Northbeams uses a small number of third-party services to deliver the product. This page lists every one of them, what they do, what data they see, where they run, and what compliance standards they hold. We update it whenever the list changes.
01 / How to read this page
Under GDPR Article 28, when you (the controller) hand customer data to a processor (us), and we hand part of it to another vendor (a sub-processor), we have to disclose that vendor and give you a chance to object.
Northbeams' architecture limits how much customer data leaves the user's device in the first place. The classifier runs in the browser. Original prompt content does not leave the device. What is sent to our servers and to the vendors below is metadata: tool identifiers, category labels, redacted snippets, account information, and billing data. Details per vendor below.
Last list-wide review: 2026-05-07.
02 / Active sub-processors
| Vendor | Purpose | Data categories | Region | Certifications | Last reviewed |
|---|---|---|---|---|---|
| Vercel | Marketing site, dashboard, and API hosting; serverless functions; edge network. | Account data, application logs, request metadata, IP addresses. | United States | SOC 2 Type II, ISO 27001, GDPR-aligned | 2026-05-07 |
| Google Cloud / Firebase | Authentication (Google OAuth, Microsoft OAuth, email magic links, TOTP MFA); Firestore database for organisation, member, and incident records. | Account data, organisation data, AI-tool detection events (no original prompt content), email addresses, MFA enrollment metadata. | United States (us-central1) | SOC 2 Type II, ISO 27001 / 27017 / 27018, HIPAA-eligible BAA available | 2026-05-07 |
| Stripe | Subscription billing, invoices, payment processing. | Billing contact, invoice data, subscription state. Card data is tokenised at Stripe; we never see card numbers. | United States | PCI-DSS Level 1, SOC 2 Type II, ISO 27001 | 2026-05-07 |
| Resend | Transactional email (organisation invites, daily digests, contact-form responses, onboarding drips). | Recipient email addresses, message content sent. | United States | SOC 2 Type II | 2026-05-07 |
| Sentry | Application error tracking and performance monitoring. | Error stack traces, request metadata, session metadata, hashed user identifiers. PII scrubbing rules in place. | United States | SOC 2 Type II, ISO 27001, GDPR-aligned | 2026-05-07 |
| Slack | Org-level incident alerts via incoming webhooks. Optional; only used if the customer configures a webhook URL in their settings. | Aggregate incident counts, AI-tool names, severity labels. No original prompt content. | Customer-configured workspace region | SOC 2 Type II, ISO 27001, FedRAMP Moderate | 2026-05-07 |
| Crisp | Live customer support chat on northbeams.com. | Chat message content, visitor email, visitor name, visitor IP address. | European Union (France) | GDPR-aligned. SOC 2 status under review; vendor replacement evaluated for enterprise customers requiring SOC 2 Type II from chat providers. | 2026-05-07 |
| Cloudflare R2 | Object storage and CDN delivery for the Northbeams desktop installer. | Download metadata: IP addresses, user agents, timestamps for installer downloads. No customer-account data stored here. | Global edge network | SOC 2 Type II, ISO 27001, GDPR-aligned | 2026-05-07 |
03 / Notification of changes
When we add, replace, or remove a sub-processor, we update this page and notify subscribed customers by email at least 30 days before the change takes effect. Customers may object to a new sub-processor by replying within that window; if we cannot resolve the objection, the customer may terminate the affected service for a prorated refund.
To subscribe to change notifications, email security@northbeams.com with the subject "Subscribe sub-processor notifications" and the email address you want notified. Unsubscribe the same way.
04 / Marketing analytics on northbeams.com
The list below runs on northbeams.com (this marketing site) only. It does not run on monitor.northbeams.com (the customer dashboard). None of these vendors receive AI-tool detection events, organisation data, customer account data, or anything from a paid workspace. Each is loaded under Consent Mode v2 with default-deny, so no data is sent until a visitor opts in.
We use Google Analytics 4 to measure page views, conversion paths, and aggregate marketing performance. We use the Meta Pixel, LinkedIn Insight Tag, and Reddit Pixel for retargeting visitors who have opted in. All four are gated by Consent Mode v2 default-deny: the script loads but transmits nothing until consent is granted. Visitors who decline are not tracked, and no data leaves the page.
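As an added example (not Northbeams' own code), this is the shape of a Consent Mode v2 default-deny bootstrap like the one described above: the consent default is pushed to the dataLayer before any vendor tag is configured, and the banner callback only ever upgrades consent explicitly. The gtag shim is module-scoped instead of living on `window` so it runs outside a browser, and the measurement ID is a placeholder.

```javascript
// Module-scoped stand-in for the standard gtag bootstrap
// (window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}).
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// The four Consent Mode v2 consent types the vendor tags consult.
const CONSENT_TYPES = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Must run before any vendor script (GA4, Meta Pixel, LinkedIn Insight Tag,
// Reddit Pixel) is inserted into the page: default-deny every consent type.
function installConsentDefault() {
  const denied = Object.fromEntries(CONSENT_TYPES.map((t) => [t, 'denied']));
  // wait_for_update: milliseconds tags wait for a stored choice before firing.
  gtag('consent', 'default', { ...denied, wait_for_update: 500 });
}

// Banner callback: analyticsOk and adsOk are the visitor's two opt-in choices.
function updateConsent({ analyticsOk, adsOk }) {
  const v = (ok) => (ok ? 'granted' : 'denied');
  gtag('consent', 'update', {
    analytics_storage: v(analyticsOk),
    ad_storage: v(adsOk),
    ad_user_data: v(adsOk),
    ad_personalization: v(adsOk),
  });
}

// Fold the dataLayer into the effective consent state the vendor tags would
// observe. Anything never set resolves to 'denied', never to 'granted'.
function effectiveConsent() {
  const state = Object.fromEntries(CONSENT_TYPES.map((t) => [t, 'denied']));
  for (const [cmd, _action, params] of dataLayer) {
    if (cmd !== 'consent') continue;
    for (const t of CONSENT_TYPES) if (t in params) state[t] = params[t];
  }
  return state;
}

// Bootstrap-order check: the 'consent default' command must precede the first
// 'config' command (the GA4 measurement-ID load), or tags fire before the default applies.
function consentDefaultPrecedesConfig() {
  const i = dataLayer.findIndex((e) => e[0] === 'consent' && e[1] === 'default');
  const j = dataLayer.findIndex((e) => e[0] === 'config');
  return i !== -1 && (j === -1 || i < j);
}
```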
05 / Internal vendors (not sub-processors)
We use GitHub for source control, code review, and CI; the repositories contain our source code, not customer data. We use the Apple Developer Program to sign and notarise the Northbeams macOS installer; Apple receives binary metadata, not customer data. We also use AI development tools internally to write code and documentation; those tools never receive customer data. We list these here for completeness but they do not appear in the table above because they do not process customer data.
For data-processing agreements, vendor security questionnaires, or to subscribe to change notifications, write to security@northbeams.com. We acknowledge within one business day.
See also: Trust center · Disclosure policy