Sub-processors — GDPR Art. 28
Data Processors and Sub-processors
This page lists the third-party service providers ("processors" in GDPR terminology) that may process personal data of NextSpace investors on behalf of the Fund. Each processor is bound by a Data Processing Agreement (DPA) under Article 28 GDPR. Read the full Privacy Notice for context.
Hetzner Online GmbH
Germany (server in Helsinki, FI; backups in Falkenstein, DE)Hosting & infrastructure (compute + Object Storage)
Data categories processed
- All investor data (server processing)
- Encrypted backups (age-encrypted, key off-site)
Legal basis
Art. 28 GDPR (processor)
Transfer mechanism
Intra-EU only (FI + DE), no third country transfer
DPA status
standard DPA available — to be archived in Legal/DPAs/
— DPA terms
Aruba S.p.A.
ItalyEmail service provider (SMTP for outbound mail)
Data categories processed
- Investor email address (recipient)
- Email subject and body content
Legal basis
Art. 28 GDPR (processor)
Transfer mechanism
Italy only
DPA status
standard DPA available — to be archived in Legal/DPAs/
— DPA terms
GitHub, Inc.
United StatesSource code hosting
Data categories processed
- No personal data — code repositories only, no production secrets, no investor records
Legal basis
N/A — does not process investor personal data
Transfer mechanism
US — Microsoft Standard Contractual Clauses + EU Data Boundary
DPA status
standard DPA on file (Microsoft GitHub Customer DPA)
— DPA terms
Anthropic, PBC
United StatesAI assistant for code authoring (engineering only — no investor data routed through)
Data categories processed
- No investor personal data is sent to Anthropic in production runtime.
- During development, source code may be reviewed via Claude Code.
Legal basis
N/A in production
Transfer mechanism
US — SCC + Anthropic enterprise commitments
DPA status
standard DPA available
— DPA terms
We will update this list when we engage a new processor. If you wish to be notified by email about changes, contact ir@nextspace.it.
Last updated: 02 May 2026