Sub-processors
Nediva uses the third-party services below to operate the platform. Each is bound by a data-processing agreement and only sees the information necessary to deliver its function. We do not sell or share personal information with advertisers.
Current sub-processors
| Provider | Purpose | Data accessed | Region |
|---|---|---|---|
| Stripe, Inc. | Payment processing, Stripe Connect Express payouts, KYC/AML, fraud screening, card vaulting, 1099 reporting. | Donor name + email + billing address, card data (Stripe-only, never on our servers), nonprofit Stripe-onboarding info. | US |
| Supabase, Inc. | Postgres database, auth, file storage, realtime infrastructure. | All non-payment data: profiles, posts, donation metadata, follows, notifications, uploaded media. | US (AWS) |
| Vercel, Inc. | Application hosting, edge delivery, deployment infrastructure. | Server-rendered HTML and request metadata (IP, user-agent); no persistent user data. | US + global edge |
| Resend, Inc. | Transactional email — receipts, password resets, notifications, thank-you emails. | Recipient name + email, message contents. | US |
| OpenAI, L.L.C. | AI caption generation (composer assistant); content-moderation classifier on user-generated content. | Post draft text or media filename; user identifiers are NOT sent with requests. | US |
| Cloudflare, Inc. | CDN delivery for static assets and uploaded media; DDoS protection. | Cached assets, request IP for delivery routing. | Global edge |
| Endaoment Inc. | Independent donor-advised-fund sponsor for the optional DAFpay grant flow. | Only the data needed to route a grant the donor initiates (donor name + email + grant amount + recipient EIN). | US |
| Anthropic, PBC (Claude API) | Internal engineering automation only — does not handle live user traffic. | Application source code + design assets passed during build-time agent work. No production user data. | US |
Authentication services
Supabase Auth handles credential hashing + storage; Nediva never sees a user’s password. Supabase processes the email + display name during sign-up. Password reset emails are sent via Resend.
Changes to this list
We will update this page when a sub-processor is added, removed, or materially changes scope. Where required by law, we will notify affected users by email at least 30 days before a new sub-processor begins processing personal information.
Questions
For DPA requests or detailed processing questions, email legal@aishtamidhats.com.