We use a small number of carefully-selected sub-processors to deliver the Supplio platform. This page is the live, authoritative list. Updates take effect 30 days after this page is updated, in accordance with section 5 of our Data Processing Addendum.
To receive email notifications when this list changes, email privacy@supplio.co.uk with the subject "Sub-processor notifications — subscribe" and tell us the email address to use.
Current sub-processors
| Sub-processor | Service provided | Data processed | Region | Transfer safeguard |
|---|---|---|---|---|
| Stripe Payments Europe, Ltd. and affiliates | Subscription billing, payment processing, payment-method storage, invoice generation, fraud screening, checkout cookies. | Cardholder name, billing email, billing address, payment-method details, IP address, device data, subscription metadata (organisation ID, plan ID). | Ireland (controller for EEA / UK acquiring) with onward processing in the United States by Stripe, Inc. | UK International Data Transfer Addendum to the EU SCCs for UK → US transfers; EU SCCs for EEA → US transfers; PCI-DSS Level 1. |
| Resend Inc. | Transactional email delivery for contact-form responses sent from the marketing site. | Recipient email, sender email, subject, message body and attachments as entered into the contact form. | United States. | UK Addendum to the EU SCCs / EU SCCs; encryption of message content in transit. |
| Cloudflare, Inc. | Content delivery network, DDoS protection and TLS termination for supplio.co.uk and app.supplio.co.uk. | IP address, request headers, user-agent, request paths, cookies (passed through), TLS handshake metadata. | Global edge network. Primary processing in the United States with EU/UK edge nodes. | UK Addendum to the EU SCCs / EU SCCs; logs minimised; Cloudflare is a signed Data Privacy Framework participant where applicable. |
| Hosting & infrastructure provider (cloud and managed PostgreSQL) | Compute, storage, managed PostgreSQL databases and object storage hosting the Supplio platform and its data. | All personal data processed by Supplio, including account data, billing references, supplier and supplier-portal data, Customer Data uploaded into the platform, and operational logs. | United Kingdom and/or European Economic Area. The specific region is confirmed in the order form; Enterprise customers may select UK-only data residency. | Provider-level encryption at rest (AES-256 or equivalent), TLS in transit, role-based access. Adequate-region storage by default; where any onward transfer to a third country is required, the UK Addendum / EU SCCs apply. |
| Object storage provider (file uploads) | Storage of documents, certificates, logos and other files uploaded to the Supplio platform. | Uploaded files and their metadata (filename, MIME type, size, uploader identifier, upload timestamp). | United Kingdom or European Economic Area. | Server-side encryption at rest, signed URL access, audit logging via internal storage-event ledger. |
| SMTP / transactional email provider for in-platform email | Delivery of platform emails: supplier invitations, user invitations, password resets, notifications. | Recipient email, sender email, subject line, HTML body containing names, organisation name, invite link tokens, custom message. | United Kingdom or European Economic Area where available; otherwise the provider's primary region with the safeguards below. | TLS for SMTP submission and delivery; UK Addendum / EU SCCs for any onward transfer to a third country. |
| Cloudflare, Inc. — Pwned Passwords API | Privacy-preserving check on whether a candidate password hash appears in known breach corpora (k-anonymity model — only the first five characters of the SHA-1 hash are sent). | The first five hexadecimal characters of the SHA-1 hash of the candidate password. | United States (edge-cached globally). | The five-character prefix is not personal data on its own (covers ~1,000 candidate passwords); no account identifier is sent with the request. |
| Photon (komoot GmbH) and postcodes.io | Address autocomplete and UK postcode validation used during supplier and organisation onboarding. | The partial address string typed by the user. No account identifier is sent with the request. | Germany (Photon) / United Kingdom (postcodes.io). | Adequate jurisdictions; the request itself is the user's search string and does not identify the searcher. |
Affiliates and infrastructure detail
Some sub-processors above operate through affiliates within the same group (for example, Stripe Payments Europe, Ltd. and Stripe, Inc.). References to a sub-processor include its affiliates that are necessary to deliver the relevant service.
The specific hosting region and object-storage provider used for an Enterprise customer is confirmed in the relevant order form. Self-serve customers (Starter, Growth, Scale plans) are hosted in the default region described in the DPA.
Changes to this list
We will give at least 30 days' advance notice on this page of any new or replacement sub-processor that processes Customer Personal Data, except where a shorter notice period is necessary to address a security or legal need (in which case we will explain the reason and give as much notice as is reasonable).
Questions
Sub-processor questions? Email privacy@supplio.co.uk.