1. What this page is
Under UK GDPR Article 28(2), a processor that engages another processor (a "sub-processor") must do so only with the prior written authorisation of the controller. This page is that authorisation in published form — by entering or maintaining a subscription with UK Web Marketing, you authorise the sub-processors listed below. It is also the canonical reference that any signed DPA between us points to.
2. The list
| Sub-processor | Role | Residency | Data category | Transfer safeguard |
|---|---|---|---|---|
| Vercel Inc. | Static hosting + CDN + edge functions | United Kingdom — London region lhr1 | Page renders, server logs (IP, user-agent), first-party Analytics + Speed Insights telemetry | DPA + UK IDTA Addendum (for any US support routing); ISO 27001 + SOC 2 Type II |
| Cloudflare, Inc. | DNS + inbound email routing + CDN edges | European Union + United Kingdom edge POPs | DNS queries, inbound email forwarded to our mailbox | DPA + UK IDTA Addendum; ISO 27001 |
| Resend, Inc. | Outbound transactional + newsletter email | European Union (EU region) | Recipient email, message content, send/open metadata | DPA; EU-resident infrastructure by selection |
| Stripe Payments Europe Ltd. | Subscription billing + fraud prevention | Republic of Ireland | Cardholder data (held by Stripe, not us), email, billing address | DPA + UK IDTA Addendum (for global fraud network); PCI DSS Level 1 |
| Capsule CRM (Zestia Ltd.) | CRM (Growth + Bespoke tiers only) | United Kingdom (Manchester, UK-hosted) | Client + lead contact records | DPA; UK data controller |
| Plausible Analytics | Analytics (only on client sites that opt in) | European Union (Germany) | Aggregated, anonymised visit counts — no personal data | DPA; cookieless by design; not used on ukwebmarketing.com itself |
| Plain | Helpdesk (Bespoke tier bolt-on) | United Kingdom (London-based) | Support tickets, message content, end-user email | DPA; UK data controller |
| Proton Mail | Real mailboxes (£15/inbox/mo bolt-on, any tier) | Switzerland | Email content for named mailboxes | DPA; Swiss data-protection adequacy (UK and EU recognised) |
3. International transfers
Our default architecture keeps personal data on UK or EU infrastructure. Three vendors routinely operate global networks: Cloudflare (DNS + edge), Stripe (fraud prevention), and Vercel (support routing). For each, transfers outside the UK and EEA are protected by the UK International Data Transfer Agreement / Addendum to the EU SCCs (or an equivalent safeguard — UK adequacy regulations where they exist).
Proton Mail is Swiss-resident. The UK recognises Switzerland under adequacy regulations — no IDTA needed.
4. Notification of changes
Before we add a new sub-processor that will process your personal data, we will give you at least 30 days' written notice by email to the address on file. The notice will include the sub-processor's name, role, residency, data category, and transfer safeguard. You may object on reasonable data-protection grounds within that window; if we can't accommodate your objection, you may terminate the subscription with a pro-rata refund of any prepaid Fees covering the period after termination.
To subscribe to sub-processor change notifications without being a current client, email hello@ukwebmarketing.com with the subject "Subscribe to sub-processor changes".
5. Audit + verification
Each sub-processor listed above has a Data Processing Agreement in place with us; we hold copies of their published security certifications (ISO 27001, SOC 2, PCI DSS) where applicable. Clients on Growth and Embedded tiers may request copies of the signed DPAs we hold — email hello@ukwebmarketing.com and we'll respond within 5 working days.
6. Related documents
Data Processing Agreement · Privacy Policy · Cookie Policy · EU-sovereign compliance posture · All legal documents
7. Changelog
- v1.0 — 2026-06-03 — promoted from a section of
/complianceto a standalone canonical disclosure, with transfer safeguards added per-vendor.