Sub-processors
Version 1.2
Last updated: 2 June 2026
Next review: 2 September 2026
This page lists the third-party sub-processors I use to deliver services to clients under my Data Processing Agreement (DPA). Not every sub-processor is engaged on every project — the relevant set depends on the agreed Services and the tools the Data Controller already operates.
Change notification
I review this list quarterly and update it whenever sub-processors change. Existing clients will be notified by email at least 30 days before any new sub-processor is engaged or an existing one is replaced. Clients may object on reasonable data-protection grounds within 30 days of notification. If a reasonable objection cannot be resolved, the affected Services may be terminated without penalty (see §8 of the DPA).
To receive change notifications, email info@nathanoconnor.co.uk with the subject “Sub-processor notifications”.
International transfers
Where Personal Data is transferred outside the United Kingdom, transfers are governed by the applicable transfer mechanism in each sub-processor's own Data Processing Agreement, typically one of:
- An Adequacy decision by the UK government (covers the EEA and a limited list of other countries)
- The UK International Data Transfer Agreement (UK IDTA)
- The European Commission's Standard Contractual Clauses (SCCs) with the UK Addendum issued by the ICO
Copies of the applicable transfer mechanism for any individual sub-processor are available on reasonable request.
Current sub-processors
Vendors are grouped by function. Headquarters and data location reflect the vendor's public disclosures at the time this page was last reviewed.
CRM and contact management
| Vendor | Function | HQ / Location | Transfer mechanism |
|---|---|---|---|
| Twenty CRM | CRM and contact management | EU / UK (self-hosted) | Adequacy (EU/UK hosted) |
| CallTrackingMetrics | Call attribution (where deployed on client sites) | United States | UK IDTA / SCCs + UK Addendum |
Ad platforms (independent controllers — see note)
| Vendor | Function | HQ / Location | Transfer mechanism |
|---|---|---|---|
| Google Ads | Search, display, and conversion tracking | United States (global infrastructure) | UK IDTA / SCCs + UK Addendum (controller-to-controller) |
| Meta Ads | Conversion tracking and audience matching | United States / Ireland | UK IDTA / SCCs + UK Addendum (controller-to-controller) |
| LinkedIn Ads | B2B advertising and audience matching | United States / Ireland | UK IDTA / SCCs + UK Addendum (controller-to-controller) |
| Microsoft Ads | Search and conversion tracking | United States | UK IDTA / SCCs + UK Addendum (controller-to-controller) |
| TikTok Ads | Conversion tracking and audience matching | United States / Ireland / Singapore | UK IDTA / SCCs + UK Addendum (controller-to-controller) |
Analytics and tag management
| Vendor | Function | HQ / Location | Transfer mechanism |
|---|---|---|---|
| Google Tag Manager (client and server-side) | Tag orchestration | United States (global infrastructure) | UK IDTA / SCCs + UK Addendum |
| Google Analytics 4 | Web analytics | United States | UK IDTA / SCCs + UK Addendum |
| Matomo | Privacy-friendly analytics (consent-gated) | EU / self-hosted | Adequacy (EU/UK hosted) |
Consent management
| Vendor | Function | HQ / Location | Transfer mechanism |
|---|---|---|---|
| CookieYes | Google-certified Consent Management Platform; IAB TCF signalling | United Kingdom | Adequacy (UK) |
Automation
| Vendor | Function | HQ / Location | Transfer mechanism |
|---|---|---|---|
| n8n | Workflow automation | Self-hosted / EU | Adequacy (EU/UK hosted) |
AI tools
| Vendor | Function | HQ / Location | Transfer mechanism |
|---|---|---|---|
| Anthropic (Claude API) | AI content audits and analysis | United States | UK IDTA / SCCs + UK Addendum |
| Perplexity | AI-assisted research | United States | UK IDTA / SCCs + UK Addendum |
| ElevenLabs | Conversational AI voice assistant on this website (processes visitor microphone audio only after the visitor clicks to start and grants microphone permission) | United States | UK IDTA / SCCs + UK Addendum |
Hosting and infrastructure
| Vendor | Function | HQ / Location | Transfer mechanism |
|---|---|---|---|
| Vercel | Site hosting; also provides Vercel Analytics and Speed Insights | United States (EU edge regions available) | UK IDTA / SCCs + UK Addendum |
| Cloudflare | Edge workers and CDN | Global anycast network | UK IDTA / SCCs + UK Addendum |
| Neon | Postgres database | EU (region-configurable) | Adequacy (EU/UK hosted) |
| Resend | Transactional email | United States | UK IDTA / SCCs + UK Addendum |
| Supabase | Image storage for blog hero images | EU (region-configurable) | Adequacy (EU/UK hosted) |
Note on ad platforms
Google Ads, Meta, LinkedIn, Microsoft Ads, and TikTok are listed here for transparency, but in most engagements they operate as independent data controllersfor conversion measurement and advertising, not as sub-processors acting on the client's behalf. Each determines the purposes and means of its own processing under its own terms with the advertiser and the end user. The relationship is therefore typically controller-to-controller, governed by the relevant platform's Data Processing Terms, and the transfer mechanism shown above reflects that.
Note on Anthropic (Claude API)
Per Anthropic's Commercial Terms of Service, inputs and outputs submitted to the Claude API are not used to train Anthropic's models. Anthropic retains operational logs for a limited period (typically up to 30 days) for safety and abuse monitoring, then deletes them. The free audit tools send URL content and extracted text only — no customer-relationship data is sent to the Claude API.
Note on ElevenLabs (voice assistant)
The optional voice assistant on this website is powered by ElevenLabs. It is off by default: nothing connects and the microphone is never accessed until a visitor explicitly clicks to start and grants browser microphone permission. While a conversation is active, the visitor's speech is streamed to ElevenLabs to generate the assistant's responses. No account is required and the assistant does not ask for sensitive personal data. See the Privacy Policy for the lawful basis and retention.
Contact
For questions about this list, sub-processor due diligence, or to request copies of underlying transfer mechanisms or vendor DPAs:
Nathan O'Connor
Email: info@nathanoconnor.co.uk