Sub-processors
Last updated: 2026-04-21
This page lists the vendors Norden Vision OÜ engages to help deliver nordenagent.com. It supplements our Data Processing Addendum and Privacy Policy. We will update it whenever the stack changes and will give at least 14 days’ notice by email and in-app banner before a new sub-processor starts handling customer Personal Data.
To subscribe to update notifications even if you are not a logged-in customer, email privacy@nordenagent.com and ask to be added to the sub-processor changes list.
Core infrastructure
Always engaged. Processes customer Personal Data on our instruction to deliver the Service.
| Sub-processor | Purpose | Hosting location | Transfer mechanism |
|---|---|---|---|
| Supabase (Supabase Inc.) | Primary Postgres database, authentication, object storage, Vault for integration secrets, Realtime. | EU (eu-central-1) | No transfer — EU storage. |
| Stripe (Stripe Payments Europe, Ltd.) | Subscription billing, invoicing, tax (Stripe Tax + EU OSS), Stripe Connect Express for affiliate payouts, Radar fraud prevention. | Ireland (primary), US (parent) | Processing primarily in the EU; US transfers covered by SCCs Module 2. |
| Resend (Resend, Inc.) | Transactional email delivery (signup confirm, password reset, billing receipts, quota alerts, workflow failure notices, affiliate commission emails). | US (eu-west-1 sending pool) | SCCs Module 2, sending from eu-west-1 (AWS SES backbone). |
| OpenRouter (OpenRouter Inc.) | LLM + image-model gateway. Routes requests to Anthropic Claude, OpenAI, Google Gemini, and Nano-Banana image generation. Per their enterprise terms, prompts and outputs are not used to train the underlying models. | US | SCCs Module 2. Underlying model providers are also US-based and bound by their own SCCs. |
| Hostinger (Hostinger International Ltd.) | VPS hosting for the Next.js application and cron worker. Domain DNS + email MX for the support mailbox. | EU (Lithuania / Netherlands) | No transfer — EU hosting. |
| Let's Encrypt (Internet Security Research Group) | TLS certificate issuance for nordenagent.com. Certificate Authority restricted by our CAA DNS record. | US | No personal data transferred — only the domain name. |
Operational
Always engaged, but either process only technical metadata or data that has been stripped of PII.
| Sub-processor | Purpose | Hosting location | Transfer mechanism |
|---|---|---|---|
| Sentry (Functional Software, Inc.) | Application error tracking and performance monitoring. PII (keys, tokens, Bearer headers, auth cookies) is scrubbed server-side before events leave the app. | US | SCCs Module 2. |
| Slack (Slack Technologies, LLC) | Our internal operations channel (drift monitor, health alerts). Customer-side Slack integration only activates if the customer connects Slack inside Settings → Integrations. | US / EU (regional data residency where applicable) | SCCs Module 2. |
| GitHub (GitHub, Inc.) | Source-code hosting, CI/CD (GitHub Actions), dependency security scanning (Dependabot, gitleaks). No production customer data. | US | SCCs Module 2. |
Optional
Engaged only when the corresponding environment variable / configuration is set. Listed here so the entire production topography is transparent.
| Sub-processor | Purpose | Hosting location | Transfer mechanism |
|---|---|---|---|
| Upstash (Upstash, Inc.) | Redis-compatible distributed rate-limit store. Only stores ephemeral counter keys (e.g., per-IP request counts), never customer content. | EU (Frankfurt) or US, depending on configuration | SCCs Module 2 where US-region is selected. |
| BetterStack (Better Stack Ltd.) | Public uptime monitoring of /api/health and marketing pages. Receives only HTTP status codes and timing. | EU (Czech Republic) | No transfer — EU storage. |
Customer-connected integrations
These third parties are not sub-processors of ours in the classical sense — you instruct us to exchange data with them on your behalf under the scopes/permissions you grant. They remain independent controllers of the data on their own side. We are listed as a processor relative to you when moving data into or out of them.
| Integration | Purpose (only active when you connect it) |
|---|---|
| Meta (Facebook, Instagram Ads) | Ad account and ads library access, audience data, campaign performance, ad publishing — only when the customer connects Meta. |
| Google (Ads, Analytics 4) | Campaign and conversion data, GA4 web analytics — only when the customer connects Google. |
| Shopify / WooCommerce / Klaviyo | Orders, products, customer metrics, email-flow revenue — only when the customer connects the respective store or list. |
| Reddit, LinkedIn, X (Twitter), TikTok | Growth-loop publishing and lead discovery — only when the customer connects the respective network. |
| Anthropic, OpenAI, Google (Gemini) | Reached indirectly via OpenRouter; see the OpenRouter row above. |
Change log
- 2026-04-21 — Initial published version. Replaced speculative Vercel entry with the actual Hostinger VPS deployment, added OpenRouter, Let’s Encrypt, Sentry, BetterStack, Upstash, and the customer-connected integrations table.