Third-Party Providers

Subprocessors

Effective: April 4, 2026

Last updated: April 4, 2026

Overview

HMD Corp ("Company," "we," "us") uses third-party service providers (subprocessors) to help deliver the Notify'n platform. These subprocessors may process Customer Data on our behalf in accordance with our Data Processing Agreement and Privacy Policy.

This page lists our current subprocessors, their purposes, locations and the data protection safeguards in place. We maintain contractual relationships with all subprocessors that require them to protect Customer Data in accordance with applicable data protection laws.

Change Notification

Subscribe to Updates

We notify customers of new subprocessors via email at least 30 days before engagement. To receive notifications, ensure your billing contact email is current.

Objection Process

If you have a legitimate objection to a new subprocessor based on data protection grounds, you may notify us in writing within 30 days of receiving our notification. We will work with you in good faith to find a reasonable resolution. If no resolution is possible, you may terminate your subscription as your sole remedy.

Current Subprocessors

The following third parties are authorised to process Customer Data on behalf of HMD Corp:

Amazon Web Services, Inc.

Cloud infrastructure, hosting, storage, computing and email delivery (SES)

United StatesStandard Contractual Clauses, DPF Certified, SOC 2 Type II, ISO 27001

Data Processed

All Customer Data, email content, recipient addresses, sender information

MongoDB, Inc.

Database hosting and management (MongoDB Atlas)

United StatesStandard Contractual Clauses, SOC 2 Type II

Data Processed

All Customer Data stored in database

Vercel, Inc.

Application hosting, edge computing and CDN

United StatesStandard Contractual Clauses, SOC 2 Type II

Data Processed

Traffic data, session data

Stripe, Inc.

Payment processing and billing management

United StatesStandard Contractual Clauses, DPF Certified, PCI DSS Level 1

Data Processed

Billing information, payment details, transaction records

Cloudflare, Inc.

CDN, DDoS protection, DNS and security services

United StatesStandard Contractual Clauses, DPF Certified, SOC 2 Type II

Data Processed

Traffic data, IP addresses, security logs

Groq, Inc.

AI inference engine for content generation and behavioural analysis

United StatesData Processing Agreement, Zero Data Retention for inference

Data Processed

Prompts and content provided to AI features (no training on Customer Data)

Pinecone Systems, Inc.

Vector database for AI-powered search and contact intelligence

United StatesSOC 2 Type II, Data Processing Agreement

Data Processed

Vectorised embeddings of contact engagement data (anonymised)

NetGSM

SMS and voice call delivery infrastructure

TurkeyData Processing Agreement, KVKK Compliant

Data Processed

Recipient phone numbers, SMS content, voice call metadata

PostHog, Inc.

Product analytics and feature flags

European Union (Germany)EU Data Hosting, GDPR Compliant

Data Processed

Usage analytics, feature interaction data

Sentry (Functional Software, Inc.)

Error tracking and application monitoring

United StatesStandard Contractual Clauses, SOC 2 Type II

Data Processed

Error logs, stack traces, device information

Data Protection Measures

Standard Contractual Clauses (SCCs)

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to subprocessors located in countries without adequate data protection determinations, we rely on Standard Contractual Clauses approved by the European Commission (Module 3: Processor to Processor).

EU-U.S. Data Privacy Framework

Where applicable, we engage subprocessors that are certified under the EU-U.S. Data Privacy Framework, the UK Extension and/or the Swiss-U.S. Data Privacy Framework.

Contractual Requirements

All subprocessors are contractually required to:

Process Customer Data only on documented instructions from HMD Corp.
Ensure that personnel processing data are under confidentiality obligations
Implement appropriate technical and organisational security measures
Assist with data subject rights requests when applicable
Delete or return Customer Data upon termination of services
Allow for audits and provide information to demonstrate compliance
Only engage further sub-processors with our prior authorisation

Security Certifications

We prioritise subprocessors that maintain recognised security certifications such as:

SOC 2 Type II
ISO 27001
PCI DSS (for payment processors)

Affiliates

HMD Corp may use the following affiliated entities to provide portions of the Service. These affiliates are bound by the same data protection obligations as HMD Corp:

HMD Corp - United Kingdom (Parent Company)

Additional affiliates may be added as our organisation grows. Check back for updates.

Historical Changes

April 2026

Removed OpenAI, LLC (not in use)
Removed Anthropic, PBC (not in use)
Removed Auth0 / Okta, Inc. (not in use; authentication handled by NextAuth)
Removed Intercom, Inc. (not in use)
Merged duplicate AWS entries into a single listing covering SES
Added Groq, Inc. (AI inference engine)
Added Pinecone Systems, Inc. (vector database)
Added NetGSM (SMS and voice delivery)

January 2026

Initial publication of subprocessor list

Contact Information

For questions about our subprocessors or to raise an objection:

Data Protection Inquiries: dpo@notifyn.net
Subprocessor Objections: legal@notifyn.net
Security Concerns: security@notifyn.net

Back to Legal Center

Third-Party Providers

Subprocessors

Effective: April 4, 2026

Last updated: April 4, 2026

Overview

Change Notification

Subscribe to Updates

We notify customers of new subprocessors via email at least 30 days before engagement. To receive notifications, ensure your billing contact email is current.

Objection Process

Current Subprocessors

The following third parties are authorised to process Customer Data on behalf of HMD Corp:

Amazon Web Services, Inc.

Cloud infrastructure, hosting, storage, computing and email delivery (SES)

United StatesStandard Contractual Clauses, DPF Certified, SOC 2 Type II, ISO 27001

Data Processed

All Customer Data, email content, recipient addresses, sender information

MongoDB, Inc.

Database hosting and management (MongoDB Atlas)

United StatesStandard Contractual Clauses, SOC 2 Type II

Data Processed

All Customer Data stored in database

Vercel, Inc.

Application hosting, edge computing and CDN

United StatesStandard Contractual Clauses, SOC 2 Type II

Data Processed

Traffic data, session data

Stripe, Inc.

Payment processing and billing management

United StatesStandard Contractual Clauses, DPF Certified, PCI DSS Level 1

Data Processed

Billing information, payment details, transaction records

Cloudflare, Inc.

CDN, DDoS protection, DNS and security services

United StatesStandard Contractual Clauses, DPF Certified, SOC 2 Type II

Data Processed

Traffic data, IP addresses, security logs

Groq, Inc.

AI inference engine for content generation and behavioural analysis

United StatesData Processing Agreement, Zero Data Retention for inference

Data Processed

Prompts and content provided to AI features (no training on Customer Data)

Pinecone Systems, Inc.

Vector database for AI-powered search and contact intelligence

United StatesSOC 2 Type II, Data Processing Agreement

Data Processed

Vectorised embeddings of contact engagement data (anonymised)

NetGSM

SMS and voice call delivery infrastructure

TurkeyData Processing Agreement, KVKK Compliant

Data Processed

Recipient phone numbers, SMS content, voice call metadata

PostHog, Inc.

Product analytics and feature flags

European Union (Germany)EU Data Hosting, GDPR Compliant

Data Processed

Usage analytics, feature interaction data

Sentry (Functional Software, Inc.)

Error tracking and application monitoring

United StatesStandard Contractual Clauses, SOC 2 Type II

Data Processed

Error logs, stack traces, device information

Data Protection Measures

Standard Contractual Clauses (SCCs)

EU-U.S. Data Privacy Framework

Where applicable, we engage subprocessors that are certified under the EU-U.S. Data Privacy Framework, the UK Extension and/or the Swiss-U.S. Data Privacy Framework.

Contractual Requirements

All subprocessors are contractually required to:

Process Customer Data only on documented instructions from HMD Corp.
Ensure that personnel processing data are under confidentiality obligations
Implement appropriate technical and organisational security measures
Assist with data subject rights requests when applicable
Delete or return Customer Data upon termination of services
Allow for audits and provide information to demonstrate compliance
Only engage further sub-processors with our prior authorisation

Security Certifications

We prioritise subprocessors that maintain recognised security certifications such as:

SOC 2 Type II
ISO 27001
PCI DSS (for payment processors)

Affiliates

HMD Corp may use the following affiliated entities to provide portions of the Service. These affiliates are bound by the same data protection obligations as HMD Corp:

HMD Corp - United Kingdom (Parent Company)

Additional affiliates may be added as our organisation grows. Check back for updates.

Historical Changes

April 2026

Removed OpenAI, LLC (not in use)
Removed Anthropic, PBC (not in use)
Removed Auth0 / Okta, Inc. (not in use; authentication handled by NextAuth)
Removed Intercom, Inc. (not in use)
Merged duplicate AWS entries into a single listing covering SES
Added Groq, Inc. (AI inference engine)
Added Pinecone Systems, Inc. (vector database)
Added NetGSM (SMS and voice delivery)

January 2026

Initial publication of subprocessor list

Contact Information

For questions about our subprocessors or to raise an objection:

Data Protection Inquiries: dpo@notifyn.net
Subprocessor Objections: legal@notifyn.net
Security Concerns: security@notifyn.net