2026

Subprocessors


O2X Human Performance engages certain third-party service providers ("Subprocessors") to process personal information or consumer health data on behalf of O2X in connection with the delivery of the O2X Offerings. O2X enters into written agreements with each Subprocessor that require the Subprocessor to implement appropriate security and privacy safeguards and to limit its use of personal data to the purposes specified in the agreement.

The following table identifies all current Subprocessors authorized to process data on behalf of O2X.

| Subprocessor | Service Description | Categories of Data Processed | Country of Processing | BAA Status |
|---|---|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure hosting, compute, storage, database, and networking services for the O2X platform | Consumer health data, user account information, platform usage data | United States | BAA Executed (February 2026) |
| Rippling, Inc. | Human resources management, payroll processing, benefits administration, employee onboarding, and compliance management | Employee personally identifiable information | United States | BAA Executed (February 2026) |
| Google Cloud | Workspaces (Docs, Sheets, Slides, Forms) | Consumer health data | United States | BAA Executed (June 2026) |


If O2X adds a new Subprocessor or materially changes the scope of an existing Subprocessor's access to personal data, this list will be updated. Customers who have entered into a Data Processing Agreement with O2X will receive advance written notice of Subprocessor changes as described in that agreement.

For questions regarding O2X's use of Subprocessors, please contact us at info@o2x.com.

Vendor Lifecycle Management

Vendor Risk Classification

Each Subprocessor listed above is assigned a risk level based on the sensitivity and volume of data processed, the criticality of the service to O2X operations, and the potential impact of a service failure or data breach. Risk levels are defined as follows:

High: The Subprocessor stores or has access to sensitive data (including consumer health data or employee PII) and a failure of this vendor would have critical impact on O2X business operations or regulatory compliance.

Moderate: The Subprocessor has limited access to non-sensitive operational data and a failure would not critically impact O2X business operations.

Low: The Subprocessor does not store or access personal data and a failure would have minimal operational impact.

Both Amazon Web Services, Inc. and Rippling, Inc. are classified as High risk due to their access to consumer health data and employee PII, respectively.

Annual Review and Ongoing Monitoring

O2X reviews each Subprocessor relationship at least annually. The annual review includes verification of current compliance certifications (such as SOC 2, ISO 27001, or HIPAA eligibility), confirmation that Business Associate Agreements remain in force and reflect the current scope of data processing, and assessment of any security incidents or material changes reported by the Subprocessor during the review period. The VP of Engineering is responsible for conducting and documenting each annual review.

Subprocessor Offboarding

When a Subprocessor relationship is terminated or a Subprocessor is removed from this list, O2X will ensure that all personal data and electronic protected health information held by the Subprocessor is returned or securely destroyed in accordance with the terms of the applicable Business Associate Agreement or Data Processing Agreement. O2X will update this list to reflect the removal, and customers with executed Data Processing Agreements will be notified as described in the O2X Platform Terms (Section 4.5).