Compliance

Sub-processors

Last updated: May 2026

These are the third-party vendors with potential access to customer data on hosted Octopus. Self-hosted Octopus has none of these by default — your data stays within your own infrastructure unless you explicitly configure an integration that needs an external vendor (e.g. Slack notifications or a non-self-hosted LLM provider).

Required status:

  • always — needed for the hosted service to function at all
  • conditional — only when the customer uses the feature
  • self-host-only — only when the customer deploys the self-hosted version

Current sub-processors

| Vendor | Purpose | Required | Location |
|---|---|---|---|
| AWS (us-east-1) | Hosted infrastructure: web application, API, PostgreSQL, Qdrant, object storage | always | United States |
| Anthropic | Claude LLM for code review and Q&A | conditional | United States |
| OpenAI | GPT/Codex LLM for code review, plus OpenAI embeddings for vector indexing | conditional | United States |
| Google (AI Studio) | Gemini LLM for code review | conditional | United States |
| Cohere | Rerank API for retrieval result reranking | conditional | Canada |
| Resend | Transactional email (welcome, daily summary, security notifications) | always | United States |
| Stripe | Payment processing for paid plans | conditional | United States |
| Cloudflare R2 | Object storage for organisation avatars | always | Multi-region |
| GitHub | Repository hosting, webhooks, OAuth, GitHub App installation | conditional | United States |
| GitLab | Repository hosting (Cloud or self-managed), webhooks, OAuth | conditional | Varies (customer-controlled for self-managed) |
| Bitbucket | Repository hosting, webhooks, OAuth | conditional | Varies |
| Slack | Slack integration — posting review notifications, answering Q&A from Slack | conditional | United States |
| Linear | Create issues from review findings | conditional | United States |
| Pubby | Real-time messaging (WebSocket pub/sub) for live chat streaming and the Live Activity dashboard | conditional | United States |
| Atlassian (Jira) | Create issues from review findings | conditional | Varies |

Change notifications

We notify customers of additions or material changes to this list via email and a CHANGELOG entry at least 30 days before the change takes effect, unless the change is required for security or a vendor outage.

Data residency

Hosted Octopus runs in AWS us-east-1. We do not currently offer regional residency options. Self-host if your compliance requirements mandate data residency in a specific region.