Security

Subprocessors

Third-party services that process data on behalf of Orion.

Orion Subprocessor List

Last Updated: January 2026

Operated by Cognitive Edge LLC

This page lists the third-party subprocessors that Orion engages to provide our coaching platform services. All subprocessors are bound by Data Processing Agreements (DPAs) that include Standard Contractual Clauses where applicable.


Change Notification

We will provide 30 days' advance notice before engaging any new subprocessor. To receive notifications, contact ernesto.humpierres@executivesignal.ai.

If you object to a new subprocessor, you may submit a written objection within 30 days of notification. We will work with you to address concerns or, if we cannot reach a resolution, you may terminate affected services.


Current Subprocessors

Infrastructure & Hosting

| Subprocessor | Purpose | Data Location | Website |
|--------------|---------|---------------|---------|
| Supabase | Database, authentication, and backend services | United States (AWS) | supabase.com |
| Render | Frontend and backend application hosting | United States | render.com |

AI Services

| Subprocessor | Purpose | Data Location | Website |
|--------------|---------|---------------|---------|
| OpenAI | AI coaching chat and natural language processing | United States | openai.com |
| Mem0 | AI memory layer for personalized coaching context | United States | mem0.ai |


Subprocessor Details

Supabase

Purpose: Supabase provides our core database infrastructure, user authentication, and real-time data synchronization.

Data Processed: Account information, coaching session data, user preferences, and platform usage data.

Security: SOC 2 Type II certified. Data encrypted at rest (AES-256) and in transit (TLS). Row-level security enforced.

More Info: Supabase Security


Render

Purpose: Render hosts our web application frontend and backend API services.

Data Processed: Application requests, session data in transit, and server logs (including IP addresses).

Security: SOC 2 Type II certified. All data encrypted in transit. Automatic security updates.

More Info: Render Security


OpenAI

Purpose: OpenAI provides the large language model (LLM) that powers our AI coaching chat feature.

Data Processed: Coaching conversation messages sent to the AI for generating responses.

Key Protections:

  • No training on your data: OpenAI is contractually prohibited from using API data to train their models
  • Data retention: Data retained for up to 30 days for abuse monitoring, then deleted
  • Data Processing Agreement: Signed DPA in place

More Info: OpenAI Enterprise Privacy | OpenAI DPA


Mem0

Purpose: Mem0 provides the memory layer that enables our AI to remember context from previous coaching conversations, delivering more personalized interactions.

Data Processed: Extracted conversation context, user preferences, and coaching themes.

Key Protections:

  • SOC 2 compliant
  • Supports data export and deletion

More Info: Mem0


Data Flow Overview

┌─────────────────────────────────────────────────────────────┐
│                        USER                                  │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                    RENDER (Hosting)                          │
│              Frontend & Backend Application                  │
└─────────────────────────────────────────────────────────────┘
                              │
              ┌───────────────┼───────────────┐
              ▼               ▼               ▼
┌─────────────────┐  ┌─────────────┐  ┌─────────────┐
│    SUPABASE     │  │   OPENAI    │  │    MEM0     │
│    Database     │  │   AI Chat   │  │   Memory    │
│ Authentication  │  │  Responses  │  │   Layer     │
└─────────────────┘  └─────────────┘  └─────────────┘

Data Processing Agreements

All subprocessors listed above have signed Data Processing Agreements that include:

  • Obligations to process data only on our documented instructions
  • Confidentiality commitments for personnel processing data
  • Appropriate technical and organizational security measures
  • Restrictions on sub-subprocessor engagement
  • Cooperation with data subject rights requests
  • Data deletion upon termination of services

AI Provider Commitments

Our AI providers (OpenAI, Mem0) are contractually prohibited from:

  • Using your data to train their AI models
  • Retaining data beyond what is necessary for processing
  • Sharing data with third parties except as required by law

Data sent to AI providers is processed transiently to generate responses and is not used to improve their general-purpose models.


Contact

For questions about our subprocessors or to request our Data Processing Agreement, contact:

ernesto.humpierres@executivesignal.ai


Change Log

| Date | Change |
|------|--------|
| January 2026 | Initial subprocessor list published |


This list is reviewed quarterly and updated as our infrastructure evolves.