Sub-processors
Last updated:
Every third party we engage to help run the platform, where they're located, and the safeguard that applies if data leaves the UK/EEA — kept current, with notice before anything changes.
1. What a sub-processor is
Where we act as a processor of Client Data on a Firm's behalf (see our Privacy Policy), a sub-processor is any third party we engage to help provide the Services who also processes that data — for example, our database and hosting providers. Article 28(2) UK GDPR requires us to obtain a Firm's general authorisation to engage sub-processors, disclose who they are, and give notice before adding a new one. This page is how we do that.
2. Current sub-processors
We don't outsource any of this processing without keeping this list current, and every sub-processor below is used to run the platform itself, never to sell or repurpose Client Data.
| Sub-processor | Purpose | Location | International transfer safeguard |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, and file storage | EU (Ireland) | None needed — the EEA is recognised as adequate under the UK's own adequacy regulations |
| Vercel Inc. | Application hosting and content delivery | United States, served via a global edge network including the EU | UK International Data Transfer Agreement (IDTA) / UK Addendum to the EU Standard Contractual Clauses |
| Stripe | Subscription payment processing — card details are entered directly into Stripe's hosted fields and never pass through our servers | UK/EU and United States | UK IDTA / UK Addendum to the EU SCCs where data leaves the UK/EEA |
| Resend | Transactional email delivery (account, security, and billing notifications) | United States | UK IDTA / UK Addendum to the EU SCCs |
| Anthropic, PBC | AI-assisted document data extraction — pre-fills draft fields from an uploaded document for a Firm's staff to review | United States | UK IDTA / UK Addendum to the EU SCCs, or the UK extension to the EU–US Data Privacy Framework where the recipient is certified |
| AML/identity verification provider | Identity verification for the AML/KYC module | To be confirmed once a Firm engages a provider through the platform — the module is provider-agnostic by design | To be confirmed; will meet the same UK GDPR Chapter V standard as every other sub-processor above |
3. HMRC and Companies House aren't sub-processors
When a Firm instructs us to submit a filing, HMRC or Companies House receives the filing as an independent controller of the information they collect under their own statutory functions — they aren't a sub-processor engaged by us. We transmit exactly the filing content a Firm has reviewed and approved, at their instruction and under their authority as agent.
4. Notice of new sub-processors
Before we engage a new sub-processor that will process Client Data, we'll update this page and give Firms at least 30 days' notice by email or in-platform notification. If you reasonably object on data protection grounds within that period, we'll work with you to address the concern; if we can't resolve it, either party may treat that as grounds to terminate the affected Subscription without penalty.
5. Changes to this page
This page reflects our sub-processors as of the date at the top. See section 4 for how we notify Firms of changes.