Sub-processors

NPG Pulse engages the following external services ("sub-processors") to operate the platform. This list is the authoritative source, kept in sync with the clinic DPA's Annex B, and updated with 30 days' notice for additions or replacements (per DPA clause 6.3).

Last updated: 2026-06-04 · Questions: privacy@nordicpatientgroup.dk

Sub-processors handling clinic patient data

These parties process patient data on behalf of the clinic (NPG acts as processor). They appear in the clinic DPA's Annex B.

VEKST Solutions LLC

VEKST Solutions LLC (EIN 98-1931362)

Patient dataVisibility dataPlatform infrastructure

Operating the NPG Pulse platform — application logic, integrations, and data processing on behalf of NPG.

Country: USA (Florida)
Data location: USA (contractual counterparty) + EU (primary storage at Supabase in Stockholm).
Transfer basis: SCCs (EU Standard Contractual Clauses)
Engaged since: 2026-04-23

Primary sub-processor. SCCs Module 3 (Processor→Sub-processor) is signed between NPG and VS-LLC in a separate sub-processor agreement. TIA in the DPA's Annex D.

DPA signed bilaterallyPrivacy policy ↗

Supabase

Supabase Inc.

Patient dataVisibility dataPlatform infrastructure

Primary application database (PostgreSQL) incl. authentication and auto-backup.

Country: USA (contractual counterparty)
Data location: Stockholm, Sweden (eu-north-1).
Transfer basis: SCCs (EU Standard Contractual Clauses)
Engaged since: 2026-04-21

Data is stored physically in the EU; contractual counterparty is US-based, hence SCCs as transfer basis.

Vendor DPA ↗Privacy policy ↗

Vercel

Vercel Inc.

Patient dataVisibility dataPlatform infrastructure

Application hosting (Next.js). EU edge regions preferred.

Country: USA
Data location: EU edge regions preferred; control plane in the USA.
Transfer basis: SCCs (EU Standard Contractual Clauses)
Engaged since: 2026-04-21

Vendor DPA ↗Privacy policy ↗

Vercel Blob

Vercel Inc.

Patient dataPlatform infrastructure

File storage — clinic logos and any patient-data exports for DSARs.

Country: USA
Data location: EU regions.
Transfer basis: SCCs (EU Standard Contractual Clauses)
Engaged since: 2026-04-22

Vendor DPA ↗Privacy policy ↗

Postmark

AC PM LLC (Postmark, an ActiveCampaign company)

Patient data

Transactional email — delivery of NPS invitations (and later clinic-staff authentication emails) from the NPG Pulse database to recipients' inboxes. Canonical storage remains in the NPG Pulse database; Postmark receives only render-ready HTML/text plus recipient data at send time.

Country: USA
Data location: USA (Chicago + AWS US).
Transfer basis: SCCs + EU-US DPF
Engaged since: 2026-05-04

Transactional email delivery for all patient surveys + clinic-owner invitations. Stream separation enforced: NPS invitations on the 'transactional' message stream; broadcast stream reserved for any future clinic-staff product notifications. No marketing email is sent via Postmark. DKIM + Return-Path verified on vekst.dk.

Vendor DPA ↗Privacy policy ↗

OpenRouter

OpenRouter, Inc.

Patient data

AI inference for clinic-aggregated feedback insights. The model receives feedback text but not direct patient identifiers (email / name).

Country: USA
Data location: USA (model-provider dependent).
Transfer basis: SCCs (EU Standard Contractual Clauses)
Engaged since: 2026-04-17

Not trained on our prompts (zero-data-retention configured at OpenRouter). Pseudonymisation: identifiers are removed before text is sent to the model.

Vendor DPA ↗Privacy policy ↗

Sub-processors for visibility data (public reviews)

These parties process publicly available Google and Facebook reviews. NPG acts as controller (not processor) in this scope, so these vendors appear in the privacy policy — not the clinic DPA.

Review-data collection

Third-party provider (EU/EEA)

Visibility data

Collection of publicly available Google and Facebook reviews for clinic visibility analytics.

Country: EU/EEA
Data location: EU
Transfer basis: Intra-EEA (no specific transfer mechanism required)
Engaged since: 2026-04-15

Processes only publicly available reviews. NPG acts as Controller (not Processor) for visibility data — this service therefore does NOT appear in the clinic DPA's Annex B, but in NPG's privacy policy.

DPA signed bilaterallyPrivacy policy ↗

Changes to the list

Addition, replacement or removal of a sub-processor is announced to clinics with at least 30 days' notice via email and dashboard message, per DPA clause 6.3. The clinic has the same period to object.

The full sub-processor basis (purpose, data location, transfer mechanism, vendor DPA and privacy-policy links) is in the tables above.