Last updated: February 8, 2026
This page lists all third-party services that process personal data on behalf of Nautis, as required by GDPR Article 28 and Article 30. We are committed to transparency about who handles your data and how it is protected.
1. Processor Inventory
The following third-party services process personal data as part of delivering the Nautis (PitchWitch Ventures LLC) platform:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Email, billing info, payment details | US (Privacy Shield) |
| AWS S3 | File storage | Uploaded files, documents, avatars | Configurable region |
| AWS MediaConvert | Video processing | Video files | Configurable region |
| OpenAI | AI-powered analysis | User prompts, document content | US |
| Anthropic | AI-powered analysis | User prompts, document content | US |
| Google Gemini | AI-powered analysis | User prompts, document content | US |
| Sentry | Error monitoring | Error context, anonymized stack traces | US |
| Google Analytics | Website analytics (with consent) | Anonymized usage data | US |
| SMTP Provider | Transactional email delivery | Email addresses, email content | Varies by provider |
| Google reCAPTCHA | Bot protection | IP address, browser fingerprint | US |
| Google Places | Location autocomplete | Search queries | US |
| Short.io | URL shortening | URLs | US |
2. Processing Details
Stripe (Payments)
- Lawful Basis: Contract performance (Art. 6(1)(b))
- Data Categories: Email, name, billing address, payment card details
- Retention: Per Stripe's policy; transaction records kept for 7 years per tax law
AWS (S3, MediaConvert)
- Lawful Basis: Contract performance
- Data Categories: Files uploaded by users (documents, images, videos)
- Encryption: AES-256 server-side encryption
- Retention: Until user deletes or account is closed
AI Providers (OpenAI, Anthropic, Google)
- Lawful Basis: Contract performance
- Data Categories: User prompts and document content sent for analysis
- Important: No bulk data export; only per-request processing. Data is not used for training.
Sentry (Error Monitoring)
- Lawful Basis: Legitimate interest (Art. 6(1)(f))
- Data Categories: Error stack traces, request context, IP address
- Minimization: PII scrubbing enabled; IP anonymization after collection
Google Analytics
- Lawful Basis: Consent (Art. 6(1)(a)) — requires cookie consent
- Data Categories: Page views, session data, anonymized IP
- Retention: 14 months (default GA4 retention)
Email (SMTP Provider)
- Lawful Basis: Contract performance / Legitimate interest
- Data Categories: Email address, email content
- Types: Transactional (service-related) and Marketing (consent-based)
- Unsubscribe: List-Unsubscribe headers on all emails
3. Our Requirements for Processors
All processors are contractually required to:
- Process data only on our documented instructions
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist with data subject rights requests
- Delete or return data at the end of the service relationship
- Make available information necessary to demonstrate compliance
- Allow and contribute to audits and inspections
4. International Transfers
Some processors are located outside the European Economic Area. We ensure adequate protection for international data transfers through Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V.
5. Changes to This List
This processor list is reviewed quarterly. We will update this page whenever processors are added or removed. For details on how we handle your data, please refer to our Privacy Policy.
6. Contact Us
If you have questions about our data processors or sub-processors:
Email: privacy@getnautis.com
Data Protection Officer: dpo@getnautis.com