Last updated:
These are the vendors NvisionData relies on to run the service. They process customer data on our behalf — under written contracts that bind them to confidentiality, security, and the GDPR's processor obligations.
We keep the list short on purpose. Each vendor is here because removing it would materially degrade the service. The role column says exactly what each one does for us so you can see at a glance which categories of data sit where.
“Region” is where the vendor stores or primarily processes the data. Where a US-headquartered vendor is unavoidable, we rely on the European Commission's Standard Contractual Clauses and the additional safeguards each vendor publishes — see our Privacy Policy for the transfer detail.
| Vendor | Role | Region | Certifications |
|---|---|---|---|
| Vercel | Console hosting (Next.js, edge + serverless functions) | EU (fra1) | SOC 2 Type II, ISO 27001, PCI DSS |
| Fly.io | Collector, console-api, consent-engine, worker (compute) | EU (ams) | SOC 2 Type II |
| Hetzner | Collector and worker compute (self-managed cluster) | EU (Falkenstein FSN1) | ISO 27001 |
| Cloudflare | Edge network, DDoS protection, DNS | Global edge (request data routed to nearest PoP) | SOC 2 Type II, ISO 27001, PCI DSS |
| Supabase | Postgres metadata database, authentication | EU (eu-central-1) | SOC 2 Type II |
| ClickHouse Cloud | Event store (raw events, aggregates) | EU (eu-central-1, Frankfurt) | SOC 2 Type II, ISO 27001, HIPAA-eligible |
| Stripe | Payment processing, subscription management, metered billing | United States (with EU SCCs) | SOC 2 Type II, ISO 27001, PCI DSS Level 1 |
| Sentry | Error monitoring and performance tracing | United States (with EU SCCs) | SOC 2 Type II, ISO 27001 |
| Resend | Transactional email (magic links, billing receipts, alerts) | United States (with EU SCCs) | SOC 2 Type II |
Certifications listed are those each vendor publishes for the regions and product editions we use. They are not certifications held by NvisionData itself — see our security section for that.
When we add a sub-processor, we update this page at least 30 days before the change takes effect, and we email customers on paid plans. If you object during the notice window — for example because the new vendor doesn't fit your own compliance posture — write to legal@nvisiondata.com and we'll work with you on an acceptable path (which may include cancelling without penalty).
When we remove a sub-processor we update the page at the same time as the change ships; there's no advance-notice obligation for removals.
The list above describes NvisionData Cloud. If you self-host NvisionData, the only sub-processors that apply to you are the ones you configure — your own database, your own object store, the destinations you opt in to. We don't hold your data, so we are not a sub-processor in your stack.