Sub-Processor Register
Effective Date: April 1, 2026
Last Updated: April 1, 2026
1. Overview
nproxy engages the following sub-processors to deliver the service. Each sub-processor is contractually bound to process personal data only for the purposes described below. Changes to the sub-processor list will be communicated to customers in advance per the Data Processing Agreement.
2. Sub-Processor Register
Cloudflare, Inc.
| Field | Value |
|---|---|
| Company | Cloudflare, Inc. |
| Headquarters | San Francisco, California, USA |
| Purpose | All infrastructure hosting and compute for the nproxy platform |
| Services used | Workers (compute), D1 (SQLite database), KV (key-value cache), R2 (object storage), Durable Objects (stateful coordination), Queues (message pipeline), Analytics Engine (metrics) |
| Data processed | All personal data described in the Privacy Policy: user accounts, sessions (IP, user agent), OAuth tokens, organization configurations, API token hashes, audit events, internal packages, billing references, SCIM provisioning data |
| DPA status | Cloudflare DPA available at cloudflare.com/privacy-policy/ (incorporated by reference in Cloudflare's Terms of Service) |
| Certifications | SOC 2 Type II, ISO 27001, PCI DSS Level 1, HIPAA (with BAA on Enterprise plan), C5, FedRAMP |
| Transfer mechanism | EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs) |
| Data location | Global (Cloudflare operates data centers in 300+ cities worldwide; Workers execute at the nearest edge location to the request origin) |
Stripe, Inc.
| Field | Value |
|---|---|
| Company | Stripe, Inc. |
| Headquarters | San Francisco, California, USA |
| Purpose | Payment processing and subscription billing |
| Services used | Stripe Checkout (redirect-based payment collection), Stripe Webhooks (subscription lifecycle events), Stripe API (subscription management) |
| Data processed | Stripe customer ID and Stripe subscription ID (generated by Stripe and stored as references in nproxy). Payment card data is collected and processed entirely by Stripe; nproxy never receives, transmits, or stores card data. |
| DPA status | Stripe DPA available at stripe.com/privacy (incorporated by reference in Stripe's Terms of Service) |
| Certifications | SOC 2 Type II, PCI DSS Level 1, ISO 27001 |
| Transfer mechanism | EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs) |
GitHub, Inc. (Microsoft)
| Field | Value |
|---|---|
| Company | GitHub, Inc. (subsidiary of Microsoft Corporation) |
| Headquarters | San Francisco, California, USA |
| Purpose | OAuth authentication provider |
| Services used | GitHub OAuth App (authentication) |
| Data processed | OAuth authentication: GitHub account ID, OAuth access token, OAuth refresh token |
| DPA status | GitHub DPA available at docs.github.com/en/site-policy/privacy-policies (incorporated by reference in GitHub's Terms of Service) |
| Certifications | SOC 2 Type II, ISO 27001 |
| Transfer mechanism | EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs) |
Resend, Inc. (Planned)
| Field | Value |
|---|---|
| Company | Resend, Inc. |
| Headquarters | San Francisco, California, USA |
| Purpose | Transactional email delivery (account verification, password reset, security notifications) |
| Services used | Resend Email API (planned integration) |
| Data processed | Email address, email subject, email content (transactional messages only) |
| DPA status | Resend DPA available at resend.com/legal/dpa |
| Certifications | SOC 2 Type II |
| Transfer mechanism | Standard Contractual Clauses (SCCs) |
| Note | This sub-processor is listed in advance of integration. Customers will be notified when the integration goes live. |
Socket, Inc. (socket.dev)
| Field | Value |
|---|---|
| Company | Socket, Inc. |
| Headquarters | San Francisco, California, USA |
| Purpose | Package security intelligence — analyzing packages for malware, suspicious behavior, and security scoring |
| Services used | socket.dev API (batch PURL endpoint for package analysis) |
| Data processed | Package names and versions only. No personal data is transmitted to socket.dev. |
| DPA status | Not required — no personal data is shared with socket.dev |
| Certifications | N/A |
| Transfer mechanism | Not applicable (no personal data transfer) |
OSV.dev (Google)
| Field | Value |
|---|---|
| Company | Google LLC (OSV.dev is a Google-operated open-source vulnerability database) |
| Headquarters | Mountain View, California, USA |
| Purpose | Vulnerability advisory data — querying known CVEs and security advisories for packages |
| Services used | OSV.dev API (batch query endpoint) |
| Data processed | Package names only. No personal data is transmitted to OSV.dev. |
| DPA status | Not required — no personal data is shared with OSV.dev |
| Certifications | N/A (OSV.dev is a free, open-source service operated by Google) |
| Transfer mechanism | Not applicable (no personal data transfer) |
3. Sub-Processor Summary Table
| Sub-Processor | Purpose | Personal Data | DPA | Key Certifications |
|---|---|---|---|---|
| Cloudflare | All infrastructure | All personal data | Yes (Cloudflare DPA) | SOC 2, ISO 27001, PCI DSS L1, HIPAA |
| Stripe | Billing | Stripe customer/subscription IDs | Yes (Stripe DPA) | SOC 2, PCI DSS L1, ISO 27001 |
| GitHub | OAuth + source hosting | OAuth tokens, GitHub account ID | Yes (GitHub DPA) | SOC 2, ISO 27001 |
| Resend (planned) | Transactional email | Email addresses | Yes (Resend DPA) | SOC 2 |
| socket.dev | Package analysis | Package names only (no PII) | N/A | N/A |
| OSV.dev (Google) | Vulnerability advisories | Package names only (no PII) | N/A | N/A |
4. Sub-Processor Change Notification
Per GDPR Article 28(2), nproxy will notify customers of any intended changes to sub-processors (additions or replacements) with reasonable advance notice, allowing customers the opportunity to object. Notification will be provided via:
- Email to organization owners (when transactional email is available)
- Dashboard notification banner
- Update to this document
Customers who object to a sub-processor change may terminate their subscription in accordance with the Terms of Service.
5. Document Control
| Version | Date | Changes |
|---|---|---|
| 1.0 | April 1, 2026 | Initial sub-processor register |