Subprocessors

Every third party we work with, in the open

These are the companies that process customer data on Norcube's behalf. We name them, we say what they do, and we explain why the data transfer is lawful.

EU primary hosting · DPF or SCCs for non-EU · No advertising vendors · Updated when we change

Last updated: 2026-05-19

Why this page exists: GDPR Article 28 requires us to tell you who else gets your data. We list every subprocessor here. We email enterprise customers in advance when we add a new one; otherwise we just update this page. If you want to be notified of any change, email [email protected].

# How to read this

For each subprocessor we list:

  • What they do — the specific service we use them for
  • What data they see — what categories of personal data we pass to them
  • Where they are — country of operation; relevant for cross-border transfers
  • Legal basis for transfer — EU-US Data Privacy Framework, Standard Contractual Clauses, EU adequacy decision, or "EU only" if no transfer

If you want a copy of any subprocessor's DPA with us, ask — most are public, some are confidential but we will summarise.

# Infrastructure

Amazon Web Services (AWS)

  • Used for: All compute, storage, database, networking, and caching infrastructure. The Norcube platform runs entirely on AWS
  • Data: Everything you store in Norcube
  • Location: AWS Frankfurt region (eu-central-1). Data does not leave the EU
  • Legal basis for transfer: No EU-to-non-EU transfer applies — data stays in EU. AWS, Inc. (the US parent) is certified under the EU-US Data Privacy Framework and offers Standard Contractual Clauses, both incorporated via the AWS Data Processing Agreement that applies to our account
  • AWS compliance: SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, FedRAMP, many more
  • Vendor URL: aws.amazon.com

# Payments

Stripe

  • Used for: Subscription billing, invoicing, payment-method storage. Card details never touch our servers — they go directly from your browser to Stripe via Stripe Elements
  • Data: Billing identity (name, email, billing address), card identifiers (pm_xxx, never raw card numbers), invoice records
  • Location: Stripe operates globally; for EU customers, data is primarily processed within the EU under Stripe's regional hosting
  • Legal basis for transfer: Stripe, Inc. (US parent) is certified under the EU-US Data Privacy Framework, and the Stripe Data Processing Agreement (which auto-applies to merchants) includes Standard Contractual Clauses
  • Stripe compliance: PCI DSS Level 1 service provider, SOC 1, SOC 2 Type II, ISO 27001
  • Vendor URL: stripe.com

# AI processing

OpenAI

  • Used for: Translation (LangSync), content classification (DomainRadar brand monitor), prompt-driven AI features (PromptHub), name generation; that is, whenever a Norcube product invokes an AI model
  • Data: Only the specific text you choose to send through an AI feature. The API call carries the input text + product context; OpenAI returns model output
  • Location: OpenAI API endpoints, primarily US-based
  • Legal basis for transfer: Standard Contractual Clauses under OpenAI's Data Processing Addendum. API content is not used to train OpenAI's models (this is contractually guaranteed under their enterprise API terms)
  • Retention: OpenAI retains API content for up to 30 days for abuse monitoring, then deletes. You can request zero-data-retention for enterprise accounts directly via OpenAI
  • OpenAI compliance: SOC 2 Type II, ISO 27001
  • Vendor URL: openai.com

# Email

Mailgun (Sinch)

  • Used for: Transactional email only (signup verification + email-change codes, password resets, account-deletion notifications, billing receipts + dunning, ops alerts). We don't send marketing email through Mailgun today; if we ever start, it would route through a dedicated marketing-email provider, not this Mailgun account
  • Data: Recipient email addresses, message content (which contains identifying info like your name and account events)
  • Location: EU region (api.eu.mailgun.net) — Mailgun account is configured to keep email data in the European Union
  • Legal basis for transfer: Sinch (Mailgun's parent) is certified under the EU-US Data Privacy Framework. Mailgun's DPA includes Standard Contractual Clauses
  • Mailgun compliance: SOC 2 Type II, HIPAA-eligible
  • Vendor URL: mailgun.com

# Analytics

PostHog (EU Cloud)

  • Used for: Web analytics on norcube.com (only after you accept the cookie banner) and product analytics inside app.norcube.com (page views and feature-usage events such as "translation synced", "backup created"). Auto-capture is disabled; session recordings are disabled. We capture page views and events we explicitly call
  • Data: A random visitor identifier (distinct_id), page URLs, basic device info (browser family, OS), and the explicit events we emit. PostHog uses the visitor's IP address for coarse geolocation (city level) and stores it briefly for fraud / abuse detection; it is then aggregated to country/region. We do not capture form contents, keystrokes, or clicks beyond page navigation
  • Location: PostHog EU Cloud — data hosted in Frankfurt (AWS eu-central-1). Data does not leave the EU in normal operation
  • Legal basis: On norcube.com — your consent (Art. 6(1)(a) GDPR + ePrivacy Art. 5(3)) via the cookie banner. Inside app.norcube.com — our legitimate interest in improving the product (Art. 6(1)(f)); PostHog is configured in memory-only mode so it sets no cookies and writes nothing to localStorage in the app, keeping it outside ePrivacy Art. 5(3) scope. You can object at any time via the opt-out toggle in account settings (right to object, Art. 21). The DPA governs PostHog's processing as our sub-processor
  • Legal basis for transfer: PostHog Inc. (US parent of the EU instance) signs the PostHog DPA which incorporates EU Standard Contractual Clauses
  • Retention: PostHog retains analytics data for as long as your account exists; you can request deletion of any visitor's data via the PostHog dashboard at any time
  • PostHog compliance: SOC 2 Type II, ISO 27001, HIPAA-eligible (US Cloud only); the EU instance is hosted on certified AWS infrastructure
  • Vendor URL: posthog.com · EU instance

# Operational tools (we use, they touch your data)

The five vendors above are the complete list of subprocessors that touch your data. If we add another, we will list it here and notify enterprise customers in advance.

# Customer-enabled integrations (not our sub-processors)

Some Norcube products let you connect your own third-party accounts (for example, a knowledge-base API, a chat tool, or a Git provider). When you do, your data flows from Norcube to that vendor under your contract with them — not under any contract Norcube has with them. We are not their customer; we relay your instructions on your behalf.

We do not list customer-enabled integrations here because the contractual relationship is yours, not ours. The data-protection terms come from the third party directly. If you want to understand them, check with the vendor.

# Operational tools (we use, they do NOT touch your customer data)

For completeness — these tools handle our internal operations, never customer content:

  • GitHub (US, DPF + SCCs) — source code hosting, CI/CD
  • Slack (US, DPF + SCCs) — internal team communication
  • Stripe Tax / accounting software — Czech tax compliance
  • AWS again — for our internal monitoring (CloudWatch logs)

These don't process customer data, so they aren't subprocessors under the GDPR Article 28 definition — but we mention them here because some customers ask.

# Changes to subprocessors

When we change this list (adding, removing, or replacing a subprocessor), we:

  1. Update this page with the change and the date
  2. Email enterprise customers who have a notice clause in their contract, at least 30 days in advance
  3. Other customers see the change reflected here

To opt into change-notification email, write to [email protected] and ask to be added to the subprocessors mailing list.

# Right to object

Per our DPA, you may object to a new subprocessor on legitimate grounds. If we can't resolve the objection, you may terminate the affected portion of the service. To object, email [email protected].
