Legal · Document 03 · Sub-processors

Sub-processors.

Effective16 June 2026
Version1.1
Next reviewQuarterly

Who else processes your data when you use ComplyChat, what each one does, where the data sits, and what we have put in place to keep them honest. Every sub-processor on this page has a written contract with us that imposes the same data protection obligations on them as our contract with you imposes on us, in line with Article 28(4) UK GDPR.

01

How to read this list

"Sub-processor" has a specific meaning under the UK GDPR: another organisation we engage to process personal data on your behalf, subject to written terms that flow down from our agreement with you. It does not include parties to whom we send data on our own account (our accountants, our lawyers) or parties we communicate with on operational matters that do not involve your personal data.

The list is not "vendors we use" – it is specifically those vendors that touch personal data we process on your behalf. We have grouped them by role and shown, for each, the category of data that may flow to them, where they store it, and the legal safeguard we rely on for any transfer outside the United Kingdom.

02

Current sub-processors

Microsoft Corporation (Azure)
Hosting · Transient processing
Role
Underlying cloud platform: compute, storage, networking, brief message processing and operational logging across every governed channel (our own secure web space, including the SMS-verified web room, and Microsoft Teams). The message record at rest lives in the Customer's own Microsoft 365 tenant – where the governed record lives wherever the conversation comes from, the Customer's direct relationship with Microsoft, not a sub-processing arrangement of ours.
Data categories
Customer Data in transit and operational state: governed message content during capture and processing, metadata, identifiers and audit logs.
Location of processing
United Kingdom only – UK South region.
Safeguards
Microsoft's Online Services Data Protection Addendum, including ISO 27001/27017/27018 and SOC 2 attestations. No transfers outside the UK in respect of Customer Data stored in these regions.
Microsoft Azure Communication Services
Email · Calls
Role
Two jobs. First, outbound email for the marketing site (contact form delivery) and in-product notifications. Second, for organisations that switch calls on: Azure Communication Services carries voice and video calls inside the governed channel and makes the call recording — every call is recorded, both people are told before it connects, and the recording plus its transcript then transit to the organisation's own Microsoft 365, where the lasting record rests. Messaging in a governed channel does not touch ACS; Meta plays no part anywhere.
Data categories
Email: addresses and message bodies submitted via the contact form; in-product notification recipients and content. Calls (only where switched on): call audio/video in transit, the call recording and transcript while they are made and passed on, and call metadata (who called whom, when, for how long).
Location of processing
United Kingdom data location: data ACS holds at rest — including the short built-in window (up to 24 hours) it keeps a recording before hand-off — rests in the UK. Live call audio and video are carried transiently over Microsoft's global network while the call is in progress, with nothing retained; the recording and the lasting record rest in the UK and in the organisation's own Microsoft 365.
Safeguards
Microsoft's Online Services DPA applies — the same DPA and the same processor entity as the Azure and Microsoft 365 services above, not a new sub-processor. Sender domain protected with SPF and DKIM. ACS sits within Microsoft's ISO 27001/27017/27018 and SOC 2 scope.
Microsoft 365 (Exchange Online)
Operational mailboxes
Role
Shared mailboxes (enquiries@chat.org.uk, compliance@chat.org.uk) that receive correspondence from customers, prospects and data subjects.
Data categories
Sender's name, email address, and whatever they choose to put in the body of their message.
Location of processing
European Union / United Kingdom (Microsoft 365 EU Data Boundary).
Safeguards
Microsoft's Online Services DPA applies. MFA required on all administrator accounts. Access limited to staff with a legitimate need.
Twilio
SMS · One-time passcode delivery
Role
Delivers the one-time passcode text used to verify a phone number when someone opens a ComplyChat web-room channel. Twilio is in the data path only for that verification text – no governed message content passes through Twilio.
Data categories
Phone number and the one-time passcode text itself; standard delivery telemetry.
Location of processing
Twilio's global messaging infrastructure, which may process outside the United Kingdom.
Safeguards
Twilio's Data Protection Addendum, including the UK Addendum to the EU Standard Contractual Clauses for transfers outside the UK.
Stripe Payments UK Limited
Billing · Card processing · Not yet active
Role
PCI-DSS Level 1 card processing and direct debit collection for subscription fees. Card details are entered directly into Stripe-hosted elements; we never see or store them. Listed for when card billing goes live: founding-customer billing currently runs on invoice / BACS, so Stripe is not yet an active sub-processor and no Customer Data flows to it today. It will become active when we switch on card payments, and we will follow the change-notification process in section 04 before that happens.
Data categories
Billing contact name, billing email, billing address, masked payment instrument identifiers, transaction history.
Location of processing
Contracting entity is Stripe Payments UK Limited, an FCA-authorised payment institution. Stripe's processing infrastructure is global; transaction processing may take place in the United States and other Stripe regions.
Safeguards
Stripe's Services Agreement and Data Processing Addendum, including the UK Addendum to the EU Standard Contractual Clauses for any transfers outside the UK. PCI-DSS Level 1 Service Provider attestation. SOC 1, SOC 2 and ISO 27001 audited.
Microsoft Azure Application Insights (Azure Monitor)
Operational telemetry
Role
Receives application errors, performance traces, request and dependency telemetry, and basic usage metrics, so we can diagnose and fix issues quickly.
Data categories
Diagnostic logs, stack traces, request and response metadata, exception detail. We strip message content from telemetry at source and minimise personal data; some operational identifiers (such as phone numbers) may still appear in transient diagnostic logs.
Location of processing
United Kingdom only – the Application Insights workspace is provisioned in a UK Azure region alongside the rest of the platform.
Safeguards
Microsoft's Online Services DPA applies and is the same agreement that covers Azure hosting and ACS. No additional sub-processor is introduced.
Google Ireland Limited (Google Ads / gtag.js)
Advertising measurement · Consent-gated
Role
Conversion measurement on the public marketing site only – it tells us which adverts brought a visitor here. It plays no part in the product or any governed channel and never touches message content. The tag runs under Google Consent Mode v2 with consent denied by default: it sets no advertising cookies and sends no identifiers to Google unless a visitor accepts via the cookie banner.
Data categories
Only where a visitor consents: advertising/measurement cookie identifiers and basic page-interaction events for the marketing site. No Customer Data, and no message content, is ever involved.
Location of processing
Google's global infrastructure, including the United States.
Safeguards
Google Ads Data Processing Terms, including the UK Addendum to the EU Standard Contractual Clauses for transfers outside the UK. Loaded only after consent under Consent Mode v2; see our cookies notice.
03

Not sub-processors

For the avoidance of doubt, the following parties are not sub-processors of Customer Data and are listed only because reviewers sometimes ask:

04

Notification of changes

If we propose to add or replace a sub-processor that processes Customer Data, we will:

If a change is needed urgently for security reasons (for example, to terminate a sub-processor that has experienced a breach), we may make the change immediately and notify you as soon as we reasonably can.

05

Questions

For questions about this list, the contracts that underpin it, or due-diligence packs on any of the named providers, write to compliance@chat.org.uk. We try to respond within five working days.