What this list covers
A sub-processor is a third-party service that processes personal data on hudall’s behalf. Under UK GDPR Article 28 + EU GDPR Article 28, hudall (as Processor) is required to disclose every sub-processor used in delivering the service. The list below is exhaustive at the date shown.
Tenant data is stored in the EU / UK (Supabase eu-west-2 London + Vercel lhr1 London). Several sub-processors are US-hosted; cross-border transfers rely on Standard Contractual Clauses (SCCs) under EU GDPR and the UK International Data Transfer Addendum (IDTA) where applicable. Each US sub-processor publishes their SCCs in their linked DPA.
Current sub-processors
01
Vercel, Inc.
(USA)- Purpose
- Application hosting, serverless functions, edge middleware.
- Data location
- UK — London (lhr1).
- Data processed
- Everything passing through compute: request bodies, sessions, API calls.
- Certifications
- SOC 2 Type II, ISO 27001.
- DPA
- vercel.com/legal/dpa
02
Supabase, Inc.
(USA)- Purpose
- PostgreSQL database, Storage, service-role auth.
- Data location
- EU — eu-west-2 (London, AWS).
- Data processed
- All tenant data at rest: users, agents, daily / weekly entries, audit logs, screenshot uploads.
- Certifications
- SOC 2 Type II, HIPAA-ready.
- DPA
- supabase.com/legal/dpa
03
Amazon Web Services, Inc.
(USA)- Purpose
- Underlying data centre for Supabase.
- Data location
- EU — eu-west-2 (London).
- Data processed
- All persisted tenant data (via Supabase).
- Certifications
- SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018.
- DPA
- aws.amazon.com/compliance/gdpr-center
04
Stripe Payments Europe Ltd / Stripe, Inc.
(Ireland / USA)- Purpose
- Subscription billing, payment processing.
- Data location
- Ireland + USA (EU dual-stack).
- Data processed
- Billing contact + subscription metadata. Card data is Stripe-hosted, never reaches hudall.
- Certifications
- PCI DSS Level 1, SOC 2 Type II, ISO 27001.
- DPA
- stripe.com/legal/dpa
05
Resend, Inc.
(USA)- Purpose
- Transactional email — verification, digests, reminders, PIN reset, broadcasts.
- Data location
- USA.
- Data processed
- Recipient email addresses + email bodies (may reference tenant data).
- Certifications
- SOC 2 Type II, GDPR-aligned.
- DPA
- resend.com/legal/dpa
06
Anthropic, PBC
(USA)- Purpose
- AI inference — AskAI, Insight daily exec brief, anomaly detection, sales chatbot. Models: claude-opus-4-7, claude-sonnet-4-6.
- Data location
- USA.
- Data processed
- Prompts containing tenant KPI data + agent names + scores; AI responses. Not used for model training under Anthropic's commercial API terms. Retained approx 30 days for safety review.
- Certifications
- SOC 2 Type II, ISO 27001.
- DPA
- trust.anthropic.com
07
Functional Software, Inc. (Sentry)
(USA)- Purpose
- Error monitoring (server + client).
- Data location
- EU — Germany (Sentry's German ingest).
- Data processed
- Error stack traces + request metadata. PII redacted at SDK level (sendDefaultPii: false).
- Certifications
- SOC 2 Type II, ISO 27001.
- DPA
- sentry.io/legal/dpa
08
Google Ireland Ltd — sub-processing with Google LLC (USA)
(Ireland)- Purpose
- Web analytics (Google Analytics 4) on the hudall.com marketing site.
- Data location
- EU primary, with US transfers under SCCs.
- Data processed
- Page-view events, anonymised visitor IP, device and browser metadata, referrer. Marketing-site visitors only — not tenant app users.
- Certifications
- SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018.
- DPA
- business.safety.google/adsprocessorterms/
09
Cloudflare, Inc.
(USA)- Purpose
- Email routing for inbound admin@hudall.com only.
- Data location
- USA + global edge.
- Data processed
- Inbound email metadata + body for messages addressed to admin@hudall.com. Does not handle customer or tenant email flow.
- Certifications
- SOC 2 Type II, ISO 27001.
- DPA
- cloudflare.com/cloudflare-customer-dpa
10
Tucows Domains Inc. / MelbourneIT
(Canada / Australia)- Purpose
- Domain registrar for hudall.com and admin.hudall.com.
- Data location
- Canada and Australia.
- Data processed
- WHOIS data for hudall's own registrant record only. No tenant data flows through this provider. Listed for transparency.
- Certifications
- ICANN-accredited registrar.
- DPA
- tucowsdomains.com/legal
Notification of changes
hudall will notify Customer via email or via this page at least 30 days before adding a new sub-processor. Customer may object to the addition by terminating their subscription before the new sub-processor’s processing commences.
The latest version of this list is always available at hudall.com/sub-processors.
Contact
For questions about this list or our data-protection posture, contact us at privacy@hudall.com.