Sub-processors
UK GDPR Article 28(2) requires the controller to authorise sub-processors. The platform operator engages a small number of third parties to deliver the workspace as a SaaS; each is named here, with the data scope, the region, the data processing addendum status, and the substitution criteria.
The platform operator notifies principal firms 30 days in advance of any addition or material change to this list. A firm with a contractual veto on a sub-processor change can object during the notice window; the operator either resolves the objection or terminates with the firm at no penalty.
Sub-processor list
Section titled “Sub-processor list”| Sub-processor | Purpose | Region | Personal data scope | DPA | Notes |
|---|---|---|---|---|---|
| Vercel Inc. | Application hosting (Next.js runtime, edge network, build platform) | UK / EU regions, with global edge | All workspace traffic in transit; no application-level persistence | Vercel DPA signed; SOC 2 Type II, ISO 27001 | The default deployment pins compute to UK and EU regions. Edge nodes terminate TLS only; payloads never persist on the edge. |
| Postgres provider (Supabase, Neon, or Railway) | Primary database (Postgres 16, RLS, audit chain, attachments metadata) | EU region (Frankfurt default for Supabase; AWS eu-west-2 for Neon) | All persisted personal data | Provider DPA signed; SOC 2 Type II for each | The platform operator selects one provider per deployment. Default is Supabase EU. |
| AWS S3 (or S3-compatible) | Audit chain durable copy under Object Lock; attachment storage | EU region (eu-west-1 default) | Audit events; attachments | AWS DPA signed; ISO 27001, SOC 2 Type II | Object Lock in compliance mode for 10 years on audit roll-up. Attachments inherit parent record’s retention. |
| Postmark (ActiveCampaign LLC) | Transactional email (invitations, MFA enrolment, breach-deadline reminders) | US-region by default; EU-region available | Recipient email address; message body (which contains a link, not PII-rich content) | Postmark DPA signed; UK SCCs for US transfer; SOC 2 Type II | The firm can request Postmark EU. Operator default is US for cost; a per-tenant override moves traffic to EU at the firm’s expense. |
| Sentry (Functional Software, Inc.) | Error monitoring with PII scrubbing | EU region (Frankfurt) | Server-side exception payloads with PII fields scrubbed at the SDK layer | Sentry DPA signed; SOC 2 Type II, ISO 27001 | beforeSend hook strips known PII shapes. 90-day retention. |
| Upstash | Redis-backed rate limiter and step-up cache | EU region | IP, session id, and email hash for rate-limit counters; 1-hour TTL | Upstash DPA signed; SOC 2 Type II | No long-lived personal data. |
DPA terms common to all
Section titled “DPA terms common to all”Each sub-processor’s DPA includes the Article 28 commitments in standard form:
- Process only on documented instructions from the controller (the platform operator passes through the principal firm’s instructions).
- Confidentiality commitments on persons authorised to process.
- Article 32 security measures appropriate to the risk.
- Sub-sub-processor authorisation and flow-down (with each sub-processor’s own list available on request).
- Assistance with subject-rights requests within 30 days.
- Assistance with Articles 32 to 36 (security, breach notification, DPIA).
- Deletion or return of personal data at end of services.
- Audit rights for the controller.
- UK Standard Contractual Clauses for any transfer to a non-adequate country (the UK Extension to the EU-US DPF where applicable for US sub-processors).
The operator holds copies of each DPA and provides them to a principal firm on request as part of the firm’s DPIA process.
Region defaults
Section titled “Region defaults”The default deployment pins data to UK and EU regions. The compute path is UK-region Vercel; the database is EU-region Postgres; durable storage is EU-region S3; rate-limiter is EU-region Upstash; error monitoring is EU-region Sentry.
The two US-region defaults are Postmark (US-region by default for transactional email) and the global Vercel edge network for TLS termination. Both are covered by UK SCCs and the UK Extension to the EU-US Data Privacy Framework.
A principal firm that requires UK-only or EU-only data residency for all sub-processors can request the configuration; the operator confirms the available providers and any cost differential during the adoption call (adoption path).
Substitution criteria
Section titled “Substitution criteria”The operator commits to evaluating any replacement sub-processor against:
- Equivalent technical and organisational measures (Article 32).
- Equivalent or stronger transfer safeguards (UK SCCs, adequacy regulation, or the relevant transfer instrument).
- DPA terms at least as protective as the incumbent.
- A 30-day notice window during which a principal firm can object.
Replacement of a sub-processor is itself a privacy-affecting change that the firm reflects in its own DPIA review.
Audit rights
Section titled “Audit rights”The operator commissions an annual SOC 2 Type II report covering the platform’s own controls. The report is available to principal firms under NDA.
For any sub-processor that does not produce its own SOC 2 Type II or ISO 27001 attestation, the operator runs an annual vendor review and produces a summary the firm can rely on. None of the sub-processors named above sit in this category at present; all hold at least SOC 2 Type II.
A principal firm that requires direct audit of a sub-processor follows the audit clause in its DPA with the operator, which passes through to the sub-processor’s audit clause. In practice, the SOC 2 reports satisfy the audit need for all but the largest principal firms.
Notification of changes
Section titled “Notification of changes”A change to this list is notified to principal firms by email and via a banner in the workspace 30 days before the change takes effect. The notification carries:
- The new or removed sub-processor.
- The data scope.
- The region.
- The DPA status.
- The reason for the change.
The 30-day window allows a firm to object, raise the change in its own DPIA review, or terminate the contract without penalty under the master service agreement’s sub-processor-objection clause.
What is not a sub-processor
Section titled “What is not a sub-processor”The platform operator’s own staff are not sub-processors. They are the operator’s employees, subject to the operator’s confidentiality and access-control regime. Operator staff access to production data goes through a separately audited break-glass mechanism with a recorded operational event for each access; the operator’s internal runbook covers the controls.
A principal firm’s own integrations (a CRM that the firm pulls customer data from to look up a case reference, for example) are not sub-processors of the platform. They are the firm’s own controllers or processors, governed by the firm’s own data-processing arrangements.
The FCA, when a tenant has enabled the FCA-auditor role, is a recipient of personal data, not a sub-processor. The legal basis for disclosure is the FCA’s regulatory powers under FSMA and the principal firm’s own obligations.