Subprocessors

Saga PM engages a small set of third-party service providers to operate the platform. Each subprocessor below has executed a Data Processing Agreement with us and is bound by data-protection obligations no less protective than those we owe you.

Last updated: May 7, 2026

Active subprocessors

DigitalOcean, LLC

United States (NYC3 region)

Required
Purpose: Cloud infrastructure — compute (Kubernetes), managed PostgreSQL, object storage (Spaces) for attachments.
Data processed: All workspace content and account data hosted on DigitalOcean infrastructure.

Cloudflare, Inc.

Global edge

Required
Purpose: DNS resolution for sagapm.io and subdomains. DNS-only — Cloudflare does not proxy or terminate TLS for the application.
Data processed: Domain lookup metadata only.

Postmark (ActiveCampaign LLC)

United States

Required
Purpose: Transactional email delivery — invitations, password resets, in-app notifications, billing receipts.
Data processed: Recipient email addresses, names, and email message contents.

Stripe, Inc.

United States

Required
Purpose: Subscription billing and payment processing.
Data processed: Billing contact information, subscription metadata, and payment method details. Card details are entered directly into Stripe-hosted forms — Saga PM never sees raw card data.

Anthropic, PBC

United States

Optional
Purpose: Embedding generation for semantic search across goals, projects, records, and ideas.
Data processed: Entity titles and descriptions sent for embedding. Anthropic does not retain or train on customer data per our agreement.

Optional — semantic search is opt-in per workspace. Workspaces that have not enabled the feature do not transmit data to Anthropic.

Internal infrastructure

The following components are operated by Saga PM itself on top of DigitalOcean infrastructure. Because data never leaves the DigitalOcean environment, these are not separate subprocessors — but procurement teams routinely ask, so we list them for transparency.

Ory Kratos

Identity and authentication (password, TOTP, WebAuthn / passkeys, OIDC SSO).

Self-hosted on Saga PM infrastructure. Identity data resides in our managed PostgreSQL alongside other workspace data.

NATS JetStream

Internal event bus for asynchronous processing (notifications, embeddings, outbox).

Self-hosted on Saga PM infrastructure. Event payloads transit but do not persist outside the database.

River

Job queue for retryable background tasks (scheduled notifications, billing webhooks).

Self-hosted on Saga PM infrastructure. Backed by the same managed PostgreSQL database.

Notification of changes

When we engage a new subprocessor or remove an existing one, we update this page and notify subscribed customers at least 30 days in advance, except where the change is immediately necessary to maintain service availability or security.

To subscribe to subprocessor change notifications, email [email protected] with your workspace name and a contact address. Customers can object to a new subprocessor on reasonable data-protection grounds within the notice period; if a resolution cannot be reached, the affected customer may terminate the relevant portion of their agreement.

Questions?

Subprocessor-specific questions, redlines on our DPA, or data-residency requests: [email protected].