1. About this list
NowRep uses a small number of third-party service providers to run the Service. Some of them process personal data on our behalf as subprocessors, under the terms of our Data Processing Addendum. Others handle non-personal data, or sit at a layer below us (for example, our infrastructure provider’s own subprocessors). This page lists both groups so Customers can see the full picture.
For background on how NowRep handles personal data, see our Privacy Policy. For the contractual relationship between NowRep and our Customers, see our Data Processing Addendum.
2. Change-notification commitment
If we engage a new subprocessor or swap an existing one in a way that materially changes how Customer personal data is processed, we update this page and show an in-app notice at least 14 days before the change takes effect. That gives Customers time to review the change before it goes live.
For Customers on Pro or Enterprise plans with a signed DPA, this notification commitment and any objection rights are governed by that DPA.
3. Subprocessors that process Customer personal data
| Subprocessor | Purpose | Categories of personal data | Processing location |
|---|---|---|---|
| Primary platform: relational database, authentication, file storage, realtime, and server-side functions. | All categories described in §3 of the Privacy Policy. That includes account data, Talent profile data, identity documents, portfolio media, and business records. | United States | |
Stripe, Inc. | Subscription billing for NowRep Customers: checkout, recurring charges, customer portal, and tax handling. | NowRep Customer billing identity (name, email, billing address), subscription metadata, and customer/subscription identifiers. Card data is held directly by Stripe and never reaches NowRep. | United States, with regional processing in the EU and UK |
Resend (Resend.com, Inc.) | Transactional email: sign-up confirmations, password resets, team invitations, invoice delivery, and operational notifications. | Recipient email address, recipient name where included, and the subject and body of transactional messages. | United States |
Functional Software, Inc. (Sentry) | Server-side and client-side error monitoring and performance tracing. | Stack traces, request URLs, the user identifier of the session that hit the error, browser and device metadata, and partial breadcrumb context. Payload contents are scrubbed by configured rules. | United States |
Cloudflare, Inc. (Turnstile) | Bot and captcha protection on sign-in, sign-up, and the marketing-site contact form. | Visitor IP address, user-agent string, and the captcha challenge response. | Global edge network |
| Application hosting. Runs the NowRep web application and its server-side workers. Fly.io’s DPA is provided to customers on request. | All personal data in transit through, and at rest on, the application servers. Encrypted at rest at the storage layer. | United States | |
Google LLC (Google Fonts) | Web-font delivery for the marketing site and application UI. Stylesheets load from fonts.googleapis.com and font files from fonts.gstatic.com. | Visitor IP address and user-agent, sent to Google by the visitor’s browser when a font is requested. No NowRep account data is transmitted. | Global (Google CDN) |
4. Service providers that handle Customer data but are not engaged by NowRep
These services may receive personal data because a Customer agency chooses to use them, not because NowRep sends data on the Customer’s behalf. We list them here for transparency, but they are not subprocessors under our DPA.
| Provider | What triggers data flow | Categories of data | Relevant policy |
|---|---|---|---|
| YouTube (Google LLC) | A Customer agency embeds a YouTube video on a Talent profile or portfolio. Server-side, NowRep fetches public oEmbed metadata. Client-side, the visitor’s browser loads the embedded player when the video is viewed. | Server-side: video URL only. Client-side: visitor IP, browser, and cookies set by YouTube on playback. | Google Privacy Policy |
| Vimeo, Inc. | A Customer agency embeds a Vimeo video. Same data flow as YouTube. | Same shape as YouTube. | Vimeo Privacy Policy |
5. Service providers that handle no personal data
| Provider | Purpose | Why it is not a subprocessor |
|---|---|---|
Frankfurter API | Daily server-side refresh of currency exchange rates used in multi-currency invoicing. | Only currency codes and dates are transmitted. No personal data. No Customer identifiers. No Talent data. |
6. NowRep’s own infrastructure
NowRep operates from the United States. Personal data is processed in the United States by default, with onward transfers to the locations shown in the table above. For transfers from the UK, the EEA, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent Swiss safeguards. See §7 of the Privacy Policy for detail.
7. How to ask about this list
For questions about a specific subprocessor, or to request a copy of the safeguards we use for a particular cross-border transfer, email privacy@nowrep.io.
For security-vulnerability reports, email security@nowrep.io.
8. Change log
| Date | Change |
|---|---|
| May 31, 2026 | Initial publication. |