Subprocessors
Subprocessors
Effective May 14, 2026 · Sodasoft LLC (30 N Gould St, Sheridan, Wyoming 82801, United States)
NANOTESTING, operated by Sodasoft LLC, engages the third-party subprocessors listed below to deliver the Service. Every subprocessor is bound by written terms that flow down the obligations of the Data Processing Agreement at /legal/dpa.
We post material changes to this inventory at least 30 days before the change takes effect and notify the billing contact on every account by email. To object, follow the process in section 3.4 of the DPA. Latest update: May 14, 2026.
Active subprocessors
| Vendor | Service | Data categories | Region | Transfer mechanism |
|---|---|---|---|---|
| Vercel Inc. | Edge hosting, serverless compute for the marketing site + dashboard | Account email, session cookies, audit-log row id, HTTP request metadata | Global (US-primary), with EU + AP edges | EU SCCs Module Two + UK IDTA Addendum |
| Supabase Inc. | Managed Postgres (data storage), Row-Level Security, encrypted object storage for raw scan output + PDF reports, magic-link auth issuer | Account data, audit log, billing-profile metadata, findings, scan_jobs, customer-supplied secrets (sealed) | EU (eu-central-1) primary; US (us-east-1) for read replicas | EU SCCs Module Two + UK IDTA |
| Fly.io Inc. | Scanner worker fleet + isolated sidecar services (Mythril, Echidna, Playwright screenshot) | Scan output before it lands in object storage; transient processing only | EU (Amsterdam) primary; US fallback regions | EU SCCs Module Three (onward sub-processor) |
| Stripe Payments Europe, Ltd. + Stripe, Inc. | Subscription billing, payment-card processing, tax calculation | Billing email, name, billing address, payment method, tax id | Ireland (EEA) + United States | EU SCCs (Stripe's data-processing terms) |
| Resend Labs, Inc. | Transactional email delivery (magic-link, scan complete, billing receipts) | Recipient email, message body, delivery status | United States | EU SCCs Module Three |
| Cloudflare, Inc. | DNS + edge proxy + DDoS mitigation when fronting the marketing site; Cloudflare Turnstile for bot protection on public preview scans | IP address (hashed for our persistence), user-agent | Global anycast | EU SCCs Module Three |
| Functional Software Inc. d/b/a Sentry | Server + client error monitoring with PII scrubbing in beforeSend and request-payload scrubbing on the Stripe webhook path | Stack traces with PII scrubbed, request-context id | European Union (Frankfurt - ingest.de.sentry.io) | n/a (EU-to-EU); EU SCCs Module Three for any cross-region replication |
| GitHub, Inc. | Source repository hosting for the Service; ingestion of customer-authorised public + private repositories for repo-deep-scan | Customer-pasted GitHub PAT (sealed) + the repo's own contents | United States | EU SCCs Module Three (GitHub Standard DPA) |
Threat-intelligence feeds (no personal data)
We consume the following public threat-intel feeds. These do not receive any customer or visitor personal data; they are listed for transparency.
- CISA Known Exploited Vulnerabilities catalog (cisa.gov)
- FIRST.org EPSS (first.org/epss)
- NIST National Vulnerability Database (nvd.nist.gov)
- U.S. Treasury OFAC SDN list (Web3 add-on only)
How to follow changes
Subscribe to privacy@nanotesting.com with subject line “Subscribe to subprocessor updates”. We will email any material change at least 30 days before it takes effect.