ONX (Optimal Nexus Ltd) uses the following third-party subprocessors to deliver the platform. Each subprocessor is covered by a Data Processing Agreement (DPA) and, where data is transferred outside the EEA, by Standard Contractual Clauses (SCCs) under GDPR Article 46.
Last updated: July 2026 · To request the full DPA or SCC documentation, contact compliance@optimalnexus.com
Purpose
Application database (PostgreSQL), user authentication, row-level security
Data processed
All application data including account, pipeline, and contact records
Location
European Union (AWS eu-north-1, Stockholm)
Transfer safeguard
Not required — data hosted in the EEA
Certifications
SOC 2 Type II, ISO 27001 (AWS infrastructure)
Purpose
Application hosting, serverless edge functions, global content delivery
Data processed
Request data, session tokens, application traffic
Location
United States / Global Edge Network
Transfer safeguard
Standard Contractual Clauses (EU SCCs)
Certifications
SOC 2 Type II
Purpose
ICP generation, signal analysis, deal recommendations, outreach drafting, AI-assisted insights
Data processed
Company-level context and signals. Outreach drafting and talent matching additionally include limited contact/candidate professional data (e.g. first name, job title, resume text). Not used for model training.
Location
United States
Transfer safeguard
Standard Contractual Clauses (EU SCCs)
Certifications
Enterprise DPA available
Purpose
Company firmographic enrichment and workforce analytics
Data processed
Company domains, firmographics, aggregate workforce data
Location
United States
Transfer safeguard
Standard Contractual Clauses (EU SCCs)
Certifications
Per PDL DPA
Purpose
Company and contact data enrichment via waterfall enrichment stack
Data processed
Company domain, public LinkedIn URLs, firmographic data
Location
United States
Transfer safeguard
Standard Contractual Clauses (EU SCCs)
Certifications
Per Clay DPA
Purpose
Real-time company research and signal discovery
Data processed
Company names, domains, public web context
Location
United States
Transfer safeguard
Standard Contractual Clauses (EU SCCs)
Certifications
Per Perplexity DPA
Purpose
System emails — account notifications, compliance alerts, deal nudges, team invites
Data processed
Email addresses, notification content
Location
United States
Transfer safeguard
Standard Contractual Clauses (EU SCCs)
Certifications
Per Resend DPA
Purpose
Subscription billing and payment processing
Data processed
Billing contact details, payment card data (held by Stripe, never by ONX)
Location
United States / EU
Transfer safeguard
Standard Contractual Clauses (EU SCCs)
Certifications
PCI DSS Level 1, SOC 2
Purpose
Product usage analytics to improve the platform
Data processed
Usage events, user identifiers (email), session metadata
Location
European Union (EU Cloud)
Transfer safeguard
Not required — data hosted in the EEA
Certifications
Per PostHog DPA
Purpose
Application error tracking and performance monitoring
Data processed
Error metadata, request context, user/tenant identifiers
Location
United States
Transfer safeguard
Standard Contractual Clauses (EU SCCs)
Certifications
SOC 2 Type II
Changes to this list:Optimal Nexus Ltd will provide 30 days' notice of any new subprocessors via in-platform notification and email to the account DPA contact. Customers may object to new subprocessors in accordance with their DPA.
Data Processing Agreement: A DPA is available on request for all paying customers. Enterprise customers may request a mutually negotiated DPA.