Effective: 2026-05-03
Last verified: 2026-07-02
Status: legal-review
Owner: Legal and Product

NetQnect Subprocessors

Draft status: for legal review before publication.

Effective date: 2026-05-03

Contact: legal@netqnect.com

1. About This List

This list explains the main third-party providers and provider categories that may process personal data for NetQnect.

The production provider list, regions, contracts, data-processing agreements and transfer safeguards must be confirmed before publication. Optional integrations are included only where they are enabled for a user, organiser or workspace.

2. Core Infrastructure

Google Cloud Platform and Firebase

  • Purpose: hosting, authentication, databases, cloud functions, storage, messaging, app security, crash reporting, performance monitoring and analytics where enabled.
  • Data: account, profile, event, connection, message, usage, diagnostics, token, notification and security data.
  • Location: production Firestore is currently in Google nam5; production Cloud Functions are in europe-west2; some Firebase services run on global Google infrastructure or service-specific locations.
  • Safeguards: Google Cloud/Firebase data-processing terms, Google Cloud subprocessors, applicable SCCs/transfer safeguards, security measures, data-deletion tooling and Data Incident commitments. Legal/Product must approve the mixed-region disclosure before publication.

IONOS VPS hosting

  • Purpose: worker services, AI Concierge orchestration, operational jobs, queues, caches and supporting databases.
  • Data: assistant messages, tool calls, task context, logs, traces and operational metadata.
  • Location: current runtime and graph/vector VPS evidence points to UK-hosted IONOS services.
  • Safeguards: IONOS data-processing terms are part of the IONOS GTC for current contracts; account-specific contract, backup/deletion and incident escalation evidence must be retained in the launch evidence pack.

3. AI And Embeddings

OpenAI

  • Purpose: AI assistant responses, model calls, embeddings, AI-supported search, recommendations or related AI processing through the direct OpenAI API, only where enabled or retained as a fallback.
  • Data: prompts, assistant messages, profile text, relationship context, event context, embeddings input and technical metadata, depending on the feature.
  • Location: current NetQnect evidence shows the available direct OpenAI API project geography as Global; Nebius and Google Agent Platform are separate launch lanes.
  • Safeguards: OpenAI Services Agreement, OpenAI DPA, API data controls and OpenAI subprocessor list. Direct OpenAI must not be claimed as EU/UK-resident unless the account and deployed project evidence support that claim.

Nebius Token Factory

  • Purpose: AI model calls for assistant, relationship-memory, generated-content or worker-side AI processing where enabled.
  • Data: prompts, assistant messages, profile text, relationship context, event context and technical metadata, depending on the feature.
  • Location: approved launch models are selected in Nebius Token Factory with eu-north1 shown in the provider interface. Model locations can vary by model and must be checked before model changes.
  • Safeguards: Nebius DPA incorporated into the Terms of Service, SCCs and UK Addendum for applicable transfers, zero data retention enabled for launch, no prompt/output training under ZDR, published subprocessor list, security measures and certification evidence. Data Lab, post-training, fine-tuning and uploaded datasets are not approved for launch personal-data use unless separately reviewed.

Google Cloud Gemini Enterprise Agent Platform

  • Purpose: embedding generation for profile, event, team/business and capability vector workflows where enabled through Google Cloud Gemini Enterprise Agent Platform / Vertex AI.
  • Data: embedding input text, profile context, event context, team/business context, capability context, returned vectors and technical metadata, depending on the feature.
  • Location: approved embedding calls must supply a Google Cloud Agent Platform region in the API request. Current dev evidence uses europe-west2; staging and production deployments must use the approved UK/EU region and avoid the global endpoint where regional ML processing is required.
  • Safeguards: Google Cloud Data Processing Addendum, SCCs for applicable transfers, Google Cloud AI/ML no-training restriction, regional Agent Platform processing commitments for supported locations, published Google Cloud subprocessor list, security measures and Data Incident commitments. Request-response logging, grounding, session resumption and optional tuning/training are not approved for personal-data embeddings unless separately reviewed.

Self-hosted Neo4j vector storage/search, with Milvus/Zilliz rollback risk

  • Purpose: vector storage and similarity search for profile, event, team, capability, recommendation or matching features where enabled.
  • Data: embeddings, embedding metadata, profile/event/team identifiers, similarity-search metadata and technical metadata, depending on the configured vector provider.
  • Location: intended launch path is self-hosted Neo4j on the IONOS graph host. Some deployed Function evidence still showed stale Milvus/Zilliz and Neo4j Aura configuration and must be cleaned or published as active providers before launch.
  • Safeguards: IONOS host evidence plus NetQnect-controlled vector resolution, deletion, exclusion and rebuild procedures. If Zilliz/Milvus/Aura remain enabled, their DPA, region, retention and deletion evidence must be added before publication.

4. Analytics, Diagnostics And Monitoring

Google Analytics

  • Purpose: website and app analytics if enabled after consent.
  • Data: cookie or device identifiers, page views, events, approximate location, browser and device information.
  • Location: Google Analytics processing locations under Google terms; account/property settings must be confirmed before launch.
  • Safeguards: Google Analytics data-processing terms, retention controls, consent controls, data-sharing settings and publication disclosure.

Firebase Crashlytics and Firebase Performance Monitoring

  • Purpose: crash reports, app diagnostics and performance monitoring where enabled.
  • Data: device, app, diagnostic, event and performance data.
  • Location: Firebase/Google processing locations depending on service and configured project.
  • Safeguards: Firebase/Google data-processing terms, Firebase privacy/security controls, app privacy settings and consent/preference handling. Performance Monitoring pre-consent behavior must be verified before publication.

5. Payments And Billing

Stripe

  • Purpose: paid plans, payments, invoices, billing, tax and subscription administration where enabled.
  • Data: billing contact details, payment identifiers, subscription status, invoice data and transaction metadata.
  • Location: Stripe and its affiliates/subprocessors process globally as described in Stripe terms.
  • Safeguards: Stripe DPA, data-transfer addendum, Stripe service provider/subprocessor list, payment-security controls and financial-record retention exceptions. Paid-plan launch status and account acceptance evidence must be confirmed before enabling.

6. Connected Services

Google Calendar, Microsoft Calendar, GitHub and LinkedIn are not enabled for the current launch scope. They should be added back to this list before use if NetQnect later enables those connection or import features.

Eventbrite

  • Purpose: event import, organiser workflows, attendee matching, check-in or event reference data where enabled.
  • Data: event, organiser, attendee, ticket, claim and platform reference data.
  • Location: provider processing locations to be confirmed.
  • Safeguards: Eventbrite legal terms, organiser DPA, API Terms of Use, security evidence, user or organiser authorisation and disconnect/import deletion controls. See tracker/privacy_ai_compliance/testing/29_event-attendee-authority-and-third-party-transparency-evidence.md for the Eventbrite launch-scope decision packet and current public source URLs.

7. Communications And Support

Firebase Trigger Email, self-hosted Postfix, Porkbun forwarding and support mailbox providers

  • Purpose: transactional email, support messages, product notices and service communications.
  • Data: name, email address, message content, notification tokens, delivery status and support metadata.
  • Location: Firebase Trigger Email extension is deployed in europe-west2; production email queue data follows the production Firestore nam5 database; Postfix runs on the IONOS VPS; Porkbun provides forwarding for domain addresses; destination support mailbox region/provider must be confirmed.
  • Safeguards: Google/Firebase terms, IONOS terms, Porkbun privacy and forwarding terms, Postfix operational controls and mailbox provider evidence. legal@netqnect.com forwarding to Outlook is temporarily risk-accepted for launch on 2026-07-02 and should be replaced with a DPA-backed business mailbox when feasible.

8. Change Notice

NetQnect should update this list before adding a new subprocessor that materially changes how personal data is processed.