DRAFT — Requires legal review before publication.
Sub-Processor List
Last updated: April 2026
The following third-party services process data on behalf of Nainty users as part of providing the Service. We notify customers of changes to this list via email with 30 days' notice.
To request a copy of our Data Processing Agreement (DPA), contact legal@nainty.com.
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Anthropic | AI features (proposals, forms, reports, workflows) | PII-redacted business context | US |
| Stripe | Payment processing | Payment amounts, payer email | US/Global |
| Plaid | Bank feed connections (US/EU/UK) | OAuth tokens, transaction data | US |
| Basiq | Bank feed connections (AU/NZ) | OAuth tokens, transaction data | AU |
| AssemblyAI | Meeting transcription | Audio recordings | US |
| Twilio | SMS and WhatsApp messaging | Phone numbers, message content | US |
| Clearbit | Company enrichment | Business email addresses | US |
| Apollo | Company enrichment (fallback) | Business email addresses | US |
| Google (Gmail, Calendar) | Email and calendar sync | OAuth tokens, email metadata, calendar events | US/Global |
| Microsoft (Outlook, OneDrive) | Email, calendar, file sync | OAuth tokens, email metadata, files | US/Global |
| Intuit (QuickBooks) | Accounting sync | Invoices, expenses, clients, payments | US |
| Xero | Accounting sync | Invoices, expenses, clients, payments | AU/NZ |
| Gotenberg | PDF generation | Invoice/contract HTML (self-hosted, no external transfer) | Self-hosted |
Security Measures
- All integration tokens are encrypted with AES-256-GCM before storage
- OAuth tokens refreshed automatically; access can be revoked at any time
- Circuit breakers on all integrations provide graceful degradation
- Each integration is voluntary — you control which services to connect
Changes
We will notify you via email at least 30 days before adding a new sub-processor. If you object, you may terminate your account before the change takes effect.