QMS Nordic — AI-native Quality Management for Medical Devices, IVD & Pharma

QMS Nordic sub-processors

GDPR Article 28(2) disclosure · last updated 2026-04-30

QMS Nordic uses the third parties below to operate the SaaS. Under the DPA, QMS Nordic gives customers at least 30 days advance notice before adding or replacing any sub-processor.

Sub-processor	Purpose	Data categories	Region	Certifications
Amazon Web Services / GCP / Azure (hosting)	Compute, database, object storage for the QMS Nordic platform	· All tenant data at rest · All tenant data in transit	Customer-selectable: EU (eu-central-1) or US (us-east-2). Multi-region for Enterprise.	SOC 2 Type II ISO 27001 HIPAA-eligible GDPR-compliant
Stripe, Inc.	Subscription billing + payment processing	· Customer billing contact · Card data (stored by Stripe, never by QMS Nordic) · Subscription status	US + EU (Stripe Atlas Ireland)	PCI-DSS Level 1 SOC 2 Type II ISO 27001
Resend	Transactional email delivery (verification codes, helpdesk replies, digest emails)	· Email addresses · Email subject + body content	US (with EU pop)	SOC 2 Type II
Twilio Inc.	SMS verification codes	· Phone numbers · SMS message body (verification codes only)	US + EU	ISO 27001 SOC 2 Type II HIPAA
Anthropic PBC	AI document drafting, hazard suggestion, helpdesk classification + reply drafting	· Document content + prompts (zero-data-retention enabled) · Helpdesk message content	US	SOC 2 Type II
OpenAI	Embeddings for the pgvector RAG retrieval index	· Document chunks (embedded as 1536-dim vectors)	US	SOC 2 Type II

To subscribe to change notifications, see our DPA §4. To object to a new sub-processor in the 30-day notice window, contact privacy@qmsnordic.com.