Sub-processors
Version 1.0
Last updated: 18 May 2026
Next review: 18 August 2026
This page lists the third-party sub-processors I use to deliver services to clients under my Data Processing Agreement (DPA). Not every sub-processor is engaged on every project — the relevant set depends on the agreed Services and the tools the Data Controller already operates.
Change notification
I review this list quarterly and update it whenever sub-processors change. Existing clients will be notified by email at least 30 days before any new sub-processor is engaged or an existing one is replaced. Clients may object on reasonable data-protection grounds within 30 days of notification. If a reasonable objection cannot be resolved, the affected Services may be terminated without penalty (see §8 of the DPA).
To receive change notifications, email info@nathanoconnor.co.uk with the subject “Sub-processor notifications”.
International transfers
Where Personal Data is transferred outside the United Kingdom, transfers are governed by the applicable transfer mechanism in each sub-processor's own Data Processing Agreement, typically one of:
- An Adequacy decision by the UK government (covers the EEA and a limited list of other countries)
- The UK International Data Transfer Agreement (UK IDTA)
- The European Commission's Standard Contractual Clauses (SCCs) with the UK Addendum issued by the ICO
Copies of the applicable transfer mechanism for any individual sub-processor are available on reasonable request.
Current sub-processors
Vendors are grouped by function. Headquarters and data location reflect the vendor's public disclosures at the time this page was last reviewed.
CRM and contact management
| Vendor | Function | HQ / Location |
|---|---|---|
| Twenty CRM | CRM and contact management | EU / UK (self-hosted) |
| CallTrackingMetrics | Call attribution (where deployed on client sites) | United States |
Ad platforms
| Vendor | Function | HQ / Location |
|---|---|---|
| Google Ads | Search, display, and conversion tracking | United States (global infrastructure) |
| Meta Ads | Conversion tracking and audience matching | United States / Ireland |
| LinkedIn Ads | B2B advertising and audience matching | United States / Ireland |
| Microsoft Ads | Search and conversion tracking | United States |
| TikTok Ads | Conversion tracking and audience matching | United States / Ireland / Singapore |
Analytics and tag management
| Vendor | Function | HQ / Location |
|---|---|---|
| Google Tag Manager (client and server-side) | Tag orchestration | United States (global infrastructure) |
| Google Analytics 4 | Web analytics | United States |
| Matomo | Privacy-friendly analytics (consent-gated) | EU / self-hosted |
Consent management
| Vendor | Function | HQ / Location |
|---|---|---|
| CookieYes | Google-certified Consent Management Platform; IAB TCF signalling | United Kingdom |
Automation
| Vendor | Function | HQ / Location |
|---|---|---|
| n8n | Workflow automation | Self-hosted / EU |
AI tools
| Vendor | Function | HQ / Location |
|---|---|---|
| Anthropic (Claude API) | AI content audits and analysis | United States |
| Perplexity | AI-assisted research | United States |
Hosting and infrastructure
| Vendor | Function | HQ / Location |
|---|---|---|
| Vercel | Site hosting; also provides Vercel Analytics and Speed Insights | United States (EU edge regions available) |
| Cloudflare | Edge workers and CDN | Global anycast network |
| Neon | Postgres database | EU (region-configurable) |
| Resend | Transactional email | United States |
| Supabase | Image storage for blog hero images | EU (region-configurable) |
Contact
For questions about this list, sub-processor due diligence, or to request copies of underlying transfer mechanisms or vendor DPAs:
Nathan O'Connor
Email: info@nathanoconnor.co.uk