Subprocessors
Last updated: 2 July 2026. This document is a launch draft and remains subject to legal review.
Status: lawyer-ready draft. Not legal advice.
This page lists third party providers that may process customer personal data for Nucleus.
Nucleus must keep this page current. Do not publish a provider here unless the provider is actually used in production.
Current Subprocessor Register
| Provider | Purpose | Data categories | Location notes | Safeguards |
|---|---|---|---|---|
| --- | --- | --- | --- | --- |
| Contabo | VPS hosting for Nucleus infrastructure | App data, logs, tenant data, operational metadata | Confirm production region before publication | Access controls, server hardening, backups |
| Cloudflare | DNS, TLS, WAF, routing, Turnstile, security services | IP address, request metadata, challenge outcome | Global network | Cloudflare security controls and DPA |
| Stripe | Checkout, billing, subscription state, customer portal | Billing contact data, customer IDs, subscription IDs, payment status | Stripe controlled regions | Hosted checkout, no full card data in Nucleus |
| Email provider | Transactional email and invites | Recipient email, name, email content, delivery metadata | Confirm final provider before publication | Provider DPA and access controls |
| OpenAI or AI provider, if enabled | AI-assisted features and agent workflows | User submitted prompts and CRM context selected by the user | Provider dependent | Disable or review before enabling for customer data |
| Error and monitoring provider, if enabled | Error tracking and operational monitoring | Error metadata, request metadata, limited account metadata | Provider dependent | PII filtering required before enablement |
Providers Not Included In Launch Claims
The following are not launch feature commitments unless later shipped and reviewed:
- SMS delivery providers.
- Outbound webhook delivery providers.
- Booking embed providers.
Customer Controlled Integrations
Customers may connect their own external tools or import data from third party systems. The customer is responsible for those external accounts, lawful data use, and any notices required for their own data subjects.
Change Notice
Nucleus should provide notice before adding a new material subprocessor where required by the customer agreement or applicable data protection law.
Lawyer Review Notes
Before publication, confirm:
- Exact legal names of each provider.
- Production hosting region.
- DPA links and transfer mechanisms.
- Whether any AI provider is enabled for customer data at launch.
- Whether any analytics or error provider receives personal data.