Free website audit · a plan and a fair price built around your business · no lock-in

Free audit · a plan built for you · no lock-in

Run a free audit →

Legal

Sub-processor Disclosure

Last updated: July 2026 · Next review: July 2027 · Read time: 4 min · Version 1.2

TL;DR. Eight standing sub-processors touch personal data: Vercel (hosting + Analytics + Speed Insights), Neon Postgres (lead / client database), Cloudflare, Resend, Stripe, Plausible (cookieless analytics on this site), Sentry (error monitoring), and Cal.com (scheduling). All are UK or EU resident; Stripe and Cloudflare route some data through global infrastructure under a UK IDTA Addendum as documented exceptions, and Neon currently sits in Frankfurt (EU) with a London migration planned. Capsule CRM is engaged only on retainers that include lead-tracking; MailerLite (our EU newsletter platform), Plain, and Proton Mail are conditional or add-on, not standing processors. We notify clients of new sub-processors at least 30 days before adding them, by email to the address on file. This is the canonical disclosure referenced by our DPA Article 28 §7.

1. What this page is

Under UK GDPR Article 28(2), a processor that engages another processor (a "sub-processor") must do so only with the prior written authorisation of the controller. This page is that authorisation in published form, by entering or maintaining a subscription with UK Web Marketing, you authorise the sub-processors listed below. It is also the canonical reference that any signed DPA between us points to.

2. The standing list

These eight sub-processors touch personal data on every visit or for every subscriber. Plausible runs on ukwebmarketing.com itself as our cookieless analytics, and Sentry captures the visitor IP address when it records an error.

Sub-processor Role Residency Data category Transfer safeguard
Vercel Inc. Static hosting + CDN + edge functions; Vercel Analytics + Speed Insights United Kingdom, London region lhr1 (Vercel Inc. is US-incorporated) Page renders, server logs (IP, user-agent), first-party Analytics + Speed Insights telemetry (cookieless) DPA + UK IDTA Addendum (for any US support routing); ISO 27001 + SOC 2 Type II
Neon Inc. (Neon Postgres via Vercel) Lead / client database (form submissions, enquiry records) European Union, Frankfurt (AWS eu-central-1). A London migration is planned but not yet done. Name, email, phone, message text, sector self-ID submitted through our forms DPA + UK IDTA Addendum (Neon Inc. is US-incorporated); data held in the EEA with intra-EEA safeguards pending the London migration
Cloudflare, Inc. DNS + inbound email routing + CDN edges European Union + United Kingdom edge POPs DNS queries, inbound email forwarded to our mailbox DPA + UK IDTA Addendum; ISO 27001. Documented exception (global network kept by design).
Resend, Inc. Outbound transactional email European Union (EU region) Recipient email, message content, send/open metadata DPA + UK IDTA Addendum (Resend, Inc. is US-incorporated; EU-region infrastructure by selection)
Stripe Payments Europe Ltd. Subscription billing + fraud prevention Republic of Ireland Cardholder data (held by Stripe, not us), email, billing address DPA + UK IDTA Addendum (for global fraud network); PCI DSS Level 1. Documented exception (kept by design).
Plausible Analytics Privacy-friendly web analytics, running on ukwebmarketing.com European Union (Germany) Aggregated, cookieless pageview counts, no personal profiles and no shared identifiers DPA; cookieless by design; EU-hosted
Functional Software, Inc. (Sentry) Error monitoring (captures the visitor IP at the point of an error) European Union (de.sentry.io ingest region; Functional Software, Inc. is US-incorporated) Error events with stack trace, URL, browser/device, and visitor IP address DPA + UK IDTA Addendum; EU ingest region pinned
Cal Inc. (Cal.com) Booking / scheduling European Union region (Cal Inc. is US-incorporated) Attendee name, email, and event details for booked calls DPA + UK IDTA Addendum

2a. Conditional engagements (not standing processors)

The following are not standing sub-processors. They are engaged only in the circumstances stated, and are listed here for transparency. Capsule CRM applies only on retainers that include lead-tracking; MailerLite is the EU platform for our own newsletter, engaged when you subscribe to it (double opt-in); Plain and Proton Mail are engaged only when the relevant add-on is included in your retainer.

Provider When engaged Residency Data category Transfer safeguard
Capsule CRM (Zestia Ltd.) CRM, engaged only on retainers that include lead-tracking (not on a build without a retainer) United Kingdom (Manchester, UK-hosted) Client + lead contact records DPA; UK data controller
MailerLite (UAB "MailerLite") Our own newsletter, subscriptions and broadcasts with double opt-in (activated July 2026) European Union (Lithuania) Newsletter subscriber email + signup source + send metadata DPA under UK / EU GDPR; EU-established processor; any transfer outside the UK or EEA under SCCs / UK IDTA Addendum
Plain Helpdesk, engaged only when a helpdesk add-on is included in your retainer United Kingdom (London-based) Support tickets, message content, end-user email DPA; UK data controller
Proton Mail Real mailboxes, engaged only when the mailbox add-on is purchased Switzerland Email content for named mailboxes DPA; Swiss data-protection adequacy (UK and EU recognised)

3. International transfers

Our default architecture keeps personal data on UK or EU infrastructure. Several vendors are US-incorporated or operate global networks: Cloudflare (DNS + edge) and Stripe (fraud prevention) are documented exceptions kept by design; Vercel (London hosting + support routing), Neon (the lead / client database, currently hosted in Frankfurt within the EEA), Resend (EU-region email), Sentry (EU ingest region, de.sentry.io), and Cal.com (EU-region scheduling) each store the relevant personal data inside the UK or EEA while their parent companies are US-incorporated. For each, any transfer outside the UK and EEA is protected by the UK International Data Transfer Agreement / Addendum to the EU SCCs (or an equivalent safeguard, including UK adequacy regulations where they exist).

Neon currently sits in Frankfurt (AWS eu-central-1) inside the EEA. A migration to a London region is planned but not yet done; until it completes, the data stays in the EEA under intra-EEA safeguards.

Proton Mail, where the mailbox add-on is purchased, is Swiss-resident. The UK recognises Switzerland under adequacy regulations, so no IDTA is needed.

4. Notification of changes

Before we add a new sub-processor that will process your personal data, we will give you at least 30 days' written notice by email to the address on file. The notice will include the sub-processor's name, role, residency, data category, and transfer safeguard. You may object on reasonable data-protection grounds within that window; if we cannot accommodate your objection, you may terminate the subscription with a pro-rata refund of any prepaid Fees covering the period after termination.

To subscribe to sub-processor change notifications without being a current client, email hello@ukwebmarketing.com with the subject "Subscribe to sub-processor changes".

5. Audit + verification

Each sub-processor listed above has a Data Processing Agreement in place with us; we hold copies of their published security certifications (ISO 27001, SOC 2, PCI DSS) where applicable. Clients on an active retainer may request copies of the signed DPAs we hold, email hello@ukwebmarketing.com and we will respond within 5 working days.

6. Related documents

Data Processing Agreement · Privacy Policy · Cookie Policy · All legal documents

7. Changelog

  • v1.2, 2026-07, activated the newsletter and adopted MailerLite (UAB, Lithuania) as the EU newsletter platform in place of the earlier self-hosted Listmonk plan. Double opt-in is enforced: a subscriber stays "unconfirmed" and receives no campaigns until they click the confirmation link.
  • v1.1, 2026-06, corrected the standing list to eight data-touching sub-processors: added Neon Postgres (lead / client database, Frankfurt/EU), Sentry (error monitoring, captures visitor IP, EU ingest), and Cal.com (scheduling). Disclosed Plausible as the cookieless analytics running on ukwebmarketing.com itself and removed the inaccurate "not used on this site" note. Reclassified Capsule CRM, Listmonk, Plain, and Proton Mail as conditional / add-on rather than standing processors.
  • v1.0, 2026-06-03, promoted from a section of /compliance to a standalone canonical disclosure, with transfer safeguards added per-vendor.
← Back to legal index

Free audit · a plan built for you · no lock-in

Ready to find out exactly what your business needs?

Run a free audit