Sub-Processor Register
Last updated: March 2026
A complete list of the third-party sub-processors that ScopeKit engages to process personal data on behalf of our customers, in accordance with UK GDPR (as amended by the Data Use and Access Act 2025) Article 28.
1. Overview
As a data processor, ScopeKit may engage third-party sub-processors to assist in providing our services. Under UK GDPR (as amended by the Data Use and Access Act 2025) Article 28, we are required to maintain a register of all sub-processors and to inform our customers of any intended changes.
This register lists all current sub-processors, including the nature of the processing they perform, the categories of personal data they may access, and the location where processing takes place. For full details of our data processing obligations and safeguards, please refer to our Data Processing Agreement.
2. Current Sub-Processors
| Sub-Processor | Purpose | Data Processed | Location / Region |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and data hosting | All platform data including user accounts, project records, documents, and database storage | EU West (London, eu-west-2) |
| Elastic Cloud | Search and analytics engine, data indexing | Indexed copies of platform data for search functionality, including customer records, quotes, projects, and user activity logs | EU (London) |
| Stripe | Payment processing and billing management | Billing contact details, payment card information (tokenised), invoicing records, subscription data | EU/US (EU data residency) |
| SendGrid (Twilio) | Transactional email delivery | Recipient email addresses, email subject lines, email content for transactional notifications (e.g. quote approvals, password resets) | US (Standard Contractual Clauses in place) |
| Mailgun (Sinch) | Email delivery service | Recipient email addresses, email content for bulk and transactional communications | EU/US (Standard Contractual Clauses in place) |
| Vonage (Ericsson) | SMS and communication services | Recipient phone numbers, SMS message content for notifications and verification codes | EU/US (Standard Contractual Clauses in place) |
| Sentry | Error monitoring and performance tracking | Application error logs, performance metrics, device and browser metadata; may incidentally include user identifiers or IP addresses | US (Standard Contractual Clauses in place) |
| Google Maps Platform | Location and mapping services | Address lookups, geocoding requests, map tile requests; may include IP addresses and approximate location data | Global (Google Cloud, Standard Contractual Clauses in place) |
| Cloudflare | CDN, DDoS protection, and DNS services | HTTP request metadata, IP addresses, TLS certificates; acts as a reverse proxy for web traffic | Global (edge network, UK and EU processing) |
| AI Language Model Provider | AI-powered quote generation and content analysis | Site photographs, project descriptions, measurements, and specifications submitted for AI analysis. Data is processed transiently and not retained by the provider for model training. | US (Standard Contractual Clauses and UK IDTA in place) |
3. International Transfer Safeguards
Where personal data is transferred outside the United Kingdom, ScopeKit ensures that appropriate safeguards are in place in accordance with UK GDPR Article 46, including:
UK Adequacy Decisions — transfers to countries or territories that the UK Secretary of State has determined provide an adequate level of data protection.
International Data Transfer Agreement (IDTA)— the UK's replacement for Standard Contractual Clauses, as approved by the ICO.
Standard Contractual Clauses (SCCs) — EU Commission-approved clauses with the UK Addendum where applicable.
Supplementary measures — additional technical and organisational safeguards such as encryption in transit and at rest, pseudonymisation, and access controls.
4. Changes to Sub-Processors
ScopeKit will provide at least 30 days' prior written notice before engaging any new sub-processor or replacing an existing one. Customers who have entered into a Data Processing Agreement with us will be notified directly of any proposed changes.
If you object to a new or replacement sub-processor on reasonable data protection grounds, please contact us within 14 days of receiving notice. We will work with you in good faith to find a mutually acceptable resolution. If no resolution can be reached, you may terminate the affected services without penalty.
5. Due Diligence
Before engaging any sub-processor, ScopeKit carries out a thorough due diligence assessment to ensure that the sub-processor:
- Can provide sufficient guarantees to implement appropriate technical and organisational measures in accordance with UK GDPR.
- Holds relevant security certifications (e.g. ISO 27001, SOC 2, PCI DSS) where applicable.
- Has appropriate data processing agreements and international transfer mechanisms in place.
- Can meet data deletion and return obligations upon termination.
6. Contact
If you have any questions about our sub-processors, wish to be notified of future changes, or would like to raise an objection, please contact our Data Protection Officer:
Data Protection Officer
Email: dpo@scopekit.co.uk
ScopeKit, 14th Floor, The Plaza, Old Hall St, Liverpool, L3 9QJ, United Kingdom
Company No. 16168944
For our full privacy practices, please see our Privacy Policy and Data Processing Agreement.