Skip to content

Sub-processors

Last updated: 2026-06-23

Last updated: 23 June 2026.

This page lists the sub-processors Crocker Digital Ltd uses to deliver the CompanyMinder service. UK GDPR Article 28(2) requires prior authorisation from the Customer (as controller) for each sub-processor. By using CompanyMinder you authorise the sub-processors listed below under the general authorisation at DPA §5.1 (the DPA auto-attaches to every business account through our Terms of Service — there is no signup-time acceptance click).

We commit to giving you 30 days' notice by email before adding or replacing a sub-processor. If you object, you may terminate the affected service under clause 5 of the DPA.

Current sub-processors

Sub-processor Role Data categories Processing location
Supabase Inc. (Delaware, USA) / Supabase Ltd (UK) Managed Postgres + Auth + Storage + Row-level security infrastructure Profile + account data, statutory registers (directors, secretaries, PSCs, shareholders), generated documents, audit logs — RLS-scoped UK (London) — eu-west-2 region. Some administrative metadata (e.g. billing, support) may be processed by Supabase Inc. in the USA under its Data Processing Addendum + Standard Contractual Clauses / UK IDTA.
Stripe Payments Europe, Limited (Dublin, Ireland — EU contracting entity) Subscription billing, payment processing, Customer Portal Name, billing email, payment method (tokenised — we never see PAN), subscription + invoice records EU (Ireland) primary; Stripe group support operations (Stripe, Inc. / Stripe LLC, US) may process data in the USA under its DPA + UK Addendum to EU SCCs. PCI-DSS Level 1.
Plus Five Five, Inc. (operating as Resend; San Francisco, USA) Transactional + service-notification email delivery (deadline reminders, password resets, billing + account notices) Recipient email, message content, delivery metadata USA; covered by Data Processing Addendum + Standard Contractual Clauses + UK IDTA
Functional Software Inc. ("Sentry") (California, USA) Error + performance diagnostics Request context, stack traces; PII scrubbed from events before capture EU — de.sentry.io region is selected for this project. Sentry's own DPA + SCCs apply; the contracting entity is the US parent.
Upstash Inc. (California, USA) Rate limiting (ephemeral Redis for per-IP + per-user quotas) IP addresses + user ids with short TTL (minutes) EU (Ireland) — eu-west-1
Netlify Inc. (California, USA) CDN, edge functions, serverless backend (including scheduled crons + webhook handlers) Request logs, function execution metadata, IP addresses (short-term retention for abuse mitigation) USA with EU edge; covered by Data Processing Addendum + Standard Contractual Clauses + UK IDTA
Cloudflare Inc. (California, USA) Turnstile bot challenge on signup + other sensitive forms Device fingerprint token, IP address (seen by Cloudflare only) Global edge; GDPR-compliant per Cloudflare's standard DPA
GoatCounter (Martin Tournoij — managed service) Cookie-free privacy-friendly analytics Page URL, referrer, country, browser family — no cookies, no personal identifiers EU
Microsoft Ireland Operations Limited (Microsoft 365) Shared support mailbox hosting (support@companyminder.co.uk) Inbound support emails, replies EU (Ireland); Microsoft's Online Services DPA

Note on US management-plane access. Several sub-processors above are operated by US-headquartered entities (Supabase, Upstash) whose engineers may exercise management-plane access to data resident in EU/UK regions for the purposes of operating, maintaining, and supporting the underlying infrastructure. Such transfers are governed by the EU Standard Contractual Clauses (2021, Module 2) and the UK International Data Transfer Addendum / IDTA in each provider's DPA. See our Data Processing Agreement Schedule 3 and Privacy Policy for full transfer-mechanism detail per sub-processor.

How transfers outside the UK/EEA are protected

Every sub-processor operating outside the UK/EEA is covered by one of:

  • The International Data Transfer Agreement issued by the ICO on 2 February 2022, or
  • The UK Addendum to the European Commission's Standard Contractual Clauses,

in each case incorporated into our contract with the sub-processor. We have completed a transfer-risk assessment for each such transfer and a summary is available on request to support@companyminder.co.uk.

Change notification

New sub-processors are announced via email to the primary email address on your account, at least 30 days before processing begins. Historical changes are appended to this page rather than overwritten.

Change log

Date Change
2026-06-23 Initial public sub-processor list published, reconciled with DPA Schedule 3 and the Privacy Policy.

Crocker Digital Ltd, Company No. 17008789. Contact: support@companyminder.co.uk.