Sub-Processors
Nexture AI, Inc.
Effective Date: May 26, 2026
This document was last reviewed and updated on the effective date above.
A sub-processor is a third-party service that processes data on Nexture AI's behalf to deliver the Service. This page is the definitive, continuously-maintained inventory. We commit to providing 30 days' advance notice via email and an in-app banner before adding any new sub-processor that handles tenant data.
Each entry below identifies the provider's role, the class of data it processes, the geographic region of processing, the contractual basis (typically a Data Processing Addendum, or "DPA"), and the provider's commitment regarding the use of customer data for model training.
Data classes used on this page:
- Tenant data — uploaded documents, extracted policy data, and content derived from them.
- Metadata — system-generated information about tenant data (e.g., timestamps, identifiers, processing state).
- User identity — authentication credentials, profile, and session information.
- Operational telemetry — application logs, error traces, and performance metrics, with personal information scrubbed prior to transmission.
- Billing — subscription and invoicing information; no policy or insured personal information.
1. Active Sub-Processors
These providers are engaged for every paying customer of the Service.
1.1. Infrastructure
Render
- Role: Platform-as-a-Service hosting. The entire Nexture AI application stack runs on Render, including web servers, background workers, and runtime memory. Render personnel have technical access to container environment variables, logs, and runtime memory in the course of providing the service.
- Data class: Tenant data, metadata, user identity, operational telemetry.
- Region: United States (us-east).
- Contractual basis: Render Privacy Policy.
- Training commitment: Customer data is not used for training any models.
MongoDB Atlas
- Role: Primary application database. Stores documents, extracted data, user records, and platform metadata.
- Data class: Tenant data, metadata, user identity.
- Region: AWS us-east-1 (N. Virginia). Cluster: nexture-main.wjfc9c.mongodb.net.
- Contractual basis: MongoDB Data Processing Addendum. MongoDB Atlas maintains SOC 2 Type II and ISO 27001.
- Training commitment: Customer data is not used for training any models.
Redis Cloud (Redis Labs)
- Role: Job queue (BullMQ) and session cache supporting the extraction pipeline.
- Data class: Metadata; transient tenant data passed through the queue during job execution.
- Region: AWS us-east-1.
- Contractual basis: Redis Enterprise Cloud DPA.
- Training commitment: Customer data is not used for training any models.
1.2. Amazon Web Services
All AWS services below are governed by the AWS Service Terms and the AWS Data Processing Addendum. Customer data processed through AWS is not used to develop or improve AWS or third-party services.
AWS S3
- Role: Encrypted object storage for uploaded PDFs, OCR transcripts, and generated deliverables. Bucket: nexture-prod-files. Server-side encryption (SSE-KMS or AES-256) is enforced on every object write.
- Data class: Tenant data.
- Region: us-east-1.
- Contractual basis: AWS DPA.
- Training commitment: Customer data is not used for training any models.
AWS KMS
- Role: Key management. Manages the server pepper used in per-user key derivation for encrypted fields and the keys protecting at-rest data.
- Data class: Cryptographic material only; no tenant content.
- Region: us-east-1.
- Contractual basis: AWS DPA.
- Training commitment: Not applicable.
AWS SES (v2)
- Role: Outbound transactional email (share notifications, review requests, system messages).
- Data class: User identity (recipient address), metadata, and any tenant content embedded in the message body or links.
- Region: us-east-1.
- Contractual basis: AWS DPA.
- Training commitment: Customer data is not used for training any models.
AWS Cognito
- Role: User authentication, password hashing, JWT issuance, and multi-factor authentication.
- Data class: User identity.
- Region: us-east-1.
- Contractual basis: AWS DPA.
- Training commitment: Customer data is not used for training any models.
AWS Secrets Manager
- Role: Storage and rotation of platform secrets (API keys, integration credentials).
- Data class: Cryptographic and credential material; no tenant content.
- Region: us-east-1.
- Contractual basis: AWS DPA.
- Training commitment: Not applicable.
1.3. Large Language Model Providers
OpenAI
- Role: Large language model for extraction, conversational responses in the SOIFA assistant, and embeddings.
- Data class: Tenant data (document text and derived prompts).
- Region: United States.
- Contractual basis: OpenAI Enterprise Privacy (API/Enterprise tier).
- Training commitment: Zero training on customer data; zero retention beyond the OpenAI abuse-monitoring window.
Anthropic
- Role: Large language model. Primary model for the SOIFA assistant and used (including Claude Opus 4.7) for extraction validation.
- Data class: Tenant data (document text and derived prompts).
- Region: United States.
- Contractual basis: Anthropic Commercial Terms of Service.
- Training commitment: Zero training on customer data under the Commercial API.
Google AI (Gemini)
- Role: Large language model for the structural extraction pass (Gemini via generativelanguage.googleapis.com), and the Google Geocoding API for address normalization. Both services share a single backend key.
- Data class: Tenant data (document text for Gemini; address strings for Geocoding).
- Region: United States.
- Contractual basis: Google Cloud Data Processing Addendum.
- Training commitment: Customer data submitted via paid Google Cloud APIs is not used to train Google's foundation models.
Mistral AI
- Role: Large language model used to provide extraction diversity, and Mistral OCR as a document-processing fallback.
- Data class: Tenant data (document text).
- Region: European Union.
- Contractual basis: Mistral AI Terms.
- Training commitment: Customer data submitted via the paid API is not used to train Mistral models.
1.4. Document Processing
Mistral AI — OCR (Primary)
- Role: Primary optical character recognition (OCR) and PDF-to-text conversion. Configured as the default OCR provider via OCR_PROVIDER=mistral. See the Mistral entry under Section 1.3 for full data-handling details — the same Mistral contractual agreement and training-opt-out commitment applies to OCR usage as to LLM usage.
LLMWhisperer (Unstract, Inc.) — OCR (Backup)
- Role: Backup OCR provider, used only when the primary (Mistral) is unavailable or returns insufficient text. Not invoked in the normal path.
- Data class: Tenant data (raw document bytes and extracted text).
- Region: United States.
- Contractual basis: Unstract Privacy Policy; data-handling documented at Unstract Data Privacy FAQ; Data Processing Agreement available from Unstract on request.
- Plan tier: Nexture AI operates on Unstract's paid plan. Per Unstract's documentation, documents on the paid plan are not stored — the API functions as a clean pass-through where text is extracted and the source document is discarded.
- Training commitment: Documents on the paid plan are not stored and are not used to improve or train Unstract's models. (Unstract's free plan does store documents and may use them for system improvement; Nexture AI does not use the free plan.)
- Compliance: Unstract publicly claims SOC 2, ISO 27001, GDPR, and HIPAA compliance.
1.5. Billing
Stripe
- Role: Subscription billing and invoicing.
- Data class: Billing only. Stripe receives the subscriber's billing details and does not receive policy data or insured personal information.
- Region: United States and Stripe's global processing footprint.
- Contractual basis: Stripe Data Processing Agreement. Stripe maintains SOC 1, SOC 2, SOC 3, and PCI DSS Level 1.
- Training commitment: Customer data is not used for training any models.
1.6. Operational Telemetry
Sentry
- Role: Error tracking and performance monitoring across both the API and UI services.
- Data class: Operational telemetry. Personal information is scrubbed before transmission.
- Region: United States.
- Contractual basis: Sentry Data Processing Addendum.
- Training commitment: Customer data is not used for training any models.
2. Conditional Sub-Processors
These providers are engaged only when a customer or their administrator explicitly opts in to the corresponding feature. They are not invoked for customers who do not enable them.
2.1. Cloud Connectors (activated by OAuth consent in /dashboard/settings/integrations)
Microsoft (Microsoft Graph)
- Role: Outlook, OneDrive, and SharePoint connectors. Used only when a broker grants OAuth consent. Nexture AI requests minimum scopes (Files.Read, Mail.Read, Calendars.Read).
- Data class: Tenant data (the specific Microsoft 365 content the user authorizes).
- Region: Microsoft's global footprint as configured for the customer's tenant.
- Contractual basis: Microsoft Graph data handling.
- Training commitment: Customer data is not used for training any models.
- Feature flag: Per-user OAuth consent.
Box
- Role: Cloud-folder ingest from Box. Used only when a broker grants OAuth consent.
- Data class: Tenant data (the specific Box content the user authorizes).
- Region: Box's global footprint as configured for the customer's account.
- Contractual basis: Box Customer Agreement.
- Training commitment: Customer data is not used for training any models.
- Feature flag: Per-user OAuth consent.
2.2. Web Research (activated when ENABLE_WEB_RESEARCH=true for the deployment)
Tavily
- Role: Web search for market intelligence, including carrier rate notes and regulatory filings.
- Data class: Query terms only (e.g., carrier names, public topics). No tenant document content is transmitted.
- Region: United States.
- Contractual basis: Tavily terms.
- Training commitment: Per the provider's stated terms.
- Feature flag: ENABLE_WEB_RESEARCH.
Jina Reader
- Role: URL-to-markdown extractor (r.jina.ai) used as a fallback inside the web-research pipeline.
- Data class: Public URLs only. No tenant document content is transmitted.
- Region: Provider's global footprint.
- Contractual basis: Jina AI legal.
- Training commitment: Per the provider's stated terms.
- Feature flag: ENABLE_WEB_RESEARCH.
Firecrawl
- Role: AI-assisted web scraping for anti-bot or JavaScript-heavy sites. Third-tier fallback inside the web-research pipeline.
- Data class: Public URLs only. No tenant document content is transmitted.
- Region: United States.
- Contractual basis: Firecrawl terms.
- Training commitment: Per the provider's stated terms.
- Feature flag: ENABLE_WEB_RESEARCH and a configured FIRECRAWL_API_KEY.
3. Dormant — Listed for Transparency
The following providers have API keys reserved in our configuration for planned future integrations but are not currently transmitting customer data. They are disclosed here for full transparency. Each will be moved to the Active list above with 30 days' advance notice before any customer data is sent.
- AM Best — carrier financial ratings (planned for enrichment).
- Dun & Bradstreet (D&B) — business firmographics.
- Middesk — entity verification.
- OpenCorporates — corporate registry lookup.
- OFAC — sanctions screening.
- Realie — property data.
- Parse.bot — generic web data extraction.
Listed for transparency. Not currently transmitting data. Will be moved to Active with 30 days' advance notice before any customer data is sent.
4. Notice of Changes
Before engaging any new sub-processor that handles tenant data, we will:
- Update this page to reflect the new entry, including its role, data class, region, and contractual basis.
- Provide at least 30 days' advance notice to customers via email and an in-app banner.
- Update the "Effective Date" at the top of this page.
Customers who object to a proposed new sub-processor should contact us at admin@nextureai.com during the notice period to discuss available options.
5. Contact Information
For questions about this Sub-Processors page or our vendor management program, please contact us at:
Nexture AI, Inc.
1521 Alton Rd. PMB 106, Miami Beach, FL 33139, United States
Email admin@nextureai.com