Sub-processors
Last updated: May 22, 2026
To deliver Nexis we rely on a short list of vendors who each handle a specific slice of the work. This page is the source of truth for who they are, what they do, and what data they process on our behalf. Every vendor on this list is bound by their own privacy policy and, where relevant, a Data Processing Agreement with us.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Vercel | Application hosting and edge delivery for the Nexis web app. | All inbound HTTP requests, including authentication cookies and uploaded form data. No persistent storage. | United States |
| Supabase | Managed PostgreSQL database and authentication (email magic link, Google OAuth). | Account data, tasks, people, transcripts, encrypted OAuth tokens (Slack, Gmail), session records. | United States |
| Cloudflare | R2 object storage for voice recordings and meeting audio; CDN for static assets. | Encrypted audio files uploaded by users. Recordings are scoped per workspace and auto-expire per the user’s plan. | Global edge network; R2 control plane in the United States |
| OpenAI | Task extraction from meeting transcripts and generation of meeting summaries. | Transcript text. Configured with zero data retention — inputs are not stored by OpenAI and are never used to train models. | United States |
| Soniox | Speech-to-text transcription of voice notes and meeting audio. | Audio file URLs (fetched from Cloudflare R2). Configured with zero data retention. | United States |
| Paddle | Payment processing and merchant of record for paid plans (global). | Customer billing email, payment-method tokens, billing address, tax location. We never see raw card numbers. | United Kingdom / United States |
| Resend | Transactional email delivery (sign-in links, billing notifications, account alerts). | Recipient email address and the message contents Nexis sends. | United States |
| PostHog | Product analytics — anonymous usage metrics to understand which features are used. | Anonymous event data and feature usage. No personally identifiable information is sent. | European Union |
How we choose sub-processors
We add a sub-processor only when it's necessary to deliver a feature or keep the service running. Each vendor is evaluated on their published security posture, the data they would access, and the legal protections they offer customers (data processing agreements, standard contractual clauses for EU data, breach-notification commitments).
Notice of changes
We'll notify Nexis account owners by email at least 14 days before adding a new sub-processor that materially affects how customer data is handled. If you object to a new sub-processor, you can cancel your account within that window and your data is deleted per our Privacy Policy.
Data processing agreements
Enterprise and business customers can request a Data Processing Agreement covering Nexis's use of these sub-processors. Email nexis.support@ekamspace.com with "DPA request" in the subject line.
Questions
For anything related to sub-processors or how we handle your data, contact nexis.support@ekamspace.com. Our full privacy practices are at /privacy.