Legal · Sub-processor register
Sub-processor register
Last updated: 2026-05-21
Sustaplates uses the third-party services listed below to deliver the platform. Each entry is a sub-processor under UK GDPR — a processor we engage to help us process your personal data. We will notify you of material changes (new sub-processor, change of region, materially different data shared) before they take effect, in line with Section 6 of our privacy policy.
If you are a tenant operator (seller or charity) and require a list of sub-processors for your own DPA, contact us at privacy@sustaplates.com.
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| DigitalOcean (provisional) ↗ | Application hosting + managed Postgres + object storage. Final UK/EU region is decided at UAT — DO London (LON1) is the leading candidate. | Every piece of personal data the platform stores at rest — account profiles, KYC documents, orders, donation records. | United Kingdom (LON1) — pending final confirmation. |
| Stripe Payments UK Ltd ↗ | Hosted checkout (Stripe Checkout). Sustaplates never sees card data — buyers are redirected to Stripe's domain to pay, then sent back. | Buyer email + minimal order metadata (order ID, amount). Card data never reaches Sustaplates servers. | United Kingdom + global (data may transit Stripe's EU/US infrastructure under SCCs). |
| Postmark (ActiveCampaign LLC) ↗ | Transactional email delivery in production (the EU region). Sustaplates falls back to a Mailpit catch-all in dev — no real send happens there. | Recipient email address + email subject + email body. | European Union (Postmark EU). |
| AWS SES (Amazon Web Services EMEA SARL) ↗ | Alternative production email provider (eu-west-2 / London). Pick at deploy time; only one of Postmark / SES is active per environment. | Recipient email address + email subject + email body. | United Kingdom (eu-west-2). |
| Cloudflare, Inc. ↗ | Bot protection (Cloudflare Turnstile) on every open form — login, signup, password reset, invitation accept, contact. | Turnstile challenge token + IP address + standard request headers. No form content. | Global edge (data may transit US infrastructure under Cloudflare's SCCs). |
| Ideal Postcodes / postcodes.io ↗ | UK postcode → coordinates lookup, used by the discovery feed and the seller / charity store geolocation. The free postcodes.io endpoint is used today; the paid Ideal Postcodes service is held in reserve for higher accuracy. | The postcode or coordinates the user enters or generates by location-share — typically a partial outward code (e.g. "SE1") plus a precise inward code if they opt in. | United Kingdom. |
| Functional Software, Inc. d/b/a Sentry ↗ | Application error monitoring + crash reporting across the frontend, backend, and AI services. Only active when the visitor accepts analytics cookies (PECR / GDPR). | Anonymised stack traces, breadcrumbs, request URLs (PII-scrubbed before send), user-agent strings. | European Union (Sentry's EU region: sentry.io/regions/de). |
| Anthropic, PBC ↗ | (Held in reserve, currently disabled by config flag.) LLM provider used as a fallback for the AI chatbot when the rule-based intent classifier doesn't match. Today the chatbot is 100% rule-based — no chat content leaves the platform. | Only the user's chatbot message text + a system prompt; no account identifiers. Sent only if `CHATBOT_LLM_FALLBACK_ENABLED=true`. | United States (Anthropic SCCs apply). |
| OpenAI, L.L.C. ↗ | (Held in reserve, currently disabled by config flag.) Alternative LLM fallback provider — same role as Anthropic above. Only one of the two is configured per environment. | Same shape as Anthropic. | United States (OpenAI SCCs apply). |
Notes
- The infrastructure provider (DigitalOcean / equivalent) is the only sub-processor that sees every category of personal data we hold. Every other provider receives a narrow slice scoped to its purpose (e.g. Stripe only sees order metadata; Sentry only sees PII-scrubbed crash data).
- Payment card data is never processed by Sustaplates or any sub-processor on our side — Stripe Checkout takes the buyer off our domain for the card-entry step. This keeps Sustaplates at PCI DSS SAQ A scope.
- Sub-processors outside the UK or EU are engaged under the European Commission's Standard Contractual Clauses (SCCs); copies available on request.