Web infrastructure · Compliance
Every part of your UK Web Marketing website — the code, the hosting, the email, the CRM, the analytics, the payments — lives on infrastructure resident in the United Kingdom or the European Union. Built that way from the first commit. Not a checkbox added later when a client asked.
Why this matters for UK businesses
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 require you, as a UK data controller, to know where your customers' personal data is processed and to be able to demonstrate that protection. The Information Commissioner's Office (the ICO) takes a particular interest in cross-border transfers — especially to jurisdictions where local law allows access by foreign authorities without UK or EU due process.
The biggest practical concern is the US CLOUD Act (2018). If your website host, email provider, CRM, or analytics tool is a US company, US authorities can compel the disclosure of stored data — even data physically held in the EU — without notifying you. That isn't theoretical: the US Department of Justice has used CLOUD Act subpoenas against Microsoft, Google, and Amazon since 2019.
For most UK SMBs that's noise. For independent clinics holding patient data, solicitors holding client confidence, schools holding child data, accountants holding financial records, and B2B SaaS startups whose enterprise customers ask procurement questions — it isn't noise. It's the question your buyer is asking before they buy.
Sub-processor disclosure
We maintain this under Article 30 records-of-processing and update it whenever a sub-processor changes. The canonical, procurement-friendly version — with per-vendor transfer safeguards — lives at /sub-processors.
Hosting (Vercel)
Residency: United Kingdom (London — region lhr1)
Astro production build. All page renders + edge functions execute in lhr1.
DNS + Email Routing + CDN
Residency: EU + UK edges
Customer email forwarded inbound. DNS served from European POPs by default.
Transactional + marketing email (outbound)
Residency: European Union
Lead form notifications, newsletter delivery. EU-resident infrastructure.
Customer relationship management
Residency: United Kingdom (Manchester-based, EU-hosted)
Used at Growth Engine + Bespoke tiers. UK company, GDPR-strong by default.
Payments
Residency: Republic of Ireland (Stripe Payments Europe Ltd)
All UK card payments processed by Stripe's EU entity, which is the EU GDPR data controller.
Analytics (when used)
Residency: European Union (Germany)
Cookieless. No cross-site tracking. Privacy-first by design.
Helpdesk (when used)
Residency: United Kingdom (London-based)
Available as a bolt-on for Bespoke clients with SaaS-style support needs.
Real mailboxes (when used)
Residency: Switzerland
EU-equivalent GDPR posture (Swiss data-protection adequacy). Available as a £15/inbox/month bolt-on at any tier.
Sovereignty by tier
EU-sovereignty isn't a Full-Stack-only feature. It's the floor.
| Tier | EU-sovereign hosting | EU-sovereign email | EU-sovereign CRM | EU-sovereign payments |
|---|---|---|---|---|
| Foundation £45/mo | ✓ | ✓ (forwarding) | — | ✓ |
| Growth Engine £195/mo | ✓ | ✓ + EU newsletter | ✓ (Capsule UK) | ✓ |
| Bespoke | ✓ | ✓ + DKIM/DMARC managed | ✓ | ✓ |
Real EU-sovereign mailboxes (Proton Mail) available as a £15/inbox/month bolt-on at any tier — for clients whose teams need to send from named addresses, not just receive.
What we maintain
Maintained per client. Lists what personal data is processed, the lawful basis, the recipients, and the retention period.
The canonical disclosure lives at /sub-processors. Subscribe to material changes via hello@ukwebmarketing.com; updates are flagged with 30 days' notice unless the change is security-critical.
Coordinated disclosure policy at /vulnerability-disclosure with safe harbour, 72-hour acknowledgement, and a 30-day critical-fix SLA. Machine-readable contact at /.well-known/security.txt (RFC 9116).
Article 28 DPAs in place with each sub-processor named above. Available on request for clients on Growth Engine + Bespoke tiers.
The full compliance posture is reviewed annually (next: 2027-06). Findings + any vendor changes are published here.
Common Criteria + the four elective TSCs (Availability, Processing Integrity, Confidentiality, Privacy) documented in our readiness assessment. 17 of 20 Common Criteria operational; remediation queue mapped for Type I attestation.
Talk through your compliance picture
If you're a UK clinic, solicitor, school, accountant, or B2B SaaS startup who needs to answer "where does our data live?" with confidence — WhatsApp me. I'll talk you through the specifics for your sector + map the gaps in what you have now.
Three honest tiers · From £45/mo · Cancel any time