# List of Sub-Processors

Last Updated: February 5, 2026

Effective Date: February 5, 2026

Version 1.0

**About This Page**

This page lists all third-party sub-processors that process personal data on behalf of **Nover, Inc.** as part of the Nover platform at nover.studio. We maintain this list for transparency and to fulfill our obligations under GDPR and other applicable data protection laws. For full details on how we handle your data, see our [Privacy Policy](/legal/privacy).

## Table of Contents

1. [Current Sub-Processors](#1-current-sub-processors)
2. [Sub-Processor Details](#2-sub-processor-details)
3. [Data Processing Agreements](#3-data-processing-agreements)
4. [Planned Future Sub-Processors](#4-planned-future-sub-processors)
5. [Notification of Changes](#5-notification-of-changes)
6. [Your Rights](#6-your-rights)
7. [Contact Information](#7-contact-information)

## 1. Current Sub-Processors

The following third-party sub-processors currently process personal data as part of the Nover Service:

| Sub-Processor | Purpose | Data Categories Processed | Data Location | Security Certifications |
|---|---|---|---|---|
| **Supabase** | Database and authentication | Account data, hashed passwords, authentication tokens, session data | **European Union** | SOC 2 Type II |
| **Stripe** | Payment processing | Name, email, billing address, payment method tokens, transaction history | **United States** | PCI DSS Level 1, SOC 1, SOC 2 |
| **Runware.ai** | AI image and video generation | Text prompts, generation parameters, image/video output URLs | Service provider's infrastructure | Standard API terms (no formal certifications disclosed) |
| **Vercel** | Primary web hosting | IP address, request logs, page views, static assets | **Global CDN** (US-based company) | SOC 2 Type II |
| **Netlify** | Backup web hosting | IP address, static assets | **Global CDN** (US-based company) | SOC 2 Type II |
| **Namecheap** | Domain registration, DNS, and CDN services | Domain routing data, DNS queries | **United States** | Standard industry practices |

## 2. Sub-Processor Details

### Supabase

- **Website:** [supabase.com](https://supabase.com)
- **Role:** Provides managed PostgreSQL database and authentication services. Stores all primary account data including user profiles, authentication credentials, and session information.
- **Data residency:** EU region, ensuring GDPR-compliant data storage for core personal data.
- **Privacy policy:** [supabase.com/privacy](https://supabase.com/privacy)

### Stripe

- **Website:** [stripe.com](https://stripe.com)
- **Role:** Processes all subscription payments and billing. Handles credit card data, billing addresses, and transaction records. Nover does not store credit card numbers, CVVs, or full card details — these are handled entirely by Stripe.
- **Privacy policy:** [stripe.com/privacy](https://stripe.com/privacy)
- **Terms of service:** [stripe.com/legal](https://stripe.com/legal)

### Runware.ai

- **Website:** [runware.ai](https://runware.ai)
- **Role:** Provides API access to AI models for image and video generation. Receives text prompts and generation parameters, returns generated content as publicly accessible URLs.
- **Important:** As of the effective date of this document, we do not have a formal Data Processing Agreement (DPA) with Runware.ai. Data is processed under their standard terms of service.
- **Note:** Generated images are hosted on Runware.ai's infrastructure as **publicly accessible URLs**. See our [Privacy Policy](/legal/privacy) Section 8 for important privacy implications.

### Vercel

- **Website:** [vercel.com](https://vercel.com)
- **Role:** Primary web hosting provider. Serves the Nover web application through a global CDN with built-in DDoS protection and automated SSL/TLS.
- **Privacy policy:** [vercel.com/legal/privacy-policy](https://vercel.com/legal/privacy-policy)

### Netlify

- **Website:** [netlify.com](https://netlify.com)
- **Role:** Backup web hosting provider for static assets and redundancy.
- **Privacy policy:** [netlify.com/privacy](https://www.netlify.com/privacy/)

### Namecheap

- **Website:** [namecheap.com](https://namecheap.com)
- **Role:** Provides domain registration, DNS management, and CDN services for the nover.studio domain.
- **Privacy policy:** [namecheap.com/legal/general/privacy-policy](https://www.namecheap.com/legal/general/privacy-policy/)

## 3. Data Processing Agreements

| Sub-Processor | DPA Status |
|---|---|
| **Supabase** | Covered under Supabase's standard DPA |
| **Stripe** | Covered under Stripe's DPA for connected accounts |
| **Runware.ai** | **No formal DPA** — processed under standard API terms |
| **Vercel** | Covered under Vercel's standard DPA |
| **Netlify** | Covered under Netlify's standard DPA |
| **Namecheap** | Standard terms of service |

We are committed to establishing formal Data Processing Agreements with all sub-processors that handle personal data. We will update this page as DPAs are executed.

## 4. Planned Future Sub-Processors

As Nover grows, we may engage additional sub-processors for the following purposes:

| Category | Potential Purpose | Examples |
|---|---|---|
| **Error Tracking** | Monitoring application errors and platform reliability to improve user experience | Sentry, Datadog, LogRocket |
| **Email Service** | Transactional and service-related email delivery (billing confirmations, security alerts, policy updates) | SendGrid, Postmark, Resend |
| **Analytics** | Aggregated, anonymized usage analytics to understand how users interact with the Service (no individual tracking or profiling) | Plausible, PostHog, Mixpanel |
| **Customer Support** | Ticketing and support communication management | Intercom, Zendesk |

These are potential categories only. Specific providers have not been selected. Before engaging any new sub-processor, we will follow the notification process described in Section 5.

## 5. Notification of Changes

We will notify users before adding, removing, or replacing any sub-processor that processes personal data:

1. **Advance notice.** We will update this page and notify users via email at least **30 days** before a new sub-processor begins processing personal data.
2. **Right to object.** If you have a reasonable objection to our use of a new sub-processor, you may contact us at <legal@nover.studio> within 30 days of notification. We will work in good faith to address your concerns, which may include offering an alternative configuration or, if no resolution is possible, allowing you to terminate your account.
3. **Emergency additions.** In rare cases where we must add a sub-processor urgently (for example, to address a critical security incident), we will notify users as soon as reasonably practicable and provide a detailed explanation.

## 6. Your Rights

Under GDPR and other applicable data protection laws, you have rights regarding how your personal data is processed by our sub-processors, including:

- **Right to access** the personal data processed by each sub-processor on your behalf.
- **Right to erasure** — request deletion of your data from our systems and, where technically feasible, from sub-processor systems.
- **Right to object** to the engagement of a new sub-processor (see Section 5).
- **Right to data portability** — receive your data in a structured, machine-readable format.

To exercise any of these rights, contact us at <legal@nover.studio>. For full details on your rights, see our [Privacy Policy](/legal/privacy) Sections 12 and 13.

## 7. Contact Information

For questions about our sub-processors, data processing practices, or to exercise your data protection rights:

- **Privacy and Legal Inquiries:** <legal@nover.studio>
- **General Support:** <support@nover.studio>

**Nover, Inc.**
A Delaware C-Corporation

---

**Related Documents:**

- [Privacy Policy](/legal/privacy)
- [Terms of Service](/legal/terms)
- [Security Policy](/legal/security)
- [DMCA Policy](/legal/dmca)

---

**Previous Versions:** None — this is Version 1.0.