Sub-processors
- Effective date:
- 2026-06-19
- Last updated:
- 2026-06-18
- Version:
- 2
| Controller | Data Protection Contact | Address |
|---|---|---|
| NORTH STAR AI S.R.L., a company registered in Romania, VAT RO54842326, with registered office at Sat Ghionea, Comuna Ulmi, Jud. Giurgiu, cf 747 N, acting as data controller for the NorthStar Platform (ns-ai.io, app.ns-ai.io). | privacy@ns-ai.io | Sat Ghionea, Comuna Ulmi, Jud. Giurgiu, cf 747 N |
Overview
This page lists the third-party service providers ("sub-processors") engaged by NorthStar AI S.R.L. to process personal data on our behalf in connection with the Platform.
We engage sub-processors only where:
- They are bound by written contracts that include the safeguards required by Article 28 GDPR
- They provide sufficient guarantees of appropriate technical and organizational measures
- Their processing is necessary for the operation and improvement of the Platform
This list is authoritative and updated as sub-processors are added, removed, or changed. For information about how we use sub-processors, see our Privacy Policy and Data Processing Agreement (DPA).
Current Sub-Processors
| Provider | Purpose | Location | Transfer | Role |
|---|---|---|---|---|
| Supabase | Managed PostgreSQL database, authentication, and file storage for all Platform data | European Union (Frankfurt, Germany) | Intra-EU transfer | Sub-processor |
| Oblio | Invoice generation and integration with the Romanian ANAF e-Factura system | Romania (intra-EU) | Intra-EU transfer | Sub-processor |
| Termene.ro | Romanian company verification data from ONRC, including administrator and shareholder information | Romania | Intra-EU transfer | Data source |
| VIES | EU VAT number validation; company name and VAT-registered status | European Union | Intra-EU transfer | Data source |
| BNR | Currency exchange rates (no personal data) | Romania | N/A — no personal data | Data source |
| OpenRouter | AI model pricing metadata (no user data) | United States | N/A — no personal data | Data source |
| Google (YouTube Transcript API) | Public video transcript content when customers ingest YouTube URLs into their Knowledge Base | United States | N/A — public content | Data source |
| Cohere Inc. | AI re-ranking model used in Knowledge Base retrieval (semantic relevance scoring on text chunks) | United States | Standard Contractual Clauses (SCC) | Sub-processor |
| Vercel | Web application hosting and edge content delivery | United States (with EU edge locations) | Standard Contractual Clauses (SCC) | Sub-processor |
| Inngest | Workflow orchestration and background job processing | United States | Standard Contractual Clauses (SCC) | Sub-processor |
| Sentry | Error tracking and application performance monitoring | United States | Standard Contractual Clauses (SCC) | Sub-processor |
| Resend | Transactional email delivery (account notifications, password resets, billing alerts) | United States | Standard Contractual Clauses (SCC) | Sub-processor |
| Firecrawl | Web content extraction service used when customers ingest web pages into their Knowledge Base | United States | Standard Contractual Clauses (SCC) | Sub-processor |
| Anthropic, PBC | Large language model API (Claude) for AI processing of user-submitted prompts and content | United States | EU-US Data Privacy Framework (DPF) | Sub-processor |
| OpenAI OpCo, LLC | Large language model API (GPT family) for AI processing of user-submitted prompts and content | United States | EU-US Data Privacy Framework (DPF) | Sub-processor |
| Microsoft Azure AD | OAuth authentication for users signing in via Microsoft accounts | Customer tenant region (varies) with US backbone | EU-US Data Privacy Framework (DPF) | Sub-processor |
| Google OAuth | OAuth authentication for users signing in via Google accounts | United States | EU-US Data Privacy Framework (DPF) | Sub-processor |
| Stripe | Subscription billing and payment processing. NorthStar does not store payment instrument data — Stripe handles this in PCI-DSS scope. | European Union and United States | EU-US Data Privacy Framework (DPF) | Sub-processor |
Third-Party Data Sources (NOT Sub-Processors)
The following third parties provide data to NorthStar from public registries or open APIs. They are not sub-processors because they do not process personal data on our behalf — instead, they are independent sources from which we retrieve information. For data we receive from these sources containing personal data of third parties (e.g., company administrator names from Termene.ro), NorthStar acts as Controller of the received data.
- Termene.ro (RO) — Romanian company verification data from ONRC, including administrator and shareholder information
- VIES (European Commission) — EU VAT number validation; company name and VAT-registered status
- BNR (National Bank of Romania) — Currency exchange rates (no personal data)
- OpenRouter Inc. — AI model pricing metadata (no user data)
- Google (YouTube Transcript API) — Public video transcript content when customers ingest YouTube URLs into their Knowledge Base
Excluded from Sub-Processor List
The following services may appear in our infrastructure but are explicitly NOT sub-processors of personal data:
- UptimeRobot: monitors only health-check endpoints; no personal data
- Snyk: scans source code and dependencies in CI/CD; no production personal data
Sub-Processor Change Notifications
In accordance with Article 28(2) GDPR and our Data Processing Agreement, we notify customers of changes to this sub-processor list as follows:
- New sub-processor additions or material changes: at least 30 days' prior notice by email to the designated administrator contact at each customer organization, with a link to the updated version of this page.
- Sub-processor removals: notice given through the updated version of this page.
- Right to object: within the 30-day notice period, customer organizations may object to a new sub-processor by contacting privacy@ns-ai.io with the basis of their objection. We will work in good faith to address the objection. If we cannot resolve it satisfactorily, the customer's exclusive remedy is to terminate the affected services in accordance with the applicable agreement.
To subscribe to sub-processor change notifications, ensure that your organization's designated administrator email is current in your account settings.
Locations and DPF Verification
For sub-processors marked `` above, the current EU-US Data Privacy Framework certification status can be verified at https://www.dataprivacyframework.gov/list by searching the sub-processor's name. We monitor DPF certification status and rely on Standard Contractual Clauses (SCCs) as fallback where DPF certification is not in place or has been suspended.
For sub-processors processing personal data outside the European Economic Area, we have conducted Transfer Impact Assessments (TIAs) and implemented supplementary technical and organizational measures, including encryption in transit and at rest, contractual restrictions on government access, and no-training clauses for AI providers.
Contact and Documentation
- General sub-processor inquiries: privacy@ns-ai.io
- Object to a sub-processor: privacy@ns-ai.io (within the 30-day notice period)
- Request DPA or copies of SCCs: legal@ns-ai.io
For our overall data processing practices, see our Privacy Policy and Data Processing Agreement.
Version History
This Sub-Processors Disclosure is published in English. A Romanian summary is available at ns-ai.io/subprocessors?lang=ro. In case of any discrepancy, the English version prevails for legal interpretation.
| Controller | Data Protection Contact | Address |
|---|---|---|
| NORTH STAR AI S.R.L., a company registered in Romania, VAT RO54842326, with registered office at Sat Ghionea, Comuna Ulmi, Jud. Giurgiu, cf 747 N, acting as data controller for the NorthStar Platform (ns-ai.io, app.ns-ai.io). | privacy@ns-ai.io | Sat Ghionea, Comuna Ulmi, Jud. Giurgiu, cf 747 N |