Skip to content
Nextriv

Sub-processor list

The list of further processors (sub-processors) engaged by Nextriv when processing personal data on behalf of its customers — in accordance with section 7 of the Data Processing Agreement (DPA). For each entity we indicate its role, processing location and the safeguard applied to any transfer outside the EEA.

List last updated:

1. What this list is

Nextriv (Thermonext Michał Sendrowski) provides its environmental monitoring service as a processor of personal data on behalf of its customers (controllers). To provide the service, we engage further processors (sub-processors) within the meaning of Art. 28(2) and (4) GDPR.

This page constitutes the current sub-processor list referred to in section 7 of the Data Processing Agreement (DPA). We impose on each sub-processor — by way of a contract — the same data protection obligations as set out in the DPA, and we remain liable to our customers for the performance of the sub-processors' obligations.

2. Current list of sub-processors

We process the data entrusted by customers primarily in data centres located within the European Economic Area. Transfers outside the EEA rely solely on the mechanisms of Chapter V GDPR. We currently engage the following sub-processors:

  • Cloudflare, Inc. (USA) — hosting, content delivery (CDN) and protection of the website and forms against bots and abuse; processing location: global data centre network (including the USA); transfer safeguard: EU–US Data Privacy Framework.
  • Google Ireland Limited (Ireland) — analytics tools (Google Analytics 4, Google Tag Manager); processing location: EEA; possible transfers to Google LLC (USA): EU–US Data Privacy Framework.
  • Microsoft Ireland Operations Ltd (Ireland) — e-mail and office tools used to handle correspondence, and the Microsoft Clarity analytics tool; processing location: EEA; possible transfers to Microsoft Corporation (USA): EU–US Data Privacy Framework.
  • Resend (USA) — delivery of transactional e-mails (system replies, notifications); processing location: USA; transfer safeguard: EU–US Data Privacy Framework or Standard Contractual Clauses (SCCs).
  • SMSAPI sp. z o.o. (Poland) — SMS gateway for sending notifications; processing location: EEA (Poland); transfer outside the EEA: not applicable.

3. Changes to the list and right to object

We inform customers of the intended addition or replacement of a sub-processor by e-mail to the administrative e-mail address indicated in the Main Agreement, sufficiently in advance to allow a response. The customer (controller) may object within 14 days of notification — under the terms described in section 7 of the DPA.

The date of the last update of the list is shown in the header of this page. Questions about sub-processors can be sent to [email protected].