NordixSystems

Subprocessors

Every third party we rely on to deliver Nordix Systems — what they do, where they store data, and how they protect it.

The list

SubprocessorPurposeData categoryRegion
Amazon Web Services (AWS)Compute, storage, databases, content deliveryAll operational dataEU (Ireland, Stockholm) by default
Amazon SESTransactional email (booking confirmations, password resets, lead notifications)Email addresses, message contentEU
StripePayment processing (when invoicing through cards)Cardholder data tokenized at sourceEU / global per Stripe's residency
Plausible AnalyticsCookieless, anonymous web analyticsPageview events, country (geo-IP), referrer, device classEU (Germany)
Anthropic, OpenAI, AWS BedrockAI model providers for the Nordix BIOS engineConversation content (operator → agent → action)EU and US — see DPA addendum
Postmark (legacy)Transactional email — being phased out in favour of SESEmail addresses, message contentUS

How we choose them

Three criteria, in order:

  1. Data residency — by default we want EU storage. Exceptions (e.g. a US-based AI provider) are documented in the DPA addendum and offered with explicit opt-in.
  2. Contractual rigor — every subprocessor signs a Data Processing Agreement aligned with GDPR Art. 28 and LGPD Art. 39. We refuse to integrate with services that cannot sign a DPA.
  3. Track record — we prefer providers with public incident histories, public status pages, and SOC 2 / ISO 27001 audits over those that promise privately and report nothing.

How we update this list

Material additions (new subprocessor handling personal data) are announced at least 30 days before activation, on this page and via email to customers under a signed MSA. Customers may object to a specific subprocessor; we work with them to find an alternative or, if no alternative exists, document the exception.

Customer rights

Under your MSA you may at any time:

  • Request a full inventory of which subprocessors touch your tenant.
  • Receive a copy of any DPA we hold with a subprocessor on request.
  • Be notified within 72 hours of any confirmed security incident at a subprocessor that affected your data.

Contact

Questions about subprocessors or DPAs: security@nordixsystems.com or privacy@nordixsystems.com.

This list was last updated on 2026-05-12.