Sub-processors
Last updated: 7 May 2026
7 May 2026 — Legal-entity column added (Resend disclosed as Plus Five Five, Inc.; other sub-processors disclosed against their contracting entities). Sentry region corrected to EU (de.sentry.io selected for this project, matching the active DSN). Microsoft 365 (Microsoft Ireland Operations Limited) added for the support-mailbox processing channel. Stripe contracting entity corrected to Stripe Payments Europe, Limited (Dublin, IE), with Stripe LLC (US) disclosed as importer under the UK Data Bridge. Sub-processor change-notice window aligned with the DPA at 30 days. US management-plane footer note added.
AnswerVault uses the following third-party services ("sub-processors") to provide the Service. Each sub-processor has a data processing agreement (DPA) in place with Crocker Digital Ltd.
We will update this page when we add or change sub-processors. Registered users will be notified of changes by email at least 30 days before the change takes effect, matching the commitment in clause 5.2(c) of the Data Processing Agreement.
Current sub-processors
| Service | Legal entity | Purpose | Data processed | Primary location | DPA |
|---|---|---|---|---|---|
| Supabase | Supabase Inc. (US) / Supabase Ltd (UK) | Database, user authentication, file storage | Account data, ESG facts, documents, questionnaire responses, session tokens | UK (London) — eu-west-2 |
Supabase DPA |
| Stripe | Stripe Payments Europe, Limited (One Wilton Park, Wilton Place, Dublin 2, D02FX04, Ireland — EU contracting entity), with Stripe, Inc. and Stripe LLC (US) as importers for group support operations | Payment processing and subscription management | Name, email, payment card details (tokenised — Stripe holds the PAN), billing history | EU (Ireland) primary; US for group support operations | Stripe DPA |
| Resend | Plus Five Five, Inc. (operating as Resend; San Francisco, USA) | Transactional email delivery | Email address, message content (password resets, billing alerts, account notifications) | US | Resend DPA |
| GoatCounter | Martin Tournoij (NL, sole trader) | Privacy-focused website analytics | Anonymous page views only. No personal data, no cookies, no IP storage. | EU | Cookie-free; no personal data processed |
| Netlify | Netlify, Inc. (US) | Website and application hosting | Server access logs (IP address, request URL, user agent) | US with EU edge | Netlify GDPR/DPA |
| Sentry | Functional Software, Inc. (US) | Application error monitoring | Error stack traces, anonymised usage context. No user content or personal data in normal operation. | EU (de.sentry.io region selected) |
Sentry DPA |
| Cloudflare (Turnstile) | Cloudflare, Inc. (US) | Bot-protection CAPTCHA on signup, login and password-reset forms | IP address, user agent and browser-fingerprint signals collected for each challenge; no account or questionnaire data | Global edge | Cloudflare DPA |
| Upstash | Upstash, Inc. (US) | Redis cache for per-IP and per-user rate limiting | Rate-limit keys (IP address or user ID) + counters; no account or questionnaire content; entries auto-expire | EU (Ireland) primary / US fall-back | Upstash DPA |
| Microsoft 365 | Microsoft Ireland Operations Limited (Microsoft 365) | Support mailbox + DSR-instruction inbox processing (support@answervault.co.uk) |
Inbound support emails, replies, attachments | Ireland (EU) | Microsoft Online Services DPA |
AI / LLM providers. AnswerVault does not currently use any third-party AI model provider (OpenAI, Anthropic, Google, Mistral, etc.) and does not send Customer Personal Data to any LLM. If this changes, the relevant provider will be added to this sub-processor list before use, with the standard 30-day change notice in clause 5.2(c) of the Data Processing Agreement.
International transfers
Where sub-processors process data outside the UK or EU/EEA, appropriate safeguards are in place. Stripe contracts via the EU entity (Stripe Payments Europe, Limited — adequacy applies); for US-importer transfers within Stripe's group support operations the UK Extension to the EU-US Data Privacy Framework (UK Data Bridge) applies, with SCCs as a fall-back. Resend, Netlify, Cloudflare (Turnstile) and Upstash (where US fall-back applies) rely on the UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses. Supabase processing is in the UK (London — eu-west-2); GoatCounter is in the EU; Upstash is configured with EU as primary region; Sentry has the EU region (de.sentry.io) selected for this project, with SCCs held as a fallback under Sentry's own DPA. Microsoft 365 contracting is via Microsoft Ireland Operations Limited (adequacy).
Note on US management-plane access. Several sub-processors above are operated by US-headquartered entities (Supabase, Upstash, Sentry, Cloudflare, Netlify, Stripe group, Resend) whose engineers may exercise management-plane access to data resident in EU/UK regions for the purposes of operating, maintaining, and supporting the underlying infrastructure. Such transfers are governed by the EU Standard Contractual Clauses (2021, Module 2) and the UK International Data Transfer Addendum / IDTA in each provider's DPA. See our Data Processing Agreement Schedule 3 and Privacy Policy for full transfer-mechanism detail per sub-processor.
Changes to this list
If we add a new sub-processor or change how an existing one processes data, we will:
- Update this page.
- Notify registered users by email at least 30 days before the change takes effect (matching DPA clause 5.2(c)).
If you object to a new sub-processor, contact us at support@answervault.co.uk within the notice period.
Contact
Questions about our sub-processors? Contact us at support@answervault.co.uk.