1. What this page is
Under UK GDPR Article 28(2), a processor that engages another processor (a "sub-processor") must do so only with the prior written authorisation of the controller. This page is that authorisation in published form, by entering or maintaining a subscription with UK Web Marketing, you authorise the sub-processors listed below. It is also the canonical reference that any signed DPA between us points to.
2. The standing list
These eight sub-processors touch personal data on every visit or for every subscriber. Plausible runs on ukwebmarketing.com itself as our cookieless analytics, and Sentry captures the visitor IP address when it records an error.
| Sub-processor | Role | Residency | Data category | Transfer safeguard |
|---|---|---|---|---|
| Vercel Inc. | Static hosting + CDN + edge functions; Vercel Analytics + Speed Insights | United Kingdom, London region lhr1 (Vercel Inc. is US-incorporated) | Page renders, server logs (IP, user-agent), first-party Analytics + Speed Insights telemetry (cookieless) | DPA + UK IDTA Addendum (for any US support routing); ISO 27001 + SOC 2 Type II |
| Neon Inc. (Neon Postgres via Vercel) | Lead / client database (form submissions, enquiry records) | European Union, Frankfurt (AWS eu-central-1). A London migration is planned but not yet done. | Name, email, phone, message text, sector self-ID submitted through our forms | DPA + UK IDTA Addendum (Neon Inc. is US-incorporated); data held in the EEA with intra-EEA safeguards pending the London migration |
| Cloudflare, Inc. | DNS + inbound email routing + CDN edges | European Union + United Kingdom edge POPs | DNS queries, inbound email forwarded to our mailbox | DPA + UK IDTA Addendum; ISO 27001. Documented exception (global network kept by design). |
| Resend, Inc. | Outbound transactional email | European Union (EU region) | Recipient email, message content, send/open metadata | DPA + UK IDTA Addendum (Resend, Inc. is US-incorporated; EU-region infrastructure by selection) |
| Stripe Payments Europe Ltd. | Subscription billing + fraud prevention | Republic of Ireland | Cardholder data (held by Stripe, not us), email, billing address | DPA + UK IDTA Addendum (for global fraud network); PCI DSS Level 1. Documented exception (kept by design). |
| Plausible Analytics | Privacy-friendly web analytics, running on ukwebmarketing.com | European Union (Germany) | Aggregated, cookieless pageview counts, no personal profiles and no shared identifiers | DPA; cookieless by design; EU-hosted |
| Functional Software, Inc. (Sentry) | Error monitoring (captures the visitor IP at the point of an error) | European Union (de.sentry.io ingest region; Functional Software, Inc. is US-incorporated) | Error events with stack trace, URL, browser/device, and visitor IP address | DPA + UK IDTA Addendum; EU ingest region pinned |
| Cal Inc. (Cal.com) | Booking / scheduling | European Union region (Cal Inc. is US-incorporated) | Attendee name, email, and event details for booked calls | DPA + UK IDTA Addendum |
2a. Conditional engagements (not standing processors)
The following are not standing sub-processors. They are engaged only in the circumstances stated, and are listed here for transparency. Capsule CRM applies only on retainers that include lead-tracking; MailerLite is the EU platform for our own newsletter, engaged when you subscribe to it (double opt-in); Plain and Proton Mail are engaged only when the relevant add-on is included in your retainer.
| Provider | When engaged | Residency | Data category | Transfer safeguard |
|---|---|---|---|---|
| Capsule CRM (Zestia Ltd.) | CRM, engaged only on retainers that include lead-tracking (not on a build without a retainer) | United Kingdom (Manchester, UK-hosted) | Client + lead contact records | DPA; UK data controller |
| MailerLite (UAB "MailerLite") | Our own newsletter, subscriptions and broadcasts with double opt-in (activated July 2026) | European Union (Lithuania) | Newsletter subscriber email + signup source + send metadata | DPA under UK / EU GDPR; EU-established processor; any transfer outside the UK or EEA under SCCs / UK IDTA Addendum |
| Plain | Helpdesk, engaged only when a helpdesk add-on is included in your retainer | United Kingdom (London-based) | Support tickets, message content, end-user email | DPA; UK data controller |
| Proton Mail | Real mailboxes, engaged only when the mailbox add-on is purchased | Switzerland | Email content for named mailboxes | DPA; Swiss data-protection adequacy (UK and EU recognised) |
3. International transfers
Our default architecture keeps personal data on UK or EU infrastructure. Several vendors are US-incorporated or operate global networks: Cloudflare (DNS + edge) and Stripe (fraud prevention) are documented exceptions kept by design; Vercel (London hosting + support routing), Neon (the lead / client database, currently hosted in Frankfurt within the EEA), Resend (EU-region email), Sentry (EU ingest region, de.sentry.io), and Cal.com (EU-region scheduling) each store the relevant personal data inside the UK or EEA while their parent companies are US-incorporated. For each, any transfer outside the UK and EEA is protected by the UK International Data Transfer Agreement / Addendum to the EU SCCs (or an equivalent safeguard, including UK adequacy regulations where they exist).
Neon currently sits in Frankfurt (AWS eu-central-1) inside the EEA. A migration to a London region is planned but not yet done; until it completes, the data stays in the EEA under intra-EEA safeguards.
Proton Mail, where the mailbox add-on is purchased, is Swiss-resident. The UK recognises Switzerland under adequacy regulations, so no IDTA is needed.
4. Notification of changes
Before we add a new sub-processor that will process your personal data, we will give you at least 30 days' written notice by email to the address on file. The notice will include the sub-processor's name, role, residency, data category, and transfer safeguard. You may object on reasonable data-protection grounds within that window; if we cannot accommodate your objection, you may terminate the subscription with a pro-rata refund of any prepaid Fees covering the period after termination.
To subscribe to sub-processor change notifications without being a current client, email hello@ukwebmarketing.com with the subject "Subscribe to sub-processor changes".
5. Audit + verification
Each sub-processor listed above has a Data Processing Agreement in place with us; we hold copies of their published security certifications (ISO 27001, SOC 2, PCI DSS) where applicable. Clients on an active retainer may request copies of the signed DPAs we hold, email hello@ukwebmarketing.com and we will respond within 5 working days.
6. Related documents
Data Processing Agreement · Privacy Policy · Cookie Policy · All legal documents
7. Changelog
- v1.2, 2026-07, activated the newsletter and adopted MailerLite (UAB, Lithuania) as the EU newsletter platform in place of the earlier self-hosted Listmonk plan. Double opt-in is enforced: a subscriber stays "unconfirmed" and receives no campaigns until they click the confirmation link.
- v1.1, 2026-06, corrected the standing list to eight data-touching sub-processors: added Neon Postgres (lead / client database, Frankfurt/EU), Sentry (error monitoring, captures visitor IP, EU ingest), and Cal.com (scheduling). Disclosed Plausible as the cookieless analytics running on
ukwebmarketing.comitself and removed the inaccurate "not used on this site" note. Reclassified Capsule CRM, Listmonk, Plain, and Proton Mail as conditional / add-on rather than standing processors. - v1.0, 2026-06-03, promoted from a section of
/complianceto a standalone canonical disclosure, with transfer safeguards added per-vendor.