Sub-processors

Version 1.0 — Last updated: May 2026

The following sub-processors are engaged by NexCyberEU to deliver the platform. Each is bound by a written agreement that includes the GDPR Article 28(3) obligations. Material changes are notified to customers under DPA §4 with a 30-day advance notice. See our Data Processing Agreement and Privacy Policy for the full data protection framework.

Hetzner

Hetzner Online GmbH (Germany)

Purpose: Primary database hosting (PostgreSQL self-hosted) and application infrastructure for the production backend.
Data categories: Tenant accounts, assessment data, evidence file metadata, audit logs.
Hosting region: EU — Falkenstein and Nuremberg (Germany).
Transfer mechanism: Intra-EU processing; no third-country transfer.

Vercel

Vercel Inc. (United States)

Purpose: Hosting and global edge delivery of the NexCyberEU web application (frontend).
Data categories: Request metadata (IP, user-agent, timing) for routing and caching. No persistent storage of personal data at this layer.
Hosting region: Edge network including EU points of presence; control plane in the US.
Transfer mechanism: EU Standard Contractual Clauses (2021) + EU-US Data Privacy Framework (where applicable).

Fly.io

Fly.io Inc. (United States)

Purpose: Backend API runtime hosting (FastAPI services) in EU regions.
Data categories: Application logs, ephemeral request data. Persistent customer data is stored in Hetzner-hosted PostgreSQL, not on Fly.
Hosting region: EU — primary region cdg (Paris, France).
Transfer mechanism: Standard Contractual Clauses; primary processing in EU region.

Cloudflare

Cloudflare Inc. (United States)

Purpose: DNS, CDN, DDoS protection, secure tunnel (Cloudflare Tunnel) for repository access, TLS termination on the public edge.
Data categories: Connection metadata (IP, user-agent, route). No persistent customer payload.
Hosting region: Global edge with EU regional caching policies enabled.
Transfer mechanism: EU Standard Contractual Clauses + Cloudflare GDPR addendum.

Stripe

Stripe Payments Europe Ltd (Ireland)

Purpose: Payment processing, subscription billing, customer portal, invoicing.
Data categories: Customer email, billing address, payment method tokens, transaction history.
Hosting region: Stripe acts as an independent controller for payment data; EU processing via Stripe Payments Europe Ltd (Dublin).
Transfer mechanism: EU Standard Contractual Clauses where US transfers occur; Stripe DPA.

Anthropic

Anthropic PBC (United States)

Purpose: AI-assisted analysis for the optional Claude-powered features (e.g. evidence type resolution, doctrine assistant).
Data categories: Anonymised assessment snippets when AI features are explicitly used. No customer-identifying data sent.
Hosting region: US compute; the API endpoint is hit only when an AI feature is invoked.
Transfer mechanism: EU Standard Contractual Clauses + Anthropic Zero Data Retention agreement (API tier).

OpenAI

OpenAI Ireland Ltd (Ireland)

Purpose: AI-assisted regulatory ontology resolution (GPT-5) when invoked by NexCyberEU staff during ontology governance workflows. Not exposed in customer-facing features at the date hereof.
Data categories: Anonymised regulatory text and labels. No customer personal data.
Hosting region: EU contractual entity (Ireland); compute may include US regions under SCCs.
Transfer mechanism: EU Standard Contractual Clauses + Zero Data Retention API tier where applicable.

PurelyMail

PurelyMail LLC (United States)

Purpose: Transactional email delivery (account verification, password reset, billing notifications, audit notifications).
Data categories: Email address of the recipient, subject and content of transactional messages.
Hosting region: Primary processing in the United States.
Transfer mechanism: Standard Contractual Clauses; minimal content to satisfy the messaging purpose only.

PostHog

PostHog Inc. (United States, EU region operated)

Purpose: Product analytics for the authenticated application — feature usage, funnel analysis, error tracking. Cookieless and IP-anonymised configuration.
Data categories: Pseudonymous tenant identifier, event names, page paths. No payload content.
Hosting region: EU — Frankfurt (Germany).
Transfer mechanism: Processing entirely in EU region. SCCs available if the US fallback is enabled.

Requesting changes or objections

Customers may object to the engagement of a new sub-processor in writing within 30 days of notification. Reach our privacy team via our privacy contact form to lodge an objection or to request the signature-ready DPA including this Sub-processor Annex.