Legal · Document 03 · Sub-processors
Sub-processors.
Who else processes your data when you use Chat Compliance, what each one does, where the data sits, and what we have put in place to keep them honest. Every sub-processor on this page has a written contract with us that imposes the same data protection obligations on them as our contract with you imposes on us, in line with Article 28(4) UK GDPR.
01
How to read this list
"Sub-processor" has a specific meaning under the UK GDPR: another organisation we engage to process personal data on your behalf, subject to written terms that flow down from our agreement with you. It does not include parties to whom we send data on our own account (our accountants, our lawyers) or parties we communicate with on operational matters that do not involve your personal data.
The list is not "vendors we use" – it is specifically those vendors that touch personal data we process on your behalf. We have grouped them by role and shown, for each, the category of data that may flow to them, where they store it, and the legal safeguard we rely on for any transfer outside the United Kingdom.
Where an entry carries the "TBD" tag, it is a sub-processor that will be appointed before the service goes live for our first paying Customers, listed here in good faith so that reviewers can see the shape of the supply chain. The data category will be confirmed and the provider named when the appointment is finalised.
02
Current sub-processors
Microsoft Corporation (Azure)
Hosting · Storage · KMS
Role
Underlying cloud platform: compute, storage, networking, the archive store, customer-managed key vaulting and operational logging.
Data categories
All Customer Data, including governed message content, metadata, identifiers and audit logs.
Location of processing
United Kingdom only – UK South and UK West regions.
Safeguards
Microsoft's Products and Services Data Protection Addendum (the Online Services DPA); Azure holds ISO 27001/27017/27018 certifications and SOC 2 attestations. Customer Data in these regions is stored at rest in the United Kingdom and is not transferred outside the UK.
Microsoft Azure Communication Services
Email · WhatsApp BSP
Role
Two purposes on one Microsoft product: (a) outbound transactional email for the marketing site (contact form delivery) and in-product notifications; (b) the Meta-approved Business Solution Provider layer between Chat Compliance and the WhatsApp Business API, via ACS Advanced Messaging for WhatsApp.
Data categories
Email: addresses and message bodies submitted via the contact form; in-product notification recipients and content. WhatsApp: outbound and inbound messages routed via the Business API on the Customer's number, including content, attachments, sender phone numbers and delivery metadata.
Location of processing
United Kingdom data location for both services.
Safeguards
Microsoft's Online Services DPA applies and covers both purposes. The sending domain publishes SPF and DKIM; a DMARC policy is to follow, and until it is published receiving mail servers cannot enforce alignment on our behalf. ACS sits within Microsoft's ISO 27001/27017/27018 and SOC 2 scope.
Microsoft 365 (Exchange Online)
Operational mailboxes
Role
Shared mailboxes (enquiries@chat.org.uk, compliance@chat.org.uk) that receive correspondence from customers, prospects and data subjects.
Data categories
Sender's name, email address, and whatever they choose to put in the body of their message.
Location of processing
United Kingdom and European Union. Mailbox data for a UK tenant is stored at rest in Microsoft's UK datacentres; some supporting Microsoft 365 services process data within the EU.
Safeguards
Microsoft's Online Services DPA applies. MFA required on all administrator accounts. Access limited to staff with a legitimate need.
Meta Platforms Ireland Limited (WhatsApp Business API)
Messaging transport
Role
Operator of the WhatsApp service through which Governed Channels are delivered. Meta's role in respect of message metadata and content is complex and is governed by the WhatsApp Business Solution Terms; in places Meta acts as a processor and in places as an independent controller.
Data categories
Phone numbers and WhatsApp display names of participants; message content and metadata routed via the Business API; standard telemetry.
Location of processing
Primarily within the European Economic Area, with onward transfers to the wider Meta group as set out in Meta's published terms.
Safeguards
WhatsApp Business Solution Terms, which incorporate the EU Standard Contractual Clauses with the ICO's International Data Transfer Addendum (the UK Addendum) for any transfers outside the EEA/UK.
Stripe Payments UK Limited
Billing · Card processing
Role
PCI-DSS Level 1 card processing and direct debit collection for subscription fees. Card details are entered directly into Stripe-hosted elements; we never see or store them.
Data categories
Billing contact name, billing email, billing address, masked payment instrument identifiers, transaction history.
Location of processing
Contracting entity is Stripe Payments UK Limited, which is authorised by the FCA. Stripe's processing infrastructure is global; transaction processing may take place in the United States and other Stripe regions.
Safeguards
Stripe's Services Agreement and Data Processing Addendum, including the EU Standard Contractual Clauses with the ICO's International Data Transfer Addendum (the UK Addendum) for any transfers outside the UK. PCI-DSS Level 1 Service Provider attestation. SOC 1, SOC 2 and ISO 27001 audited.
Microsoft Azure Application Insights (Azure Monitor)
Operational telemetry
Role
Receives application errors, performance traces, request and dependency telemetry, and basic usage metrics, so we can diagnose and fix issues quickly.
Data categories
Diagnostic logs, stack traces, request and response metadata, exception detail. We strip personal data and message content from telemetry at source, including the fields where it most often leaks (exception messages, request URLs and query strings); what remains is metadata about how the system is performing, without identifiers.
Location of processing
United Kingdom only – the Application Insights workspace is provisioned in a UK Azure region alongside the rest of the platform.
Safeguards
Microsoft's Online Services DPA applies and is the same agreement that covers Azure hosting and ACS. No additional sub-processor is introduced.
03
Not sub-processors
For the avoidance of doubt, the following parties are not sub-processors of Customer Data and are listed only because reviewers sometimes ask:
- GitHub, Inc. – source code repository hosting. Holds our code, not Customer Data.
- Azure Static Web Apps – delivery of the chat.org.uk marketing site. The site itself collects no Customer Data; the contact form path is described under Azure Communication Services above.
- Our professional advisers (lawyers, accountants, auditors) – engaged on our own account, under confidentiality, and only receive personal data of named individuals where strictly necessary for their advice.
04
Notification of changes
If we propose to add or replace a sub-processor that processes Customer Data, we will:
- Update this page at least 30 days before the change takes effect;
- Notify the account administrator of each affected Customer by email;
- Give you the opportunity to object on reasonable data protection grounds. If we cannot adequately address the objection, you may terminate the affected Order Form without penalty and we will refund any fees paid in advance for the unexpired portion.
If a change is needed urgently for security reasons (for example, to terminate a sub-processor that has experienced a breach), we may make the change immediately and notify you as soon as we reasonably can.
05
Questions
For questions about this list, the contracts that underpin it, or due-diligence packs on any of the named providers, write to compliance@chat.org.uk. We try to respond within five working days.