Sub-processors
Last updated: July 2026
HEA World (operated by NPE Holding B.V., the Netherlands) engages third-party sub-processors to help deliver the Service. This page lists the sub-processors that may process personal data on behalf of our customers (the controllers) under the Data Processing Agreement. It forms Annex III of that DPA.
Connector-based sub-processors (for example email sync, messaging, and commerce integrations) only process personal data where a customer explicitly enables and connects the relevant integration for their HEA.
Core infrastructure sub-processors
Always active for every customer, as part of hosting, storage, runtime, and AI inference.
| Sub-processor | Service | Personal data processed | Processing location |
|---|---|---|---|
| Cloudflare, Inc. | Object storage (R2), database (D1), Workers, CDN | HEA content, conversation archives, visitor IP addresses | EU (Western Europe) |
| Upstash, Inc. | Key-value state store | Sessions, chat state, configuration, transient conversation data | EU (Frankfurt, AWS eu-central-1) |
| Google Cloud (Google Ireland Ltd.) | Background generation and build jobs | HEA generation and processing data | EU (europe-west) |
| Vercel Inc. | Application hosting and serverless runtime | Application data, API traffic, operational logs | US (SCCs) |
| Clerk, Inc. | Authentication and session management | Account-holder identity, email, authentication identifiers | US (SCCs) |
| OpenAI, L.L.C. | AI model inference | Conversation content, prompts, resource context (API data not used for model training) | US (SCCs) |
| Stripe, Inc. / Stripe Payments Europe | Payment and subscription processing | Billing contact details, subscription and payment metadata | US / EU (SCCs) |
| Resend (Plus Five Five, Inc.) | Transactional and notification email delivery | Email addresses, email content, delivery metadata | US (SCCs) |
| Mistral AI SAS | Document OCR for uploaded files | Content of uploaded documents | EU (France) |
| Cookiebot / Usercentrics A/S | Consent management | Consent records | EU (Denmark) |
Connector-based sub-processors
Active only where the customer enables and connects the corresponding integration.
| Sub-processor | Service | Personal data processed | Processing location |
|---|---|---|---|
| Meta Platforms, Inc. (WhatsApp Business) | WhatsApp messaging channel | Phone numbers, message content | US / global (SCCs) |
| Google (Gmail API) | CRM email sync | Email metadata and content | US (SCCs) |
| Microsoft (Graph API) | CRM email sync | Email metadata and content | US / EU (SCCs) |
| Shopify Inc. | E-commerce integration | Store and order data, OAuth tokens | US / Canada (SCCs) |
| Explorium Ltd. | CRM B2B enrichment | Company domains and prospect (business contact) data | US / Israel (adequacy / SCCs) |
| Generic IMAP providers | CRM email sync (customer-supplied mailbox) | Email content and credentials for the connected mailbox | Per customer’s chosen provider |
Not sub-processors under this DPA
The following categories of suppliers do not process customer personal data on HEA World’s behalf and are therefore not sub-processors under the DPA. They are managed in HEA World’s internal supplier register:
- Source code hosting and developer tooling (e.g. GitHub, coding assistants) — no customer data.
- Static asset delivery (e.g. jsdelivr, charting CDNs, web fonts) — no customer personal data intended.
- Search, SEO, and AEO tooling that processes business queries rather than visitor personal data.
- External uptime/status monitoring using signed, aggregated status summaries.
International transfers
Where a sub-processor processes personal data outside the European Economic Area, HEA World relies on appropriate safeguards, principally the European Commission’s Standard Contractual Clauses (SCCs) or an applicable adequacy decision, together with supplementary measures where required. Core personal-data stores (object storage, key-value state, background job execution) are configured in the EU.
Changes to this list
HEA World may add or replace sub-processors as the Service evolves. Where required by the DPA, customers will be notified of intended changes with a reasonable opportunity to object, as described in the Data Processing Agreement.
Contact
Questions about sub-processors or data protection can be sent to privacy@hea-world.com.
See also: Data Processing Agreement · Privacy Policy · Terms & Conditions
HEA World