Subprocessors
The vendors listed below may process customer personal data on Nurion's behalf. Updates are made by commit; new subprocessors that process personal data trigger a customer notification per the internal subprocessor-notification process and a fourteen (14) day objection window per our DPA.
Platform-wide
| Vendor | Purpose | Region | Transfer mechanism | Vendor DPA |
|---|---|---|---|---|
| Hetzner Online GmbH | Application hosting (compute, network, primary databases) | Germany (EEA) | Intra-EEA | Link |
| Mollie B.V. | Payment processing (SEPA, card, recurring billing) | Netherlands (EEA) | Intra-EEA | Link |
| Lettermint B.V. | Transactional email delivery (SMTP relay) for confirmations, invitations, account notifications | Netherlands (EEA) | Intra-EEA | Link |
| Plausible Insights OÜ | Cookieless marketing-website analytics | Estonia (EEA) | Intra-EEA | Link |
Nurion Desk
| Vendor | Purpose | Region | Transfer mechanism | Vendor DPA |
|---|---|---|---|---|
| Verda Cloud (DataCrunch OÜ) | AI inference (LLM and ASR) for Desk-managed flows | Estonia / Finland (EEA) | Intra-EEA | Link |
Nurion Meet
| Vendor | Purpose | Region | Transfer mechanism | Vendor DPA |
|---|---|---|---|---|
| Verda Cloud (DataCrunch OÜ) | AI inference for transcription and summarisation | Estonia / Finland (EEA) | Intra-EEA | Link |
Nurion Funnel
| Vendor | Purpose | Region | Transfer mechanism | Vendor DPA |
|---|---|---|---|---|
| Verda Cloud (DataCrunch OÜ) | AI inference for lead enrichment and intent signals | Estonia / Finland (EEA) | Intra-EEA | Link |
Vendors that do not process personal data
The vendors below are listed for transparency only. They are contracted by Nurion but do not receive customer personal data from the products.
| Vendor | Purpose | Region | Transfer mechanism | Vendor DPA |
|---|---|---|---|---|
| DNSimple Corp. | DNS, domain registration, and SSL issuance — no personal data flow | United States | Not applicable — no personal data | Link |
Standard Contractual Clauses and adequacy
Adequacy jurisdictions
Where a subprocessor is established in a country covered by an active EU Commission adequacy decision (e.g. Switzerland, the United Kingdom, Japan), the transfer is treated as adequate without requiring SCCs.
Standard Contractual Clauses 2021/914
For non-EEA, non-adequate transfers that involve personal data, we rely on the EU Commission's 2021/914 Standard Contractual Clauses, in the relevant module, supplemented where necessary by additional safeguards informed by a transfer impact assessment.
EU-US Data Privacy Framework
Where a US-based subprocessor would be required, we prioritise DPF-certified vendors. At the time of writing no US-based subprocessor processes Nurion customer personal data.
Subprocessor change process
See our internal subprocessor-notification process for the details customer-facing teams follow when a vendor is added or replaced. The summary: notify customers by email at least fourteen (14) days before a new subprocessor begins processing personal data; record objections; resolve or terminate the affected processing.
Contact
Questions about this list: privacy@nurion.com.
Version 2026-04-25 · last updated 2026-04-25