Sub-processors
A sub-processor is a third party that Simpled Tech Limited engages to process personal data on your behalf as part of delivering the SimpledAId service. Under Article 28 of the UK and EU GDPR, we are required to be transparent about who these parties are. Each sub-processor below processes data on our behalf under written data-processing terms that incorporate Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum (IDTA) where data leaves the UK or EEA.
We give customers advance notice of any changes to this list and the right to object to a new sub-processor before it is engaged. If you have concerns, please contact us at [email protected].
| Sub-processor | Purpose | Personal data processed | Hosting / location | Transfer safeguard |
|---|---|---|---|---|
| Supabase | Primary database and backend (stores account data, KB vectors, chat data; tenant-isolated with row-level security) | Account data, end-customer chat data | Hosted on AWS (region available on request) | SCCs + UK Addendum (Supabase DPA) |
| Cloudflare | Edge hosting (Cloudflare Pages), CDN, DNS, security and WAF | Site visitor IP addresses and technical request metadata | Global edge network; US-incorporated | SCCs + UK Addendum; EU-US DPF certified |
| OpenAI | Large language model that generates chatbot replies | Relevant conversation text (transient; used only to generate the reply) | US | SCCs + UK Addendum; EU-US DPF certified; API terms prohibit training; abuse-monitoring retention ≤30 days (zero-data-retention option available) |
| Anthropic | Large language model that generates chatbot replies | Relevant conversation text (transient; used only to generate the reply) | US | SCCs + UK Addendum; commercial terms prohibit training; 7–30-day retention (zero-data-retention option available) |
| Chatwoot | Human-handoff helpdesk and agent inbox for escalated chats | End-customer chat data, agent correspondence | Self-hosted on our own infrastructure | We control the infrastructure; no third-party sub-processor engaged for this component |
| Third-party payment provider (added when billing goes live) | Subscription billing and card processing | Customer billing data; card data (we do not store full card numbers) | To be confirmed when billing is activated | Provider DPA + SCCs / DPF |
| Microsoft 365 | Transactional and marketing email to customers | Customer name and email address | EU and UK data centres on the Microsoft cloud | Microsoft DPA + SCCs + UK Addendum; EU-US DPF certified |
| Google (Analytics 4) | Website analytics on simpledaid.com (consent-gated; does not touch customer or shopper chat data) | Pseudonymous usage and device data of site visitors | US | SCCs; Google Consent Mode; EU-US DPF certified |
| Microsoft (Clarity) | Website heatmaps and session replay on simpledaid.com (consent-gated; does not touch customer or shopper chat data) | Pseudonymous usage and session data of site visitors | US | SCCs; EU-US DPF certified; consent signal required for EEA, UK and Switzerland visitors |
Note on analytics sub-processors: Google Analytics 4 and Microsoft Clarity only process data from visitors to our own website (simpledaid.com). They do not process your customers' shopper chat data.
Note on LLM providers: Both OpenAI and Anthropic may be used to generate chatbot replies. In both cases, conversation text is sent transiently to generate a response and is not retained to train or fine-tune any AI model.
Related: Privacy Policy · Data Processing Addendum.