ISMS Compliance

Sub-processor Register

Third-party sub-processors that process personal data on behalf of NextSDS — ID.AM-4

Last verified: 2026-06-23 | Owner: CTO | Review cycle: Quarterly

NextSDS engages the sub-processors below to deliver its services. A Data Processing Agreement (DPA) is in place with each, incorporating Standard Contractual Clauses (SCCs) where personal data is transferred outside the EEA. Primary data storage and AI processing take place within the EU.

Infrastructure and hosting

| Sub-processor | Purpose | Hosting region | DPA |
|---|---|---|---|
| Supabase | Primary database, authentication, file storage | EU (AWS eu-central-1, Frankfurt) | Yes |
| Vercel | Frontend hosting, serverless functions, CDN | Global edge network | Yes |
| Cloudflare | Edge compute, WAF, DDoS protection, CDN | Global edge network | Yes |
| Modal | Serverless compute for backend workloads | EU | Yes |
| Qdrant | Vector database for search and retrieval | EU (GCP managed cloud) | Yes |
| Upstash | Redis cache, rate limiting, queues | EU | Yes |

AI and document processing

| Sub-processor | Purpose | Hosting region | DPA |
|---|---|---|---|
| Mistral | OCR and document extraction from SDS documents | EU | Yes |
| OpenRouter | LLM inference and structured data extraction | EU endpoints | Yes |

AI is used solely for document extraction (OCR and structured data extraction). Downstream quality scoring, hazard and regulatory classification, and enrichment are deterministic rules and code, not AI. Document content is not used for model training and is not retained by the AI providers: no-training routing and Zero Data Retention are enabled.

Communications and operations

| Sub-processor | Purpose | Hosting region | DPA |
|---|---|---|---|
| Resend | Transactional email (authentication emails) | EU (Ireland) | Yes |
| Trigger.dev | Background job processing | EU | Yes |

Analytics

| Sub-processor | Purpose | Hosting region | DPA |
|---|---|---|---|
| PostHog | Product analytics (EU instance) | EU | In process |
| OpenPanel | Product analytics | EU | Yes |

Development and source control

| Sub-processor | Purpose | Hosting region | DPA |
|---|---|---|---|
| GitHub (Microsoft) | Source control and CI/CD | Global | Yes |

Underlying infrastructure

| Sub-processor | Purpose | Hosting region | DPA |
|---|---|---|---|
| AWS | Underlying infrastructure for Supabase | EU (eu-central-1) | Yes |
| Google Cloud | Underlying infrastructure for Qdrant | EU | Yes |

Notes

  • Uptime monitoring (Better Stack) is not listed as a sub-processor: it processes service availability metadata only, not customer personal data.
  • DPA mechanisms: the DPAs with Supabase, Resend, and OpenPanel are individually signed. The remaining DPAs are incorporated by reference into the respective service agreements. The PostHog DPA is in process.
  • Residency: all sub-processors are EU-hosted except the Vercel and Cloudflare global edge networks. SCCs apply to transfers outside the EEA.

Classification

| Dimension | Level | Rationale |
|---|---|---|
| Confidentiality | Low | Intended for sharing with customers and prospects; no sensitive internal detail |
| Integrity | High | Must reflect the actual set of sub-processors and DPA status |
| Availability | Moderate | Required for customer due diligence and audits |