Sub-processors

Last updated · 29 June 2026

Pointnode Ltd uses the following sub-processors to deliver the Pointnode platform. Each is engaged under a written data-processing agreement and only processes Customer data to provide the service.

We notify org admins by email at least 30 days before adding or replacing a sub-processor. Customers may object before the change takes effect; if a workable alternative cannot be agreed, the Customer may terminate without penalty.

Current sub-processors

ProviderPurposeData processedRegionTransfer mechanism
Supabase Inc.
Privacy · DPA
Postgres database, authentication, file storage, edge functions, realtime subscriptionsAll Customer data — accounts, audit log, telemetry, configuration, uploadsEU (eu-west-1, Ireland)Within UK / EEA — no transfer mechanism required
Vercel Inc.
Privacy · DPA
Cloud dashboard hosting and CDNWeb request logs (IP, user-agent, path); no application data persisted on VercelMulti-region (edge); EU primarySCCs / IDTA in Vercel DPA
Fly.io Inc.
Privacy · DPA
MQTT-to-database ingest service hosting (pointnode-ingest app), with a persistent volume for the disk-spool retry bufferAsset telemetry in transit; transient retry-buffer contents on diskLondon (lhr)Within UK — no transfer mechanism required
HiveMQ GmbH
Privacy · DPA
MQTT broker for asset telemetry transportAsset telemetry in transit (machine data, no personal data)EU (Frankfurt) — confirm cluster region with Customer on requestWithin EEA — no transfer mechanism required
Resend Inc.
Privacy · DPA
Transactional email delivery (alerts, password resets, invitations)Recipient email address, alert subject and bodyUnited StatesEU SCCs / UK IDTA in Resend DPA
Stripe Payments Europe Ltd
Privacy · DPA
Subscription billing, invoice generation and delivery, customer billing portal. Card / bank-account capture happens directly between the Customer and Stripe's hosted checkout pages; Pointnode never sees raw payment instrument data.Customer organisation name, billing contact email address, invoice line items and amounts, payment metadataIreland (EU) with US affiliate processingEU SCCs / UK IDTA in Stripe DPA
Functional Software, Inc. (Sentry)
Privacy · DPA · Sub-processors
Application error monitoring and observability. Browser and server-side exception payloads, stack traces, request URL, user-agent, and the authenticated user’s account UUID for correlation. Email addresses are hashed (deterministic SHA-256 prefix) before transmission; display names, message bodies, and customer telemetry are never sent.Authenticated account UUID, request metadata (URL, user-agent, HTTP status), exception stack trace, environment fingerprintUnited StatesEU SCCs / UK IDTA in Sentry DPA
Anthropic PBC
Privacy · Trust & sub-processors
Optional AI features — the Asset Briefing (per-asset condition narrative) and the AI Engineer assistant. Asset context is sent to Anthropic's API to generate plain-English analysis. Enabled per asset (the paid Asset Intelligence add-on); no data is sent for assets without the feature switched on. Anthropic does not train models on data submitted via its API.Asset telemetry summaries and trends, condition / health signals, event and defect descriptions, compliance status, and the text of questions a user asks the AI Engineer. No payment data; no account credentials; no personal data beyond what a user types into a question.United StatesEU SCCs / UK IDTA in Anthropic DPA
Voyage AI (MongoDB, Inc.)
Privacy
Optional document-vault search (RAG). Generates vector embeddings of documents uploaded to an asset's document vault so the AI Engineer can cite the relevant passage. Enabled per asset (with the Asset Intelligence add-on); no data is sent for assets without it.Text extracted from documents the Customer uploads to an asset (e.g. manuals, drawings, PLC docs, datasheets). No personal data unless the Customer uploads a document containing it.United StatesEU SCCs / UK IDTA in Voyage DPA

The AI features (Asset Briefing, AI Engineer, document search) are optional and are being rolled out progressively. Where a feature is not enabled for an asset, no Customer data for that asset is sent to Anthropic or Voyage.

Auxiliary services (not sub-processors)

These services are used for our own business operations and do not process Customer personal data:

Subscribe to sub-processor changes

Org admins are automatically notified of changes by email. To subscribe an additional address (e.g. a Customer's DPO), email privacy@pointnode.io.