Sub-Processors
Last updated: May 21, 2026
NEXOS uses the third-party service providers listed below to deliver its platform. We refer to these providers as sub-processors. We have entered into a Data Processing Agreement (DPA) with each one that contractually requires them to handle customer data with the same protections we apply, including encryption in transit and at rest, access controls, and breach notification obligations.
This page is updated whenever a sub-processor is added, removed, or has a material change in its role. Customers under an active subscription receive at least 30 days advance notice of additions, sent to the billing email on file, and may object during that window per the terms of their Master Services Agreement.
| Provider | Purpose | Data accessed | Location | Since |
|---|---|---|---|---|
Amazon Web Services, Inc. (AWS) Privacy policy | Cloud hosting infrastructure — compute, database, storage, content delivery, transactional email, secrets management | All customer data stored or processed in the platform (encrypted at rest with AWS KMS, in transit with TLS 1.2+) | United States (us-east-1) | March 1, 2024 |
Stripe, Inc. Privacy policy | Subscription billing, payment processing, sales-rep payout disbursement (Stripe Connect) | Billing contact name, email, business name, payment method tokens (no full card numbers are ever transmitted to or stored by NEXOS) | United States | April 1, 2024 |
Plaid Inc. Privacy policy | Bank account aggregation (only enabled when the customer explicitly connects a bank account via the Plaid Link flow) | Bank transaction data + account metadata for connected accounts only | United States | May 1, 2024 |
Resend Privacy policy | Outbound transactional email delivery (account notifications, password resets, scheduled reports) | Recipient email address, message body, delivery metadata | United States | September 1, 2025 |
Twilio Inc. Privacy policy | Outbound SMS delivery (approval workflows, alerts) via AWS End User Messaging when enabled on the tenant | Recipient phone number, message body | United States | October 1, 2025 |
Sentry (Functional Software, Inc.) Privacy policy | Mobile app crash reporting (iOS + Android native binaries only — does not run on web) | Crash stack traces, device model, OS version, anonymized user identifier (NOT email) | United States | November 1, 2025 |
Datadog, Inc. Privacy policy | Web dashboard real-user monitoring (page-load timing, browser-side JavaScript error capture) | Session metadata, browser type, page navigation events, JavaScript error stack traces | United States | January 1, 2026 |
AI inference + embedding providers | Invoice / receipt extraction, semantic search, in-app assistant. Names disclosed under NDA + signed DPA — see footer. | Document images + extracted text content submitted to the platform. AI providers do NOT receive billing data, banking data, employee PII fields, or password material. | United States | June 1, 2024 |
Customer-Initiated Integrations
When a customer connects a third-party system (e.g., QuickBooks, Xero, Square, Clover, Revel, Toast), that provider is acting as a sub-processor of the customer, not of NEXOS. The customer agrees to that provider's terms directly during the OAuth connection flow, and NEXOS acts only as the data conduit. These integrations are listed separately because the customer's own legal team is the party responsible for the underlying agreement.
How we notify you of changes
When we add a new sub-processor or replace an existing one, customers under an active subscription receive at least 30 days advance notice at the billing email address on file. Removals of sub-processors are not noticed in advance, as removing a sub-processor reduces — never increases — the parties handling your data.
If a customer objects to a new sub-processor in writing within the notice window, both parties will work in good faith to identify a commercially reasonable resolution. If no resolution is reached, the customer may terminate the affected services and receive a pro-rated refund of any prepaid fees.
Data residency
All current sub-processors operate from infrastructure located in the United States. Customer data is not transferred to or processed in jurisdictions outside the United States. Customers with specific regional residency requirements (EU, UK, Canada, Australia) should contact our security team prior to subscribing — we can quote the cost of deploying a dedicated regional instance under a separate contract.
AI provider naming policy
The AI inference and embedding providers powering invoice extraction, semantic search, and the in-app assistant are listed by category on this page rather than by named entity. The full list — including provider names, contract effective dates, data flow descriptions, and copies of the executed DPAs — is made available under NDA and signed DPA. Most enterprise procurement teams accept this arrangement; it lets our customers' counsel verify our compliance posture without us publishing the competitive details of our AI architecture on a public marketing surface.
To receive the full list, email security@nexosscan.com from the email address on your company domain.
Get notified of changes
Subscribe to our sub-processor change notification list to receive an email whenever this page is materially updated. This is separate from your product subscription — anyone (customer, prospect, procurement team) can subscribe.
Subscribe via security@nexosscan.comQuestions
For all questions related to this sub-processor list, our Data Processing Agreement (DPA), our Master Services Agreement (MSA), or any other privacy or security topic, contact security@nexosscan.com.
See also: Privacy Policy · Terms of Service · Compliance