Sub-processor Register
Third-party sub-processors that process personal data on behalf of NextSDS — ID.AM-4
Last verified: 2026-06-23 | Owner: CTO | Review cycle: Quarterly
NextSDS engages the sub-processors below to deliver its services. A Data Processing Agreement (DPA) is in place with each, incorporating Standard Contractual Clauses (SCCs) where personal data is transferred outside the EEA. Primary data storage and AI processing take place within the EU.
| Sub-processor | Purpose | Hosting region | DPA |
|---|---|---|---|
| Supabase | Primary database, authentication, file storage | EU (AWS eu-central-1, Frankfurt) | Yes |
| Vercel | Frontend hosting, serverless functions, CDN | Global edge network | Yes |
| Cloudflare | Edge compute, WAF, DDoS protection, CDN | Global edge network | Yes |
| Modal | Serverless compute for backend workloads | EU | Yes |
| Qdrant | Vector database for search and retrieval | EU (GCP managed cloud) | Yes |
| Upstash | Redis cache, rate limiting, queues | EU | Yes |
| Sub-processor | Purpose | Hosting region | DPA |
|---|---|---|---|
| Mistral | OCR and document extraction from SDS documents | EU | Yes |
| OpenRouter | LLM inference and structured data extraction | EU endpoints | Yes |
AI is used solely for document extraction (OCR and structured data extraction). Downstream quality scoring, hazard and regulatory classification, and enrichment are deterministic rules and code, not AI. Document content is not used for model training and is not retained by the AI providers: no-training routing and Zero Data Retention are enabled.
| Sub-processor | Purpose | Hosting region | DPA |
|---|---|---|---|
| Resend | Transactional email (authentication emails) | EU (Ireland) | Yes |
| Trigger.dev | Background job processing | EU | Yes |
| Sub-processor | Purpose | Hosting region | DPA |
|---|---|---|---|
| PostHog | Product analytics (EU instance) | EU | In process |
| OpenPanel | Product analytics | EU | Yes |
| Sub-processor | Purpose | Hosting region | DPA |
|---|---|---|---|
| GitHub (Microsoft) | Source control and CI/CD | Global | Yes |
| Sub-processor | Purpose | Hosting region | DPA |
|---|---|---|---|
| AWS | Underlying infrastructure for Supabase | EU (eu-central-1) | Yes |
| Google Cloud | Underlying infrastructure for Qdrant | EU | Yes |
- Uptime monitoring (Better Stack) is not listed as a sub-processor: it processes service availability metadata only, not customer personal data.
- DPA mechanisms: the Supabase, Resend, and OpenPanel DPAs are signed. The remaining DPAs are incorporated by reference into the respective service agreements. The PostHog DPA is in process.
- Residency: all sub-processors are EU-hosted except the Vercel and Cloudflare global edge networks. SCCs apply to transfers outside the EEA.
| Dimension | Level | Rationale |
|---|---|---|
| Confidentiality | Low | Intended for sharing with customers and prospects; no sensitive internal detail |
| Integrity | High | Must reflect the actual set of sub-processors and DPA status |
| Availability | Moderate | Required for customer due diligence and audits |