Sub-processors
To provide OWL we rely on a small number of third-party service providers ("sub-processors"). This page lists each one, what it does, and what data it receives. Because OWL is end-to-end encrypted, your file and message contents stay encrypted throughout — no sub-processor ever receives readable content.
1. Infrastructure
| Sub-processor | Purpose | Data it receives | Location |
|---|---|---|---|
| Amazon Web Services (Lightsail) | Server hosting & storage | All stored data — encrypted content remains encrypted; plus account metadata and logs | United States |
2. Payments
You only interact with a payment processor if you buy a paid product or subscription. Card details are entered on the processor's own hosted page and never touch our servers.
| Sub-processor | Purpose | Data it receives | Location |
|---|---|---|---|
| Stripe | Payment processing | Name, email, and card details you enter on their page | United States / global |
| PayPal | Payment processing | Name, email, and payment details you enter on their page | United States / global |
3. AI assistant (optional)
These apply only if you use OWL's optional AI features (the QUAIL assistant or AI-assisted modeling). When the model is not self-hosted, the relayed content goes to a third-party AI provider. We do not send your account identity, and we require that your prompts and images are not used to train models.
| Sub-processor | Purpose | Data it receives | Location |
|---|---|---|---|
| Third-party AI provider (when not self-hosted; subject to change) | Generate AI assistant responses | Your prompt text and any screenshots you submit — no account identity; no training use | Varies by provider |
4. Connected cloud accounts (optional, user-initiated)
These apply only if you choose to import files from a third-party cloud. The connection happens between your browser/app and the provider; OAuth tokens are encrypted to your own key before any storage.
| Sub-processor | Purpose | Data it receives | Location |
|---|---|---|---|
| Dropbox | Cloud import you initiate | OAuth consent and the files you explicitly select | United States / global |
| Microsoft (OneDrive) | Cloud import you initiate | OAuth consent and the files you explicitly select | United States / global |
| Google (Drive) | Cloud import you initiate | OAuth consent and the files you explicitly select | United States / global |
5. Email
We send transactional and opt-in email (verification, password resets, receipts, and any digests you enable) from our own server. We do not route your email address or message content through a third-party email-delivery provider.
6. Changes to this list
We keep this page current as our providers change. For material changes to sub-processors that handle personal data, we update this page; enterprise customers who require advance notice of sub-processor changes can request it via security@ndevr.org.