Back to Home

Sub-processors

Last Updated: May 3, 2026

Nova AI Ops engages a small set of third-party sub-processors to deliver the platform. This page lists each sub-processor, the type of data they process on our behalf, where the processing takes place, and the safeguards we apply. Updates to this list are notified at least 30 days in advance per Section 7 of our Data Processing Agreement.

1. Infrastructure & Hosting

These providers host the Nova AI Ops platform, customer telemetry, and incident data.

  • Amazon Web Services (AWS), Inc.: primary cloud hosting (compute, object storage, managed database, networking). Data location: us-east-1 (Virginia, US) by default; Customer may opt into eu-west-1 (Ireland) on Enterprise. Safeguards: AWS DPA, EU SCCs, ISO 27001 / SOC 2 / SOC 3 certifications.
  • Cloudflare, Inc.: CDN, DDoS mitigation, WAF, and edge TLS termination. Data location: global edge; only request metadata and TLS handshake data are observed. Safeguards: Cloudflare DPA, EU SCCs, ISO 27001.
  • Let's Encrypt (Internet Security Research Group): automated TLS certificate issuance for novaaiops.com and customer subdomains. Data location: global. Only public domain names and ACME challenge data are processed.

2. AI Inference & Model Providers

Providers used for AI agent reasoning, summarisation, and on-call analysis. Customer prompts and incident metadata are sent to these providers; payloads are not used to train provider models.

  • Anthropic PBC: Claude family models (default). Data location: US. Safeguards: Anthropic Commercial Terms, zero-retention API tier where Customer enables it, EU SCCs.
  • OpenAI, L.L.C.: GPT family models (optional, Customer-toggled). Data location: US. Safeguards: OpenAI Enterprise/API DPA, zero-retention by default, EU SCCs.
  • Google LLC (Vertex AI / Gemini): optional Gemini family models (Customer-toggled). Data location: US or eu-west-4 (Netherlands), Customer-selectable. Safeguards: Google Cloud DPA, EU SCCs.

Customer can disable any non-Anthropic provider in Workspace Settings. The choice of model provider affects which sub-processor in this section processes Customer prompt data.

3. Communication & Notifications

Providers used to deliver alerts, password resets, invitations, and product communications.

  • Microsoft Corporation (Microsoft 365 / Exchange Online): outbound transactional email (alerts, password resets, invitations) sent from alerts@novaaiops.com. Data location: US (primary). Safeguards: Microsoft Online Services DPA, EU SCCs, ISO 27001 / SOC 2.
  • Twilio Inc.: SMS / voice on-call notifications (Pro and Enterprise plans). Data location: US. Safeguards: Twilio DPA, EU SCCs, SOC 2.
  • Slack Technologies, LLC (Salesforce): when a Customer connects Slack via OAuth, notification payloads pass through Slack to the Customer's workspace. Data location: per Customer's Slack workspace. Safeguards: Slack DPA, EU SCCs.

4. Payments & Billing

  • Stripe, Inc.: payment processing for plan subscriptions. Card data is sent directly from the customer's browser to Stripe; Nova AI Ops does not store full card numbers. Data location: US, with EU residency option on request. Safeguards: PCI DSS Level 1, Stripe DPA, EU SCCs.

5. Analytics & Product Telemetry

  • Plausible Insights OÜ: privacy-preserving website analytics for novaaiops.com. No cookies; no personally identifiable data is processed. Data location: Germany (EU). Safeguards: Plausible DPA, GDPR-aligned by design.
  • Google LLC (Google Analytics 4): optional, only on consent. Where the EU cookie banner records consent, GA4 is loaded; otherwise it is not. Data location: per the Customer's region as selected in GA4. Safeguards: Google Analytics DPA, EU SCCs, IP anonymisation enabled.

6. Customer Support

  • HubSpot, Inc.: support ticket and CRM system used for inbound enquiries from contact-us forms. Stores name, email, and conversation content. Data location: US. Safeguards: HubSpot DPA, EU SCCs, SOC 2.

7. Internal Operations (Affiliates)

  • Nova AI Ops, Inc. and its wholly-owned affiliates: internal employees and contractors providing support, engineering, and operations. Personnel are bound by confidentiality obligations and access Personal Data only on a least-privilege basis tied to a documented support, engineering, or compliance need.

8. Notification of Changes

We notify Customers of any addition or replacement of a Sub-processor at least 30 days before the change takes effect. Notification is delivered via:

  • An update to this page (with the Last Updated date revised).
  • An in-product notification visible to Workspace Admins.
  • An email to the billing or admin email on file.

Customer may object to a new Sub-processor on reasonable data-protection grounds within the 30-day notice window per Section 7 of the DPA. To subscribe to direct notifications, email privacy@novaaiops.com with the subject line "Sub-processor notifications".

9. Contact

For questions about this list, including the safeguards applied to a specific Sub-processor or to request a counter-signed copy of the DPA, contact:

Data Protection: privacy@novaaiops.com
Security: security@novaaiops.com
Mailing Address: Nova AI Ops, Inc., Houston, TX, United States