Subprocessors and Data Processors
Last Updated: October 7, 2025
Effective Date: October 7, 2025
Introduction
This page provides detailed information about all third-party service providers (subprocessors) that process data on behalf of Review Runner. All subprocessors listed below are contractually bound to GDPR-equivalent data protection standards through Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) where applicable.
For information about how we use your data and your privacy rights, please see our Privacy Policy.
Why We Share This Information
Under UK GDPR Article 28, we are required to:
- Maintain records of all subprocessors
 - Ensure appropriate safeguards are in place
 - Provide transparency about data processing activities
 - Give you the opportunity to object to changes
 
Data Storage Infrastructure
Primary Data Storage
Supabase (supabase.com)
Purpose: PostgreSQL database hosting (primary data store)
Company: Supabase, Inc. (United States)
Data Location: AWS eu-west-2 (London, UK)
Data Stored:
- All business account information
 - Customer contact records
 - Review request campaigns
 - User accounts and authentication data
 - System events and audit logs
 - Suppression lists
 
Safeguards:
- Data hosted in UK (London)
 - Encryption at rest (AES-256)
 - Encryption in transit (TLS 1.3)
 - SOC 2 Type II certified
 - ISO 27001 certified
 - Regular security audits
 
Documentation: https://supabase.com/security
Underlying Infrastructure: Amazon Web Services (AWS) eu-west-2
Note: While Supabase is a US company, all data is physically stored and processed in UK data centers under UK data protection laws.
Application Hosting
Vercel (vercel.com)
Purpose: Application hosting, edge caching, CDN
Company: Vercel Inc. (United States)
Data Location: AWS eu-west-1 (Dublin, Ireland)
Data Processed:
- Application code and static assets
 - Cached API responses
 - Deployment logs
 - Edge function execution logs
 - Performance metrics
 
Safeguards:
- Data hosted in EU (Dublin)
 - Standard Contractual Clauses
 - SOC 2 Type II certified
 - Encryption at rest and in transit
 - Edge network security
 
Documentation: https://vercel.com/legal/privacy-policy
International Transfer: Yes - Vercel is a US company subject to US jurisdiction
Transfer Mechanism: Standard Contractual Clauses (SCCs)
Message Queue
Upstash (upstash.io)
Purpose: Redis message queue for background job processing
Company: Upstash, Inc. (United States)
Data Location: AWS eu-west-1 (Dublin, Ireland)
Data Processed:
- Scheduled message delivery jobs
 - Background task queue data
 - Job processing results
 - Retry attempt information
 - Job metadata (timestamps, status)
 
Safeguards:
- Data hosted in EU (Dublin)
 - Encryption in transit (TLS 1.3)
 - Encryption at rest
 - Isolated Redis instances per customer
 - Automatic data expiration (jobs purged after completion)
 
Documentation: https://upstash.com/docs/common/help/security
International Transfer: Yes - Upstash is a US company
Transfer Mechanism: Data hosted in EU infrastructure with appropriate contractual safeguards
Communication Services
SMS Delivery
Twilio (twilio.com)
Purpose: SMS message delivery for review requests
Company: Twilio Inc. (United States)
Headquarters: San Francisco, California, USA
Data Processed:
- Customer phone numbers (UK mobile numbers)
 - SMS message content (review request text)
 - Message delivery status
 - Delivery timestamps
 - Opt-out (STOP) requests
 - Message logs and metadata
 
Safeguards:
- Standard Contractual Clauses (SCCs)
 - GDPR-compliant Data Processing Agreement
 - Encryption in transit (TLS 1.2+)
 - SOC 2 Type II certified
 - ISO 27001 certified
 - Message content not stored by Twilio after delivery
 - Opt-out management and suppression list sync
 
International Transfer: Yes - Data processed in US and transits carrier networks globally
Transfer Mechanism: Standard Contractual Clauses (SCCs)
Data Retention: Message content not retained after delivery; message logs retained 30-90 days; opt-out records retained indefinitely
Email Delivery
SendGrid by Twilio (sendgrid.com)
Purpose: Email delivery for review requests
Company: Twilio Inc. (United States) - SendGrid Division
Headquarters: San Francisco, California, USA
Data Processed:
- Customer email addresses
 - Email content (review request messages)
 - Email subject lines
 - Engagement data (opens, clicks, bounces, spam complaints, unsubscribes)
 - Delivery timestamps and status
 
Safeguards:
- Standard Contractual Clauses (SCCs) via Twilio DPA
 - GDPR-compliant Data Processing Agreement
 - Encryption in transit (TLS 1.2+)
 - SOC 2 Type II certified
 - Email authentication (SPF, DKIM, DMARC)
 - Suppression list management
 - Unsubscribe link enforcement
 
International Transfer: Yes - SendGrid is owned by US-based Twilio Inc.
Transfer Mechanism: Standard Contractual Clauses (SCCs)
Data Retention: Email content not retained after delivery; engagement events retained for 90 days; suppression lists retained indefinitely
Business Information Services
Google Cloud Platform (cloud.google.com)
Purpose: Business verification and location data
Company: Google LLC (United States)
Headquarters: Mountain View, California, USA
Services Used:
- Google Places API - Business information and review data
 - Google Fonts API - Web font delivery for application
 
Safeguards:
- Google Cloud Data Processing Agreement with Standard Contractual Clauses
 - Encryption in transit (TLS 1.3)
 - ISO 27001, SOC 2, SOC 3 certified
 - Data minimization (only necessary queries made)
 - API key restrictions (limited to our domains/IPs)
 - Request rate limiting
 
International Transfer: Yes - Google is a US company with global infrastructure
Transfer Mechanism: Standard Contractual Clauses (SCCs)
Authentication Services
Clerk (clerk.com)
Purpose: User authentication, session management, access control
Company: Clerk, Inc. (United States)
Headquarters: San Francisco, California, USA
Data Processed:
- User email addresses
 - User passwords (hashed and salted - never plaintext)
 - Session tokens and JWT claims
 - User profile information (name, business ID)
 - Authentication logs (login attempts, timestamps)
 - Multi-factor authentication data (if enabled)
 - OAuth connection data (if third-party login used)
 
Safeguards:
- Standard Contractual Clauses (SCCs)
 - Data Processing Agreement
 - Passwords hashed with bcrypt (never stored in plaintext)
 - SOC 2 Type II certified
 - Encryption at rest and in transit
 - Rate limiting on authentication attempts
 - Automatic session expiration
 - Suspicious login detection
 
International Transfer: Yes - Clerk is a US company
Transfer Mechanism: Standard Contractual Clauses (SCCs)
Data Retention: Active accounts retained while active; authentication logs typically 90 days; deleted accounts purged within 30 days
Marketing and Analytics (Marketing Website Only)
The following services are used only on our marketing website (reviewrunner.co.uk), not within the Review Runner application itself. These services require user consent via our cookie consent banner.
Website Analytics
Google Analytics / Google Tag Manager
Purpose: Website traffic analysis and tag management
Company: Google LLC (United States)
User Control:
- Requires consent - Not loaded until user accepts analytics cookies
 - Users can opt out via cookie banner or browser settings
 - IP anonymization enabled
 - Data retention set to 14 months (minimum)
 
Vercel Analytics
Purpose: Privacy-friendly website performance monitoring
Company: Vercel Inc. (United States)
User Control:
- No cookies used - Privacy-friendly analytics
 - No personal identifiers collected
 - Data anonymized by default
 
Advertising and Remarketing
The following advertising services require user consent and are not loaded until users accept advertising cookies via our cookie banner.
- Meta Pixel (Facebook) - Conversion tracking and targeted advertising
 - LinkedIn Insight Tag - B2B advertising and conversion tracking
 - Google Ads / Google Remarketing - Search advertising and conversion tracking
 
Subprocessor Changes
Notification Process
If we add, remove, or change subprocessors, we will:
- Update this page with new information
 - Update the "Last Updated" date at the top
 - Notify you via email at least 30 days before the change takes effect (for material changes)
 - Provide opportunity to object to the new subprocessor
 
Your Right to Object
If you object to a new subprocessor:
- Email us at matt@review-runner.co.uk within 30 days of notification
 - We will work with you to find an alternative solution
 - If no alternative is acceptable, you may terminate your account without penalty
 
Compliance and Audits
Our Commitments
We ensure all subprocessors:
- Maintain appropriate technical and organisational security measures
 - Honour Standard Contractual Clause obligations
 - Process data only as instructed by Review Runner
 - Facilitate data subject rights requests (access, deletion, etc.)
 - Notify us promptly of any data breaches
 - Allow audits of their data processing activities
 
Audit Rights
You have the right to request:
- Copies of Data Processing Agreements
 - Copies of Standard Contractual Clauses
 - Evidence of subprocessor compliance
 - Transfer Impact Assessments (TIAs)
 
To exercise these rights, contact us at matt@review-runner.co.uk.
Data Processing Hierarchy
Understanding the data flow (see our Privacy Policy for more details on how we process data):
You (Data Controller)
    ↓
Review Runner (Data Processor)
    ↓
├─ Supabase (Sub-processor) → AWS (Infrastructure)
├─ Twilio (Sub-processor) → Mobile Carriers
├─ SendGrid (Sub-processor) → Email Providers
├─ Clerk (Sub-processor)
└─ Google Cloud (Sub-processor)
Your Role: Data Controller for your customer data
Our Role: Data Processor acting on your instructions
Subprocessors: Sub-processors acting on our instructions
Questions or Concerns
If you have questions about our subprocessors or data processing practices, please contact us:
Email: matt@review-runner.co.uk
Subject Line: "Subprocessor Inquiry"
We aim to respond to all inquiries within 5 business days.