
Subprocessors

Last updated May 5, 2026 · Nova Companion LLC · 17 vendors

What this page is

  • Every vendor that touches your Nova data is named here. Who they are, what they see, where they’re hosted, what they’re attested against, and a link to their DPA.
  • We split the list by exposure. Core infrastructure is what every Nova user touches by virtue of using the app. AI providers see chat content and attached photos. Research vendors see search queries when Nova switches into Boosters research mode. Opt-in vendors only see data when you explicitly turn the corresponding feature on.
  • We notify you of additions, removals, and swaps before they go live, where reasonable. To receive notifications, email privacy@novasystems.app with the word “subprocessors” in the subject line.
  • This page is the canonical list for GDPR Article 28(2) authorisation purposes. If you’re a data controller relying on Nova as a processor, this is the list you’ve authorised.

Core infrastructure

Touched by every Nova user. Application hosting, database, cache, error monitoring, transactional email, billing.

  • Vercel

    Application hosting (Next.js), AI Gateway, Blob storage, Cron, OIDC token issuer

    Data sent
    All HTTP request and response payloads, environment variable values (encrypted at rest on Vercel, but decrypted by Vercel at build and run time), build artifacts, blob storage payloads
    Region
    United States (function default), edge regions global
    Compliance
    SOC 2 Type 2
  • Supabase

    Postgres database, authentication, row-level security

    Data sent
    Structured user data — messages, dossiers, contacts, journals, OAuth tokens (encrypted at rest), audit log
    Region
    United States (project region: US East)
    Compliance
    SOC 2 Type 2
  • Upstash (Redis)

    Distributed rate limiting, memory cache, transient session state

    Data sent
    Rate-limit counters, cached LLM responses (30 min TTL; these are Nova chat replies, so chat content transits this cache), transient session state (24 h TTL)
    Region
    Global multi-region (configurable)
    Compliance
    SOC 2 Type 2
  • Upstash (Search)

    Hybrid dense + sparse vector index for memory recall

    Data sent
    Memory text and vector embeddings (per-user namespace)
    Region
    Global multi-region (configurable)
    Compliance
    SOC 2 Type 2
  • Sentry

    Error monitoring and session replay (PII off, replay text masked)

    Data sent
    Stack traces, error metadata, masked replay; user IDs masked
    Region
    United States (EU option available)
    Compliance
    SOC 2 Type 2
  • Resend

    Transactional email (welcome, blast, memory digest, waitlist)

    Data sent
    Recipient email address, subject line, HTML body (for memory digests the body carries memory content)
    Region
    United States
    Compliance
    SOC 2 Type 2
  • Stripe

    Subscription billing and webhook delivery

    Data sent
    Customer email, subscription metadata. Card numbers and CVVs are sent directly to Stripe Elements and never touch Nova.
    Region
    United States and EU
    Compliance
    SOC 2 Type 2 + PCI DSS Level 1

AI providers

The model and inference vendors that see chat content, attached photos, and content sent for AI processing.

  • Anthropic

    Routed via Vercel AI Gateway (no persistent retention via Gateway)

    Claude — primary chat model and creative LLM tier

    Data sent
    Chat content (system prompt + user messages + Nova replies), attached photo data URLs
    Region
    United States
    Compliance
    SOC 2 Type 2 — Anthropic does not train on customer data
  • OpenAI

    Routed via Vercel AI Gateway

    GPT-4o (chat fallback), GPT-4o-mini (memory extraction)

    Data sent
    Chat content (fallback path only), message text for memory extraction
    Region
    United States
    Compliance
    SOC 2 Type 2 — API data not used for training; 30 d retention for abuse monitoring
  • Google Cloud Platform

    Vision, Translate, YouTube Data v3, Routes, Air Quality, Pollen, Time Zone, Places, Gmail API, Calendar API, Contacts API, Gemini Live

    Data sent
    Photos (Vision), text strings (Translate), search queries (YouTube), coordinates (Routes/Air/Pollen/TZ), Gmail metadata + body when summarizing, calendar events, contacts on import, voice audio (Gemini Live)
    Region
    United States multi-region
    Compliance
    SOC 2 Type 2 + ISO 27001/27017/27018 + FedRAMP

Research vendors

Used only when Nova switches into Boosters research mode. These vendors receive search query text or a target URL, never your chat content, memories, or identifiers.

  • Tavily

    Web search (Boosters research mode)

    Data sent
    Search query text. No user PII.
    Region
    United States
    Compliance
    SOC 2; GDPR and UK DPA 2018 compliance statements; zero data retention; prompt-injection defense layer
  • Exa

    Semantic web search (Boosters research mode)

    Data sent
    Search query text. No user PII.
    Region
    United States
    Compliance
    SOC 2 Type 2; zero data retention offered on the Enterprise tier
  • Firecrawl

    Web scraping for research and Boosters context

    Data sent
    Target URL (user-supplied or LLM-suggested). No raw user PII.
    Region
    United States
    Compliance
    SOC 2 Type 2; GDPR compliance statement; zero data retention offered on the Enterprise tier

Opt-in only

Only see data when you explicitly enable the corresponding feature (image generation, Incubator company intel, financial integration, music).

  • FAL.ai

    Opt-in only

    Image generation (avatars, generic image gen)

    Data sent
    Generation prompts, user-supplied reference images when applicable. No user identifiers, chat history, memory content, OAuth tokens, contacts, calendar data, journal entries, or financial data.
    Region
    United States
    Compliance
    Active SOC 2 program, Vanta-backed Trust Center; final report NDA-gated. Risk-acceptance memo on file.
  • Apollo.io

    Opt-in only

    Company intelligence for Incubator project tab

    Data sent
    Company name, domain, project context
    Region
    United States
    Compliance
    SOC 2 Type 2
  • Plaid

    Opt-in only

    Financial integration (Pro-gated)

    Data sent
    Plaid access token (encrypted at rest in Supabase), link metadata
    Region
    United States
    Compliance
    SOC 2 Type 2 + ISO 27001/27701
  • Spotify

    Opt-in only

    Pro-gated playlist generation

    Data sent
    OAuth refresh token (encrypted at rest), playlist creation requests
    Region
    European Union (Spotify is Swedish-headquartered; user data routed to user region)
    Compliance
    SOC 2 + ISO 27001 (also PCI, HIPAA, GDPR, FedRAMP, CSA STAR L1)

How a new vendor gets added

Before any new vendor sees a single byte of Nova user data in production:

  1. The vendor is logged in our internal vendor inventory.
  2. A SOC 2 / ISO 27001 / equivalent attestation is captured, or a documented risk-acceptance memo is filed by the owner.
  3. A DPA is executed with the vendor, or vendor terms-of-service are accepted as DPA where the vendor offers them in that form.
  4. This public list is updated, and notification subscribers are emailed.
  5. The data-flow diagram and risk register are updated.

How to opt out

For opt-in vendors, simply don’t enable the corresponding feature. You can disconnect any connected Google service, Spotify, or Plaid account from your Profile page. Image generation only fires when you explicitly request a generated image. Incubator’s Apollo enrichment runs only on projects you create.

For core infrastructure and AI providers, the only way to fully opt out is to delete your Nova account, which you can do from Profile → Delete account. Account deletion removes your data from Nova’s databases and memory store within 30 days. Copies a vendor already holds expire under that vendor’s own retention terms (for example, OpenAI’s 30-day abuse-monitoring window noted above).

Questions or objections

Reach privacy@novasystems.app for any subprocessor question, including objection to a specific vendor. Under GDPR Article 28(2) you may object to a planned change of subprocessors; if Nova cannot accommodate the objection, you have the right to terminate the contract.