1. What this page is
Under UK GDPR Article 28(2), a processor that engages another processor (a "sub-processor") must do so only with the prior written authorisation of the controller. This page is that authorisation in published form — by entering or maintaining a subscription with UK Web Marketing, you authorise the sub-processors listed below. It is also the canonical reference that any signed DPA between us points to.
2. The list
| Sub-processor | Role | Residency | Data category | Transfer safeguard |
|---|---|---|---|---|
| Vercel Inc. | Static hosting + CDN + edge functions | United Kingdom — London region lhr1 | Page renders, server logs (IP, user-agent), first-party Analytics + Speed Insights telemetry | DPA + UK IDTA Addendum (for any US support routing); ISO 27001 + SOC 2 Type II |
| Cloudflare, Inc. | DNS + inbound email routing + CDN edges | European Union + United Kingdom edge POPs | DNS queries, inbound email forwarded to our mailbox | DPA + UK IDTA Addendum; ISO 27001 |
| Resend, Inc. | Outbound transactional + newsletter email | European Union (EU region) | Recipient email, message content, send/open metadata | DPA; EU-resident infrastructure by selection |
| Stripe Payments Europe Ltd. | Subscription billing + fraud prevention | Republic of Ireland | Cardholder data (held by Stripe, not us), email, billing address | DPA + UK IDTA Addendum (for global fraud network); PCI DSS Level 1 |
| Capsule CRM (Zestia Ltd.) | CRM (Growth Engine + Bespoke tiers only) | United Kingdom (Manchester, UK-hosted) | Client + lead contact records | DPA; UK data controller |
| Plausible Analytics | Analytics (only on client sites that opt in) | European Union (Germany) | Aggregated, anonymised visit counts — no personal data | DPA; cookieless by design; not used on ukwebmarketing.com itself |
| Plain | Helpdesk (Bespoke tier bolt-on) | United Kingdom (London-based) | Support tickets, message content, end-user email | DPA; UK data controller |
| Proton Mail | Real mailboxes (£15/inbox/mo bolt-on, any tier) | Switzerland | Email content for named mailboxes | DPA; Swiss data-protection adequacy (UK and EU recognised) |
3. International transfers
Our default architecture keeps personal data on UK or EU infrastructure. Three vendors routinely operate global networks: Cloudflare (DNS + edge), Stripe (fraud prevention), and Vercel (support routing). For each, transfers outside the UK and EEA are protected by the UK International Data Transfer Agreement / Addendum to the EU SCCs (or an equivalent safeguard — UK adequacy regulations where they exist).
Proton Mail is Swiss-resident. The UK recognises Switzerland under adequacy regulations — no IDTA needed.
4. Notification of changes
Before we add a new sub-processor that will process your personal data, we will give you at least 30 days' written notice by email to the address on file. The notice will include the sub-processor's name, role, residency, data category, and transfer safeguard. You may object on reasonable data-protection grounds within that window; if we can't accommodate your objection, you may terminate the subscription with a pro-rata refund of any prepaid Fees covering the period after termination.
To subscribe to sub-processor change notifications without being a current client, email hello@ukwebmarketing.com with the subject "Subscribe to sub-processor changes".
5. Audit + verification
Each sub-processor listed above has a Data Processing Agreement in place with us; we hold copies of their published security certifications (ISO 27001, SOC 2, PCI DSS) where applicable. Clients on Growth Engine and Bespoke tiers may request copies of the signed DPAs we hold — email hello@ukwebmarketing.com and we'll respond within 5 working days.
6. Related documents
Data Processing Agreement · Privacy Policy · Cookie Policy · EU-sovereign compliance posture · All legal documents
7. Changelog
- v1.0 — 2026-06-03 — promoted from a section of
/complianceto a standalone canonical disclosure, with transfer safeguards added per-vendor.