NodeFoxLast updated: April 8, 2026
NODEFOX SUBPROCESSOR LIST
Version 1.0 | Effective Date: April 8, 2026 | Last Updated: April 8, 2026
Beta Status Notice: NodeFox is currently provided in beta. Features, behavior, documentation, and controls may change without notice. You must independently validate suitability for your use case and maintain your own safeguards.
© 2025–2026 NodeFox LLC. All rights reserved.
IMPORTANT NOTICE
THIS SUBPROCESSOR LIST ("LIST") IDENTIFIES THIRD-PARTY SUBPROCESSORS THAT NODEFOX LLC ("NODEFOX," "WE," "US," OR "OUR") MAY ENGAGE TO PROCESS PERSONAL DATA ON BEHALF OF CUSTOMERS IN CONNECTION WITH THE SERVICES.
THIS LIST IS INCORPORATED BY REFERENCE INTO THE NODEFOX DATA PROCESSING ADDENDUM ("DPA") AND IS REFERENCED IN THE PRIVACY POLICY. THIS LIST DOES NOT CREATE CONTRACTUAL OBLIGATIONS, SERVICE-LEVEL COMMITMENTS, WARRANTIES, OR GUARANTEES OUTSIDE THE DPA. IN THE EVENT OF CONFLICT BETWEEN THIS LIST AND THE DPA, THE DPA CONTROLS.
THIS LIST IS PROVIDED FOR TRANSPARENCY AND DISCLOSURE PURPOSES ONLY. IT MAY BE INCOMPLETE AT ANY GIVEN TIME; THE ONLINE VERSION AT HTTPS://WWW.NODEFOX.AI/LEGAL/SUBPROCESSORS IS THE CONTROLLING CURRENT LIST.
FOR CUSTOMERS SUBJECT TO A DPA, NOTICE AND OBJECTION RIGHTS REGARDING SUBPROCESSOR CHANGES ARE GOVERNED BY THE DPA, NOT THIS LIST.
SECTION 1. INTRODUCTION
1.1 Purpose. This List provides transparency regarding third-party service providers NodeFox may engage to process Customer Data, enabling Customers to fulfill their own compliance obligations.
1.2 Scope.
This List reflects NodeFox's Subprocessors as of the Last Updated date and may change. Not all Subprocessors process Personal Data for all Customers or Services. Certain Subprocessors are engaged only where Customers elect specific features.
Local Client Execution. When the Services are utilized via the NodeFox Desktop Application or executed locally in the Customer's web browser via WebAssembly (WASM), processing occurs on the Customer's own device. The Customer's local hardware, operating system, browser, and local network infrastructure are entirely outside the scope of this List and are not NodeFox Subprocessors.
Independent Controllers. Some vendors listed herein may also process certain data as independent controllers for their own purposes (e.g., analytics providers for their own product improvement, auth providers for their own security operations). Those independent controller relationships are described in the Privacy Policy (/legal/privacy). Listing a vendor here as a Subprocessor does not mean all processing by that vendor is conducted as a Subprocessor.
1.3 Definitions. Capitalized terms not defined here have the meanings in the DPA or Terms of Service. "Customer Data" means Personal Data NodeFox processes on behalf of a Customer as a Processor. "DPA" means the Data Processing Addendum. "DPF" means the EU-U.S. Data Privacy Framework (and UK Extension and Swiss-U.S. DPF where applicable). "IDTA" means the UK International Data Transfer Agreement or UK Addendum to EU SCCs. "SCCs" means the Standard Contractual Clauses (Commission Implementing Decision 2021/914) for international data transfers. "Subprocessor" means a third-party Processor engaged by NodeFox to process Customer Data.
SECTION 2. SUBPROCESSOR FRAMEWORK
2.1 Role. Subprocessors assist NodeFox with hosting, storage, authentication, security, payments, communications, analytics, and other operational functions. Access is limited to what is necessary for their function.
2.2 Subprocessor vs. Independent Controller. Some third parties interacting with Customer Data act as independent controllers, not Subprocessors. In particular:
- Third-party AI providers connected via Customer's own API keys are generally NOT Subprocessors. They act as independent controllers under their own terms. See Section 7.
- User-configured API destinations (webhooks, databases, SaaS platforms, external HTTP endpoints) that Customers configure Workflows to interact with are NOT Subprocessors. NodeFox acts as the routing engine; recipient destinations of user-configured requests are outside NodeFox's Subprocessor obligations.
- Public package registries (NPM, PyPI, CDNs) accessed when Customers execute code nodes that dynamically import external dependencies are NOT Subprocessors.
- Open-source frameworks and gateways (e.g., Model Context Protocol components) that natively interact with package registries or default endpoints are inherent to the open-source architecture; such entities are not Subprocessors.
2.3 NodeFox Affiliates. NodeFox may utilize wholly-owned affiliates, subsidiaries, or authorized contractors for engineering, maintenance, and support. All operate under confidentiality obligations and the security standards in the DPA.
2.4 Sub-tier Processors. NodeFox's primary Subprocessors (e.g., AWS, Cloudflare) may engage their own downstream sub-tier processors. Downstream delegation is governed by the primary Subprocessor's own data processing agreements. NodeFox relies on the primary Subprocessor's contractual guarantees regarding downstream vendor management.
SECTION 3. COMMITMENTS
NodeFox seeks to implement the following practices, proportionate to the beta nature, scale, and risk profile of the Services:
3.1 We seek to enter into written agreements with Subprocessors imposing data protection obligations no less protective than the DPA.
3.2 We typically conduct risk-based due diligence prior to engagement.
3.3 We seek to limit Subprocessor access to what is necessary.
3.4 Where Subprocessors are outside the EEA/UK/Switzerland, we seek to implement appropriate transfer mechanisms as required by applicable law.
3.5 We provide notice of material Subprocessor changes to subscribed DPA Customers as described in Section 9.
3.6 DPA Customers may object to new Subprocessors as described in Section 10.
3.7 We may monitor Subprocessor compliance on a risk-based basis.
3.8 NodeFox's liability for Subprocessor acts/omissions is as described in the DPA and Terms of Service.
SECTION 4. CURRENT SUBPROCESSORS
Infrastructure and Hosting
| Subprocessor | Purpose | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Vercel Inc. | Web application hosting, edge network, CDN | IP addresses; request metadata; session data; logs; cached content | United States (global edge network) | SCCs; DPF where applicable |
| Amazon Web Services, Inc. (AWS) | Cloud infrastructure, compute, storage, database, backup | Customer Data; application data; logs; backups | United States (us-west-2, us-east-1 primarily) | SCCs; AWS DPA; DPF where applicable |
| Supabase, Inc. | Database (PostgreSQL), authentication, real-time subscriptions, storage | User account data; hashed credentials; Workflow metadata; application data | United States | SCCs; DPF where applicable |
Authentication and Identity
| Subprocessor | Purpose | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Supabase, Inc. | Authentication, session management, identity (same entity as above) | Email addresses; hashed passwords; auth tokens; session data; login metadata | United States | SCCs; DPF where applicable |
| Google LLC (Google Sign-In) | OAuth authentication (optional; only where Customer/users elect Google Sign-In) | Google account ID; email; name; profile picture (as user-authorized) | United States (global infrastructure) | SCCs; DPF where applicable |
Payment Processing
| Subprocessor | Purpose | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription billing, invoicing | Name; email; billing address; payment card data (processed directly by Stripe); transaction history | United States (global infrastructure) | SCCs; DPF where applicable |
Note: Stripe is PCI DSS Level 1 certified. Payment card data is processed directly by Stripe. NodeFox does not access or store full card numbers; NodeFox receives only last four digits, card type, expiration, and billing postal code.
Communication Services
| Subprocessor | Purpose | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Resend, Inc. | Transactional email delivery (notifications, password resets, alerts) | Email addresses; email content; delivery metadata | United States | SCCs; DPF where applicable |
Analytics and Monitoring
| Subprocessor | Purpose | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Google LLC (Google Analytics) | Website and application analytics to understand usage patterns and operate the Services | IP address (may be anonymized); device/browser info; pages visited; session duration; usage events | United States (global infrastructure) | SCCs; DPF where applicable |
Note: Users may manage analytics preferences through browser settings or Google's opt-out tools (https://tools.google.com/dlpage/gaoptout). IP anonymization implemented where available.
Security Services
| Subprocessor | Purpose | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Cloudflare, Inc. | DDoS protection, WAF, CDN, DNS, security services | IP addresses; request headers; traffic patterns; security event data; cached content | United States (global edge network) | SCCs; DPF where applicable |
Support Services
NodeFox currently provides customer support directly via email. The infrastructure hosting corporate email communications (Google Workspace / Google LLC) may process Customer Data voluntarily submitted in support emails.
NodeFox may use support tooling vendors in the future. If those vendors process Customer Data as Subprocessors, they will be added to this List.
Support is discretionary. No guaranteed response times.
SECTION 5. SUBPROCESSOR SUMMARY TABLE
| Subprocessor | Category | Location | Transfer |
|---|---|---|---|
| Vercel Inc. | Infrastructure / CDN | US (global edge) | SCCs; DPF |
| Amazon Web Services | Infrastructure / Storage | US | SCCs; DPF |
| Supabase, Inc. | Infrastructure / Auth | US | SCCs; DPF |
| Google LLC (Sign-In) | Authentication (optional) | US (global) | SCCs; DPF |
| Stripe, Inc. | Payments | US (global) | SCCs; DPF |
| Resend, Inc. | US | SCCs; DPF | |
| Google LLC (Analytics) | Analytics | US (global) | SCCs; DPF |
| Cloudflare, Inc. | Security / CDN | US (global edge) | SCCs; DPF |
| Google LLC (Workspace) | Corporate Email / Support | US (global) | SCCs; DPF |
The detailed per-vendor entries in Section 4 control if the summary table conflicts.
SECTION 6. COMPLIANCE CERTIFICATIONS
Certifications are as reported by the Subprocessor and may change. NodeFox does not independently certify or guarantee Subprocessor compliance status.
| Subprocessor | SOC 2 | ISO 27001 | PCI DSS | Other |
|---|---|---|---|---|
| AWS | Yes | Yes | Yes | FedRAMP; HIPAA eligible* |
| Supabase | Yes | — | — | HIPAA eligible* |
| Stripe | Yes | Yes | Level 1 | — |
| Cloudflare | Yes | Yes | Yes | — |
| Yes | Yes | — | — | |
| Vercel | Yes | — | — | — |
| Resend | Yes | — | — | — |
HIPAA Note: Vendor HIPAA eligibility refers to that vendor's own offering capabilities. NodeFox does not offer HIPAA processing and does not accept Protected Health Information (PHI) absent a separately executed Business Associate Agreement (BAA).
NodeFox Certifications. As of the Last Updated date, NodeFox has not obtained third-party certifications (SOC 2, ISO 27001). NodeFox may pursue certifications in the future at its discretion without commitment or timeline.
SECTION 7. THIRD-PARTY AI PROVIDERS — NOT SUBPROCESSORS
7.1 Third-party AI providers connected via Customer's own API keys are generally NOT Subprocessors. They act as independent controllers or processors under their own terms.
7.2 When Customers execute Workflows calling AI providers: Customer provides their own keys; Input Data is transmitted to the provider; the provider processes under their own terms; NodeFox acts as a conduit.
7.3 Customer's relationship with each AI provider is governed by their agreement with that provider. NodeFox is not responsible for AI provider data practices, retention, or training policies. Providers' practices are outside NodeFox's control. Customers must not send secrets or credentials to AI providers unless intended.
7.4 Managed AI. If NodeFox provides AI or model access under NodeFox's own credentials in the future, those AI vendors will be listed as Subprocessors and subject to the DPA's subprocessor notification framework.
7.5 Common AI providers (examples only; may change):
| Provider | Purpose | Privacy Policy |
|---|---|---|
| OpenAI | GPT models, DALL-E, embeddings | https://openai.com/privacy |
| Anthropic | Claude models | https://www.anthropic.com/privacy |
| Google (Vertex AI / Gemini) | Gemini models | https://policies.google.com/privacy |
| Mistral AI | Mistral models | https://mistral.ai/privacy-policy/ |
SECTION 8. DATA TRANSFERS
8.1 Most Subprocessors are in the United States. For Personal Data from the EEA, UK, or Switzerland, we rely on applicable legal mechanisms:
- DPF where the Subprocessor is certified.
- SCCs (Commission Implementing Decision 2021/914) where DPF does not apply or as supplementary.
- UK IDTA or UK Addendum for UK transfers.
- Supplementary measures where required by transfer impact assessments.
8.2 SCCs/IDTA specifics are governed by the DPA. This section is a summary only.
8.3 Transient Edge Caching. NodeFox utilizes global CDNs and edge-compute networks (Cloudflare, Vercel). Transient copies of data, cached assets, or API responses may be temporarily routed or cached at edge nodes outside the primary storage jurisdiction. Such transient caching does not constitute a permanent geographic data transfer and is necessary for global delivery of the Services.
SECTION 9. SUBPROCESSOR CHANGE NOTIFICATION
9.1 NodeFox may add or remove Subprocessors as business needs evolve. Material changes are notified to subscribed DPA Customers.
9.2 Notice may be provided via: updates to this List; email to subscribed Customers; in-app notification; or other means as determined by NodeFox.
9.3 To subscribe: email legal@nodefox.ai with subject "Subprocessor Notification Subscription" including company name, contact name, and notification email.
9.4 NodeFox generally seeks to provide advance notice of material changes, unless shorter notice is necessary for operational, security, or legal reasons. In emergencies, changes may be implemented immediately with notice as permitted and practicable.
9.5 All notification mechanics, timelines, and obligations are governed by the DPA. This List does not expand or modify DPA notification obligations.
SECTION 10. OBJECTION TO SUBPROCESSORS
10.1 DPA Customers may object to new Subprocessors on data protection grounds by submitting a written objection to legal@nodefox.ai within the period specified in the DPA.
10.2 Objections must include: the specific Subprocessor; data protection grounds; and any alternative arrangements acceptable.
10.3 NodeFox may consider objections and may, in its discretion, provide additional information, offer alternatives, or implement additional safeguards. NodeFox is not obligated to accommodate objections.
10.4 If the objection cannot be resolved, either party may terminate the affected Services per the DPA. Termination is Customer's sole and exclusive remedy.
10.5 If Customer does not object within the DPA-specified period, Customer is deemed to have accepted the new Subprocessor, where permitted by applicable law and the DPA.
10.6 All objection mechanics, timelines, and remedies are governed by the DPA. This List does not create independent objection rights.
SECTION 11. SUBPROCESSOR REQUIREMENTS
NodeFox seeks to require Subprocessors to contractually commit to, as appropriate under our agreements:
11.1 Confidentiality of Personal Data and personnel obligations.
11.2 Appropriate technical and organizational security measures, including industry-standard encryption at rest.
11.3 Assistance with data subject requests, security incidents, and impact assessments as required under our agreements and applicable law.
11.4 Audit rights (NodeFox typically retains audit rights; Customer audit rights are per the DPA).
11.5 Return or deletion of Personal Data upon termination, subject to backups/legal holds.
SECTION 12. CUSTOMER RESPONSIBILITIES
12.1 Customers are responsible for reviewing this List and determining compatibility with their own compliance requirements.
12.2 Where Customers act as Controllers: lawful bases, data subject notices, data subject request responses, impact assessments, and compliance with applicable law remain Customer's responsibility.
12.3 Customers are solely responsible for third-party AI provider relationships, user-configured webhook/API destinations, and optional features (e.g., Google Sign-In).
12.4 Customers should maintain correct subscription email for Subprocessor notifications.
SECTION 13. DATA RETENTION AND SECURITY
13.1 Each Subprocessor has its own retention policies. We seek to require retention only as long as necessary and deletion upon instruction, subject to backups and legal holds.
13.2 Upon termination or Customer request, we instruct Subprocessors to delete Customer Data per the DPA, where applicable and technically feasible.
13.3 SOC 2 reports and audit reports for Subprocessors may be available to DPA Customers under NDA in NodeFox's discretion, subject to Subprocessor restrictions. Contact legal@nodefox.ai.
SECTION 14. GEOGRAPHIC INFORMATION
14.1 Customer Data is generally stored and processed in the United States. Some Subprocessors have global infrastructure and may process data in additional locations subject to transfer safeguards.
14.2 Enterprise customers may request information about regional data processing options. Contact sales@nodefox.ai. Availability not guaranteed.
14.3 NodeFox does not intentionally store or process data in sanctioned jurisdictions. See the AUP (/legal/acceptable-use).
SECTION 15. GENERAL
15.1 NodeFox's liability for Subprocessor acts/omissions is per the DPA and Terms of Service. Liability limitations in those agreements apply.
15.2 NodeFox may modify this List at any time. The Last Updated date indicates the most recent revision. Previous versions may be available.
15.3 This List is informational. It does not constitute legal advice. Customers should consult their own counsel.
SECTION 16. CONTACT
| Purpose | Contact |
|---|---|
| Subprocessor Questions / Objections / Notifications | legal@nodefox.ai |
| Privacy Inquiries | privacy@nodefox.ai |
| Data Protection Officer | dpo@nodefox.ai |
| Security Questions | security@nodefox.ai |
| Enterprise Data Residency | sales@nodefox.ai |
NodeFox may respond to inquiries; no guaranteed response time.
Mailing Address: NodeFox LLC, PO Box 1667, Ross, CA 94957, United States.
EU Representative: Euverify Ltd (Ireland), Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23 AT2P, Ireland. Email: gdpr@euverify.com.
UK Representative: Euverify Ltd (UK), 3rd Floor, 86-90 Paul Street, London EC2A 4NE, United Kingdom. Email: gdpr@euverify.com.
GDPR Request Portal: https://gdpr.euverify.com/verify/40de1847-966c-42c5-bc95-9ad6c91c3348
IMPORTANT NOTICES
Beta Status. The Services are in beta. This List may change as the Services evolve.
Third-Party AI Providers. AI providers connected via Customer's own API keys are NOT Subprocessors.
Managed AI. If NodeFox provides AI access under its own credentials, those vendors will be listed here.
No Warranties. This List does not create service-level commitments, warranties, or guarantees.
No Legal Advice. Consult your own counsel regarding compliance obligations.
RELATED DOCUMENTS
| Document | URL |
|---|---|
| Terms of Service | /legal/terms |
| Privacy Policy | /legal/privacy |
| Data Processing Addendum | /legal/data-processing-addendum |
| Cookie Policy | /legal/cookies |
| Acceptable Use Policy | /legal/acceptable-use |
| EULA | /legal/eula |
| Marketplace Terms | /legal/marketplace-terms |
| IP & DMCA Policy | /legal/dmca |
ACKNOWLEDGMENT
This Subprocessor List is provided for transparency. For DPA Customers, Subprocessor engagement, notice, objection, and related rights are governed by the DPA.
END OF SUBPROCESSOR LIST
© 2025–2026 NodeFox LLC. All rights reserved.
NodeFox LLC | PO Box 1667, Ross, CA 94957, United States | https://www.nodefox.ai