NextKS — List of Subprocessors
Last Updated: February 2026
T-SolArch s.r.o. ("NextKS," "we," "us") uses the following third-party service providers ("Subprocessors") to process Customer Data on our behalf in connection with the NextKS service. This page is maintained in accordance with Section 3.4 of our Data Processing Agreement.
Current Subprocessors
| Subprocessor | Purpose | Data Processed | Data Location | DPA / Legal Basis |
|---|---|---|---|---|
| Vercel Inc. | Application hosting and server infrastructure | All Customer Data (application requests, responses, static assets) | EU (West Europe) | Vercel DPA incorporating EU Standard Contractual Clauses (2021) |
| Supabase Inc. | Database hosting, data storage, authentication services | All Customer Data (account data, knowledge base content, usage data, backups) | EU (West Europe) | Supabase DPA incorporating EU Standard Contractual Clauses (2021) |
| OpenAI OpCo, LLC / OpenAI Ireland Ltd | AI processing — large language model inference for query responses, knowledge retrieval, and Q&A ticket processing | Query content, knowledge base snippets, and user names and email addresses associated with Q&A tickets | United States | OpenAI DPA (executed October 2024) incorporating EU Standard Contractual Clauses (2021), Modules Two and Three |
| Anthropic PBC / Anthropic UK Ltd | AI processing — large language model inference for query responses, knowledge retrieval, and Q&A ticket processing | Query content, knowledge base snippets, and user names and email addresses associated with Q&A tickets | United States | Anthropic DPA incorporating EU Standard Contractual Clauses (2021), Modules Two and Three |
| Salesforce, Inc. (Slack) | Messaging platform — delivery of Q&A ticket notifications and responses to Customer's Slack workspace | Q&A ticket content including user names, email addresses, query text, and AI-generated responses | EU / US (per Customer's Slack workspace configuration) | Salesforce DPA incorporating EU Standard Contractual Clauses (2021) |
| Microsoft Corporation (Teams) | Messaging platform — delivery of Q&A ticket notifications and responses to Customer's Teams tenant | Q&A ticket content including user names, email addresses, query text, and AI-generated responses | EU / US (per Customer's Teams tenant configuration) | Microsoft DPA incorporating EU Standard Contractual Clauses (2021) |
Data Transfer Safeguards
EU-Based Subprocessors (Vercel, Supabase): Customer Data processed by Vercel and Supabase is stored and processed entirely within the EU (West Europe region). No international transfer of Customer Data outside the EEA occurs through these Subprocessors.
US-Based Subprocessors (OpenAI, Anthropic): Customer Data sent for AI processing — including user names and email addresses for Q&A ticket functionality — is transferred to LLM provider servers in the United States. These transfers are protected by:
- EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor) and Module Three (Processor to Sub-Processor)
- UK International Data Transfer Addendum (Version B1.0) for UK GDPR transfers
- Contractual commitments that Customer Data is not used to train general-purpose AI models
- Limited data retention (maximum 30 days for OpenAI; per DPA terms for Anthropic), after which data is deleted
- Encryption in transit (TLS) for all data transmitted to LLM providers
- Transfer Impact Assessment conducted and documented (available upon request)
Messaging Platforms (Slack, Microsoft Teams): NextKS pushes Q&A ticket content to the Customer's configured messaging platform. Data location depends on the Customer's own Slack workspace or Microsoft Teams tenant configuration. Where the Customer's messaging platform is configured for EU data residency, no international transfer occurs through these Subprocessors. Where the Customer's messaging platform stores data in the United States, transfers are protected by the respective provider's DPA and Standard Contractual Clauses. Customers are responsible for ensuring their messaging platform configuration meets their data residency requirements.
LLM Providers — Additional Disclosures
In accordance with GDPR transparency requirements, we disclose the following regarding LLM provider processing:
Data transmitted: Query content, knowledge base article snippets, and user names and email addresses associated with Q&A tickets. Login credentials, passwords, IP addresses, and session tokens are NOT transmitted to LLM providers.
OpenAI
- Data retention: OpenAI retains API input and output data for a maximum of 30 days for abuse monitoring and service integrity purposes, after which it is automatically deleted.
- No model training: OpenAI does not use identifiable Customer Data to train its general-purpose AI models.
- De-identified data: OpenAI may use de-identified, aggregated data derived from API interactions to improve their services, as permitted under their Business Terms. Such data cannot be linked back to any individual or customer.
- Processing entity: OpenAI Ireland Ltd acts as the EU-facing entity; processing is performed by OpenAI OpCo, LLC in the United States under Standard Contractual Clauses.
Anthropic
- DPA incorporation: Anthropic's DPA with Standard Contractual Clauses is automatically incorporated into their Commercial Terms of Service. Acceptance of Anthropic's Commercial Terms constitutes acceptance of the DPA.
- Data retention: Data is retained for the duration of the agreement. Upon termination, Anthropic deletes Customer Data within 30 days. Exceptions apply for legal requirements, dispute resolution, or preventing harmful service misuse.
- No model training: Anthropic does not use identifiable Customer Data to train its general-purpose AI models. Processing is limited to providing/maintaining the service, verifying quality/security, and debugging.
- Encryption: AES-256 for data at rest; TLS 1.2+ for data in transit.
- Access controls: Multi-factor authentication, role-based access control, single sign-on enforcement.
- Breach notification: Within 48 hours of becoming aware of any security breach.
- Security audits: Annual third-party audits; reports available at trust.anthropic.com.
- Sub-processors: Listed at trust.anthropic.com/subprocessors. 15-day objection period for new sub-processors.
- Processing entity: Anthropic UK Ltd acts as the EU/UK-facing entity; processing is performed by Anthropic PBC in the United States under Standard Contractual Clauses (SCCs governed by Irish law, Irish courts).
Security Certifications and Standards
| Subprocessor | Certifications / Standards |
|---|---|
| Vercel | SOC 2 Type 2, ISO 27001 |
| Supabase | SOC 2 Type 2 |
| OpenAI | SOC 2 Type 2, ISO 27001, ISO 27017, ISO 27018, ISO 27701 |
| Anthropic | SOC 2 Type 2 |
| Slack (Salesforce) | SOC 2 Type 2, ISO 27001, ISO 27017, ISO 27018 |
| Microsoft Teams | SOC 2 Type 2, ISO 27001, ISO 27017, ISO 27018, ISO 27701 |
Notification of Changes
We will notify customers of any intended changes to our Subprocessor list (additions or replacements) at least 30 days before authorizing a new Subprocessor to process Customer Data, in accordance with Section 3.4(c) of our DPA. Notifications are sent by email to the customer's registered contact address.
Customers may object to a new Subprocessor on reasonable data protection grounds within the 30-day notice period. See Section 3.4(d) of our DPA for the objection and resolution process.
Contact
For questions about our Subprocessors or data processing practices:
T-SolArch s.r.o. (NextKS)
Příkop 843/4, 602 00 Brno, Czech Republic
Email: info@nextks.com (subject line: "Subprocessor Inquiry")
This page is part of the NextKS legal documentation suite. See also: Privacy Policy · Terms of Service · Data Processing Agreement