SUB-PROCESSOR LIST NEXAXT WECO
Version: 1.0 Effective date: 11 May 2026 Canonical URL: https://weco.nexaxt.com/pages/subprocessors-en.html
1. SCOPE
1.1. This list enumerates the sub-processors the Licensor engages to process data the Client passes directly to the Licensor in connection with use of the WECO Service (see DPA, Privacy Policy).
1.2. The list does not relate to End-User data of Client public SPV sites — that data lives exclusively on the Client's infrastructure, and the Client chooses its own sub-processor stack for it.
1.3. New sub-processors are announced on this page at least 30 days before activation, per DPA §7.
2. CURRENT SUB-PROCESSORS
| Sub-processor | Purpose | Jurisdiction | Data categories | Legal safeguards |
|---|---|---|---|---|
| FirstVDS LLC | Hosting of public site https://weco.nexaxt.com and related projects | Russian Federation | IP, User-Agent, web logs, contact-form, page content | Provider contract + SCC equivalent |
| Open-Xchange GmbH / NetSol Hosting | Corporate email (anton.orlov@nexaxt.com, info@nexaxt.com, noreply@) | US (operations) / EU (data centers) | Email correspondence, billing notices | Provider DPA; EU SCCs Module 2 |
| NetSol Technologies (SMTP relay) | Transactional email delivery (License JWT issuance, password reset) | US / Germany | recipient emails, subject, body, metadata | Standard terms + SMTP STARTTLS |
| FreedomPay (Tekh-Finans JSC) | Payment gateway for RK Clients | Republic of Kazakhstan | Payment metadata, payer billing data | Within RK jurisdiction; PCI-DSS-compliant |
| GitHub, Inc. (Microsoft) | Dist repo hosting, GitHub Releases (artifacts, installers), Security Advisories | US | Public commit data, GitHub username, release metadata | Microsoft DPA, EU SCCs |
| Let's Encrypt (ISRG) | Certificate Authority — TLS for public domain and Client installations (via ff-certbot) | US | Domain name, account email | ACME protocol, no PII processing |
| Rekor public transparency log (Sigstore / ISRG) | Build-artifact attestation log entries published per release (cosign keyless signing) | US | Release metadata only (tag, SHA, build timestamp, signer identity) — no Client PII | Sigstore public-good infrastructure; entries are immutable and publicly searchable |
3. OPTIONAL SUB-PROCESSORS (ENGAGED ONLY ON REQUEST)
| Sub-processor | Purpose | Jurisdiction | When |
|---|---|---|---|
| Cloudflare, Inc. | CDN / DNS / WAF (optional) | US | On Licensor / Client choice; 30-day notice before activation |
| Google Workspace | Corporate email (alternative to OpenXchange) | US | Not engaged in v1.0 |
4. SUB-PROCESSORS THE LICENSOR DOES NOT USE IN V1.0
For transparency, the Licensor does not use: (a) third-party analytics providers (Google Analytics, Mixpanel, Amplitude, Segment) — no 3rd-party analytics on the Licensor site as of v1.0; (b) third-party customer-support platforms (Intercom, Zendesk, Salesforce); (c) third-party tag managers (Google Tag Manager); (d) third-party ad-networks / marketing pixels (Meta Pixel, Google Ads, LinkedIn Insight); (e) AI providers processing Client personal data; (f) any sub-processor in DPRK, Iran, Syria, Cuba or other UN/OFAC/EU/UK sanctions jurisdictions.
5. CHANGE NOTIFICATION
5.1. Subscribe. The Client may subscribe to change notifications by emailing anton.orlov@nexaxt.com, subject "[WECO Subprocessor Notifications]".
5.2. By default, all active-license Clients are notified automatically.
5.3. Notice window: at least 30 calendar days before activation of a new sub-processor.
5.4. Right to object — see DPA §7.
6. CONTROLS
6.1. Each sub-processor operates under a written DPA with the Licensor imposing obligations equivalent to those the Licensor owes the Client.
6.2. The Licensor performs initial and periodic vendor review for: (a) certifications (ISO 27001, SOC 2, PCI-DSS — where applicable); (b) geography of processing; (c) reputation and incident history; (d) sanctions status.
7. CONTACTS
NEXA IKS TI LLP DPO email: anton.orlov@nexaxt.com Address: 050013, Almaty, Seifullin Avenue 617
End of Sub-processor List v1.0 of 11 May 2026.