Outset — Sub-processors
Last updated: 2026-05-26
This page lists every sub-processor Outset Pty Ltd uses to provide the platform, along with the data they receive, the region they operate in, and the contractual protection that applies.
A "sub-processor" is any third party that processes personal information on Outset's behalf — i.e., on behalf of the law firm that is the data controller.
We commit to giving law firms 30 days' notice before adding or materially changing a sub-processor that touches personal information. Notice goes via the firm's primary admin contact and this page is updated at the same time.
Core infrastructure (every firm)
| Sub-processor | Service | Region | Data | Safeguard |
|---|---|---|---|---|
| Amazon Web Services (AWS) — Compute | ECS Fargate (API + workers) | Sydney (ap-southeast-2) | All platform data in memory during processing | AWS Customer Agreement + DPA; SOC 2 Type II |
| AWS — Storage | RDS Postgres | Sydney | Enquiries, sessions, settings, encrypted PII | KMS at-rest + AES-256-GCM column-level |
| AWS — KMS | Key management for EBS volumes | Sydney | Encryption keys (not data) | Customer-managed CMKs, IAM-scoped |
| AWS — Bedrock | Claude inference (matter detection + extraction) | Sydney | Call notes, widget answers (in-flight only) | Zero Data Retention contract — no training, no retention |
| AWS — SES | Email delivery (verification codes, follow-ups) | Sydney | Recipient email + message body | TLS in transit; content destroyed after delivery |
| AWS — CloudWatch | Logs, metrics, alarms | Sydney | Structured application logs (no PII in log bodies — see PII redactor) | KMS-encrypted log groups; IAM-restricted access |
| AWS — CloudFront | CDN for the widget + dashboard | Sydney edge | Static assets (no PII) | TLS 1.2+ |
| Clerk | Authentication & SSO for law-firm staff | US (control plane) / AU edges | Staff email, name, org membership | Clerk SOC 2 Type II; staff PII only (not client PII) |
Optional sub-processors (when the firm enables them)
| Sub-processor | Service | Region | When | Safeguard |
|---|---|---|---|---|
| Twilio | SMS delivery (verification codes) | AU carriers via Twilio | Firm enables SMS verification | Carrier-billed AU paths; SMS content destroyed after delivery |
| Cal.com | Booking link generation | Firm's own self-hosted Cal.com or Cal.com SaaS | Firm uses Cal.com as their calendar provider | DPA between firm and Cal.com directly |
| LEAP / Smokeball / Actionstep / Clio | Practice Management System | Per-vendor (see vendor's data residency) | Firm has connected a PMS | Firm's existing agreement with the PMS vendor |
| Microsoft Graph (365 / Bookings) | Calendar integration | Microsoft AU region (if firm tenant is AU) | Firm uses Microsoft 365 calendar | Firm's existing Microsoft tenant agreement |
| Google Workspace | Calendar integration | Per Google Workspace agreement | Firm uses Google Calendar | Firm's existing Workspace agreement |
| Inngest | Workflow / cron / follow-up scheduler | Sydney (Inngest Cloud) — see vendor docs | Used by every deployment | Inngest DPA; payload contents are IDs only, no PII bodies |
| PostHog (optional) | Product analytics on the dashboard | Self-hosted in Sydney, OR PostHog Cloud EU if the firm permits | Firm sets VITE_POSTHOG_KEY | Firm-controlled opt-in; events do not carry client PII |
Explicitly NOT used
We have considered and declined the following common SaaS dependencies to avoid cross-border data flow:
- Sentry / Datadog / New Relic — error tracking. We use CloudWatch (Sydney) only. Exception bodies are structured JSON and do not carry PII fields (see the PII redactor + the AllExceptionsFilter logging shape).
- Anthropic API direct in production. The codebase supports Anthropic direct for local development convenience, but NODE_ENV=production hard-forces Bedrock-via-IAM at the resolver level and ignores any ANTHROPIC_API_KEY that happens to be in the prod env. See apps/api/src/modules/inference/inference.service.ts.
Change notification
If you are a law firm and want to be notified about sub-processor changes:
- Make sure your primary admin contact in Settings → Firm profile is up to date.
- Watch this page (it's also in the GitHub repo at docs/SUBPROCESSORS.md) — material changes show in the commit history with at least 30 days' lead time before they go into effect.
- You can object to a sub-processor change in writing within the 30-day notice window. If we cannot accommodate the objection, you may terminate the affected service for the relevant sub-processor.