Sub-processors

Last updated:

Every third party we engage to help run the platform, where they're located, and the safeguard that applies if data leaves the UK/EEA — kept current, with notice before anything changes.

1. What a sub-processor is

Where we act as a processor of Client Data on a Firm's behalf (see our Privacy Policy), a sub-processor is any third party we engage to help provide the Services who also processes that data — for example, our database and hosting providers. Article 28(2) UK GDPR requires us to obtain a Firm's general authorisation to engage sub-processors, disclose who they are, and give notice before adding a new one. This page is how we do that.

2. Current sub-processors

Nothing here is outsourced without this list being kept current, and every one of these is used to run the platform itself — never to sell or repurpose Client Data.

Sub-processorPurposeLocationInternational transfer safeguard
Supabase, Inc.Database, authentication, and file storageEU (Ireland)None needed — the EEA is recognised as adequate under the UK's own adequacy regulations
Vercel Inc.Application hosting and content deliveryUnited States, served via a global edge network including the EUUK International Data Transfer Agreement (IDTA) / UK Addendum to the EU Standard Contractual Clauses
StripeSubscription payment processing — card details are entered directly into Stripe's hosted fields and never pass through our serversUK/EU and United StatesUK IDTA / UK Addendum to the EU SCCs where data leaves the UK/EEA
ResendTransactional email delivery (account, security, and billing notifications)United StatesUK IDTA / UK Addendum to the EU SCCs
Anthropic, PBCAI-assisted document data extraction — pre-fills draft fields from an uploaded document for a Firm's staff to reviewUnited StatesUK IDTA / UK Addendum to the EU SCCs, or the UK extension to the EU–US Data Privacy Framework where the recipient is certified
AML/identity verification providerIdentity verification for the AML/KYC moduleTo be confirmed once a Firm engages a provider through the platform — the module is provider-agnostic by designTo be confirmed; will meet the same UK GDPR Chapter V standard as every other sub-processor above

3. HMRC and Companies House aren't sub-processors

When a Firm instructs us to submit a filing, HMRC or Companies House receives the filing as an independent controller of the information they collect under their own statutory functions — they aren't a sub-processor engaged by us. We transmit exactly the filing content a Firm has reviewed and approved, at their instruction and under their authority as agent.

4. Notice of new sub-processors

Before we engage a new sub-processor that will process Client Data, we'll update this page and give Firms at least 30 days' notice by email or in-platform notification. If you reasonably object on data protection grounds within that period, we'll work with you to address the concern; if we can't resolve it, either party may treat that as grounds to terminate the affected Subscription without penalty.

5. Changes to this page

This page reflects our sub-processors as of the date at the top. See section 4 for how we notify Firms of changes.

6. Contact us