GDPR-12: Introducing Our Sub-Processor DPA Register
Release: v0.1.158 | Control: GDPR-12 | Framework: GDPR
Overview
As part of our ongoing commitment to GDPR compliance, we have addressed control GDPR-12 by publishing a formal sub-processor register. Previously, third-party processors were named in the privacy policy without associated contract references or DPA confirmation. This release closes that gap in line with GDPR Article 28.
What Changed
A new Sub-Processor List page is now available at /sub-processors. It replaces the informal inline naming of processors in the privacy policy with a structured register that records:
| Field | Description |
|---|---|
| Company Name | Legal name of the sub-processor |
| Country | Country where processing takes place |
| Processing Purpose | What personal data is processed and why |
| DPA / Privacy Policy | Link to the processor's DPA or privacy policy |
| DPA Status | Confirmation that a written DPA is in place |
Sub-Processors Covered
The following processors are listed in the register:
- Google — Infrastructure and productivity services
- GitHub — Source code hosting and CI/CD
- Stripe — Payment processing
- Neon — Managed PostgreSQL database hosting
- Resend — Transactional email delivery
- Twilio — SMS and communications
Stripe, Google, and Twilio each provide self-serve online DPA acceptance. Neon, Resend, and GitHub DPAs are available via their respective legal/privacy portals.
Compliance Context
GDPR Article 28 requires that a data controller:
- Only uses processors that provide sufficient guarantees about technical and organisational measures.
- Ensures that processing by a processor is governed by a binding written contract (DPA) that sets out the subject matter, duration, nature, and purpose of the processing.
- Maintains records sufficient to demonstrate compliance.
Without a formal register, customers and client Data Protection Officers (DPOs) had no single source of truth for processor relationships. This update provides that transparency.
Impact on Customers
- DPOs and compliance teams conducting vendor assessments can now review the full list of processors and their purposes, and confirm DPA status, without raising a support request.
- Privacy policy (/privacy) has been updated to link directly to the sub-processor register.
- No changes to data flows, processing activities, or application functionality were made as part of this release.