only roster sync from the district's SIS (PowerSchool, Infinite Campus, Skyward, ClassLink Roster Server). We pull schools + users only — demographics, classes, and enrollments are intentionally skipped.
Data processed: School roster, user directory. · Controlled by: The district.

Change notifications

We'll update this page when we add or remove a subprocessor. Districts with a signed DPA on file are additionally notified by email at 30 days before any material change (new subprocessor gaining access to tenant data, or region change). You can always email us to ask when this page last changed.

Last updated: April 19, 2026

← DPA overview  ·  Service Level Agreement →  ·  Back to SupportStudioK12