Sub-processor list

Third-party providers that process customer data on our behalf.

Sub-processor list

Last updated: 2026-04-25 Notification window: we publish updates to this page at least 30 days before a new sub-processor begins processing customer data, unless the change is required for security or legal reasons.

NoDowntimeShield uses the following sub-processors to deliver the platform. Each is bound by a Data Processing Agreement that meets or exceeds the protections in our customer DPA. If you would like a copy of the relevant agreement, email [email protected].

Core infrastructure

| Sub-processor | Purpose | Region | | ------------- | -------------------------------------------------------- | -------------- | | Supabase | PostgreSQL + Auth + Object Storage | US-East | | Upstash | Redis (queue + cache + rate-limit counters) | US-East / EU | | Vercel | Web hosting + CDN + edge functions | Global edge | | Fly.io | Worker container hosting | US-East |

Payments

| Sub-processor | Purpose | Region | | ------------- | -------------------------------------------------------- | -------------- | | Stripe | Subscription billing + Stripe Tax + checkout (incl. PayPal flow) | US/EU |

Communications

| Sub-processor | Purpose | Region | | ------------- | -------------------------------------------------------- | -------------- | | Brevo | Transactional email delivery (26 templates) | EU | | Kapso.ai | WhatsApp Business message routing | US |

Threat intelligence + AI

| Sub-processor | Purpose | Region | | ------------- | -------------------------------------------------------- | -------------- | | Anthropic | Claude LLM — finding triage + AI fix-config + chat | US | | OpenRouter | LLM router — fallback + cost optimisation | US | | OpenAI | LLM — fallback provider | US | | MiniMax | LLM — APAC-region fallback provider | APAC | | HIBP | Have I Been Pwned — breach + credential-leak data | US | | Google Safe Browsing | URL reputation classification | US | | VirusTotal | URL + file reputation enrichment | US | | MXToolbox | Email blacklist lookup | US | | URLScan.io | Phishing-page sandbox + screenshot | EU | | OSV.dev | Open-source vulnerability database | US | | NVD | National Vulnerability Database (CVSS metadata) | US | | EPSS | Exploit Prediction Scoring System | US |

Observability

| Sub-processor | Purpose | Region | | ------------- | -------------------------------------------------------- | -------------- | | Sentry | Application error tracking + performance monitoring | US |

DNS / domain

| Sub-processor | Purpose | Region | | ------------- | -------------------------------------------------------- | -------------- | | Namecheap | Domain availability lookup (brand-protection scanner) | US | | Cloudflare | WAF rule deployment + IP blocklist sync | Global edge |

What customer data each sub-processor receives

| Data category | Sub-processors that receive it | | -------------------------------------------- | ---------------------------------------------------------------------------- | | Account profile (email, name) | Supabase, Brevo, Stripe | | Billing details (last-4 PAN, address) | Stripe | | Scan findings + scan history | Supabase, Sentry (via error breadcrumbs only) | | Findings sent to LLM for plain-English rewrite | Anthropic, OpenRouter, OpenAI, MiniMax (per provider routing) | | Findings sent to alert channels | Brevo (email), Kapso (WhatsApp), customer-configured Slack / Teams / Jira | | Domain + DNS lookups | Google Safe Browsing, VirusTotal, MXToolbox, URLScan.io, Namecheap, OSV.dev |

Data-residency option

Customers on the Business plan can request EU-resident infrastructure. The Supabase EU project is provisioned per-customer on request; data never leaves the EU region for those customers. Email [email protected] to enable.

Removing a sub-processor

If a sub-processor materially changes its terms or jurisdiction, customers may object in writing within 30 days; we will work in good faith to provide a comparable alternative or pro-rate the remainder of the subscription term.