Data Residency & UK GDPR Compliance
Data Residency & UK GDPR Compliance
NurtureHub is built exclusively for UK property agents and handles personal data relating to UK residents — landlords, tenants, buyers, sellers, and investors. This page documents how data residency is controlled across each sub-processor, and what configuration is required to meet your obligations under UK GDPR Chapter V (transfers to third countries).
Storage — AWS S3 / Tigris
Brand voice documents, uploaded files, and associated assets are stored in AWS S3-compatible object storage via the Tigris client (src/platform/storage/client.ts).
Required configuration
You must set the AWS_REGION environment variable explicitly in your deployment. The client will not default to a UK or EU region automatically.
| Value | Region | Recommended for |
|---|---|---|
eu-west-2 | AWS Europe (London) | UK-primary deployments ✅ |
eu-west-1 | AWS Europe (Ireland) | EU-primary deployments |
# .env / deployment config
AWS_REGION=eu-west-2
Warning: Do not leave
AWS_REGIONunset. The previous default of'auto'does not guarantee UK or EU residency and is not appropriate for production deployments handling UK resident data.
Data stored
- Brand voice documents uploaded by agents
- Any files processed through the storage pipeline
No cross-region replication is configured by default. Data remains in the configured region.
AI Processing — OpenAI
NurtureHub uses OpenAI to generate personalised nurture email sequences.
- Server location: United States (OpenAI does not offer an EU region option)
- Transfer mechanism: Reliance is placed on the EU–US Data Privacy Framework (DPF), under which OpenAI is certified, and — where required for UK transfers — Standard Contractual Clauses (SCCs) under UK GDPR Article 46
- Data minimisation: Only the data necessary to generate email content (contact category, agency brand voice context) is sent to the OpenAI API. Full contact records are not transmitted
Agencies with strict data localisation requirements should review their Data Processing Agreements (DPAs) with OpenAI and ensure their own privacy notices reflect US-based AI processing.
Email Delivery — Resend
NurtureHub uses Resend to deliver outbound emails.
- EU infrastructure: Resend operates EU-based infrastructure. Deployments targeting UK or EU data subjects should configure the Resend EU endpoint.
- Recommended action: Set the
RESEND_BASE_URL(or equivalent endpoint configuration) to the Resend EU endpoint in your deployment configuration.
Sub-processor Summary
| Sub-processor | Purpose | Data location | Transfer basis |
|---|---|---|---|
| AWS S3 / Tigris | File & document storage | eu-west-2 (London) or eu-west-1 (Ireland) — must be explicitly configured | EEA / UK adequacy |
| OpenAI | AI email generation | United States | EU–US DPF + SCCs (UK GDPR Art. 46) |
| Resend | Email delivery | EU (when EU endpoint configured) | EEA / UK adequacy |
UK GDPR Chapter V — Checklist
Before going live, confirm the following:
-
AWS_REGIONis set toeu-west-2oreu-west-1in all deployment environments - Resend is configured to use its EU endpoint
- Your agency's privacy notice discloses AI processing by OpenAI (US)
- A DPA is in place with OpenAI covering UK data subjects
- OpenAI's EU–US DPF certification has been verified for your use case
- This sub-processor list is reflected in your Records of Processing Activities (RoPA)