HEA World

Sub-processors

Last updated: July 2026

HEA World (operated by NPE Holding B.V., the Netherlands) engages third-party sub-processors to help deliver the Service. This page lists the sub-processors that may process personal data on behalf of our customers (the controllers) under the Data Processing Agreement. It forms Annex III of that DPA.

Connector-based sub-processors (for example email sync, messaging, and commerce integrations) only process personal data where a customer explicitly enables and connects the relevant integration for their HEA.

Core infrastructure sub-processors

Always active for every customer, as part of hosting, storage, runtime, and AI inference.

Sub-processorServicePersonal data processedProcessing location
Cloudflare, Inc. Object storage (R2), database (D1), Workers, CDN HEA content, conversation archives, visitor IP addresses EU (Western Europe)
Upstash, Inc. Key-value state store Sessions, chat state, configuration, transient conversation data EU (Frankfurt, AWS eu-central-1)
Google Cloud (Google Ireland Ltd.) Background generation and build jobs HEA generation and processing data EU (europe-west)
Vercel Inc. Application hosting and serverless runtime Application data, API traffic, operational logs US (SCCs)
Clerk, Inc. Authentication and session management Account-holder identity, email, authentication identifiers US (SCCs)
OpenAI, L.L.C. AI model inference Conversation content, prompts, resource context (API data not used for model training) US (SCCs)
Stripe, Inc. / Stripe Payments Europe Payment and subscription processing Billing contact details, subscription and payment metadata US / EU (SCCs)
Resend (Plus Five Five, Inc.) Transactional and notification email delivery Email addresses, email content, delivery metadata US (SCCs)
Mistral AI SAS Document OCR for uploaded files Content of uploaded documents EU (France)
Cookiebot / Usercentrics A/S Consent management Consent records EU (Denmark)

Connector-based sub-processors

Active only where the customer enables and connects the corresponding integration.

Sub-processorServicePersonal data processedProcessing location
Meta Platforms, Inc. (WhatsApp Business) WhatsApp messaging channel Phone numbers, message content US / global (SCCs)
Google (Gmail API) CRM email sync Email metadata and content US (SCCs)
Microsoft (Graph API) CRM email sync Email metadata and content US / EU (SCCs)
Shopify Inc. E-commerce integration Store and order data, OAuth tokens US / Canada (SCCs)
Explorium Ltd. CRM B2B enrichment Company domains and prospect (business contact) data US / Israel (adequacy / SCCs)
Generic IMAP providers CRM email sync (customer-supplied mailbox) Email content and credentials for the connected mailbox Per customer’s chosen provider

Not sub-processors under this DPA

The following categories of suppliers do not process customer personal data on HEA World’s behalf and are therefore not sub-processors under the DPA. They are managed in HEA World’s internal supplier register:

International transfers

Where a sub-processor processes personal data outside the European Economic Area, HEA World relies on appropriate safeguards, principally the European Commission’s Standard Contractual Clauses (SCCs) or an applicable adequacy decision, together with supplementary measures where required. Core personal-data stores (object storage, key-value state, background job execution) are configured in the EU.

Changes to this list

HEA World may add or replace sub-processors as the Service evolves. Where required by the DPA, customers will be notified of intended changes with a reasonable opportunity to object, as described in the Data Processing Agreement.

Contact

Questions about sub-processors or data protection can be sent to privacy@hea-world.com.

See also: Data Processing Agreement · Privacy Policy · Terms & Conditions