Sub-processors.

The third parties that touch your data, the data they see, and the region they hold it in. We notify customers in writing 30 days before a new sub-processor enters scope.

Vendor	Purpose	Data	Region
Vercel, Inc. SOC 2 Type II, ISO 27001, GDPR DPA available.	Application hosting (Next.js) + serverless function execution.	Application logs, request metadata. Customer-uploaded creative assets do not transit Vercel egress.	EU (fra1, lhr1) primary. Failover to US East under outage.
Supabase Inc. SOC 2 Type II, HIPAA-eligible, GDPR DPA available.	Primary application database (Postgres), authentication, file storage, Vault for OAuth tokens.	All structured customer data: org records, agent outputs, action logs, comments, OAuth tokens (encrypted via Vault).	eu-west-2 (London). No replication outside EU/UK.
Google Cloud (BigQuery) SOC 2 Type II, ISO 27001/27017/27018, GDPR DPA available.	Performance data warehouse — Funnel exports + derived views.	Campaign-level paid media performance, GA4 export, demographic stats. No PII.	europe-west2 (London).
Anthropic, PBC SOC 2 Type II, ISO 27001, EU SCCs in place.	Claude API for agent reasoning, AI-Read, strategy chat.	Aggregated metrics + redacted descriptions sent to the model. No customer PII; PII redaction layer strips emails, phone numbers, postcodes, names.	EU API endpoint when available, US otherwise. Zero-retention contract; no model training on customer data.
Funnel.io AB SOC 2 Type II, ISO 27001, GDPR DPA available.	Source-of-truth ingestion for paid-media platforms (Google Ads, Meta, Bing, TikTok) into BigQuery.	OAuth refresh tokens, raw platform exports.	EU.
Stripe Payments Europe Ltd. PCI-DSS Level 1, SOC 2 Type II, GDPR DPA available.	Subscription billing, setup-fee invoicing.	Billing email, organisation name, payment method (held by Stripe — never stored on Equaliser systems).	Ireland (EU).
Resend, Inc. SOC 2 Type II, GDPR DPA available.	Transactional email delivery (weekly digests, NPS surveys, alerts).	Recipient email, message body. Logs purged at 30 days.	EU.
GitHub, Inc. SOC 2 Type II, ISO 27001/27018.	Source code hosting + CI/CD. No customer data.	None — code only.	US.
PostHog Inc. SOC 2 Type II, GDPR DPA available.	Product analytics — feature usage, page-view metrics, AI Read engagement, error monitoring.	User UUID, organisation UUID, event metadata (page path, action name, latency), session-replay frames with PII masking.	EU (eu.posthog.com). Zero replication outside EU.

Storage regions in scope: EU · UK · US (failover only)

Updated 19 June 2026. Sub-processor change notifications: subscribe at legal@equaliser.co.uk.

Sub-processors.

The third parties that touch your data, the data they see, and the region they hold it in. We notify customers in writing 30 days before a new sub-processor enters scope.

Vendor	Purpose	Data	Region
Vercel, Inc. SOC 2 Type II, ISO 27001, GDPR DPA available.	Application hosting (Next.js) + serverless function execution.	Application logs, request metadata. Customer-uploaded creative assets do not transit Vercel egress.	EU (fra1, lhr1) primary. Failover to US East under outage.
Supabase Inc. SOC 2 Type II, HIPAA-eligible, GDPR DPA available.	Primary application database (Postgres), authentication, file storage, Vault for OAuth tokens.	All structured customer data: org records, agent outputs, action logs, comments, OAuth tokens (encrypted via Vault).	eu-west-2 (London). No replication outside EU/UK.
Google Cloud (BigQuery) SOC 2 Type II, ISO 27001/27017/27018, GDPR DPA available.	Performance data warehouse — Funnel exports + derived views.	Campaign-level paid media performance, GA4 export, demographic stats. No PII.	europe-west2 (London).
Anthropic, PBC SOC 2 Type II, ISO 27001, EU SCCs in place.	Claude API for agent reasoning, AI-Read, strategy chat.	Aggregated metrics + redacted descriptions sent to the model. No customer PII; PII redaction layer strips emails, phone numbers, postcodes, names.	EU API endpoint when available, US otherwise. Zero-retention contract; no model training on customer data.
Funnel.io AB SOC 2 Type II, ISO 27001, GDPR DPA available.	Source-of-truth ingestion for paid-media platforms (Google Ads, Meta, Bing, TikTok) into BigQuery.	OAuth refresh tokens, raw platform exports.	EU.
Stripe Payments Europe Ltd. PCI-DSS Level 1, SOC 2 Type II, GDPR DPA available.	Subscription billing, setup-fee invoicing.	Billing email, organisation name, payment method (held by Stripe — never stored on Equaliser systems).	Ireland (EU).
Resend, Inc. SOC 2 Type II, GDPR DPA available.	Transactional email delivery (weekly digests, NPS surveys, alerts).	Recipient email, message body. Logs purged at 30 days.	EU.
GitHub, Inc. SOC 2 Type II, ISO 27001/27018.	Source code hosting + CI/CD. No customer data.	None — code only.	US.
PostHog Inc. SOC 2 Type II, GDPR DPA available.	Product analytics — feature usage, page-view metrics, AI Read engagement, error monitoring.	User UUID, organisation UUID, event metadata (page path, action name, latency), session-replay frames with PII masking.	EU (eu.posthog.com). Zero replication outside EU.

Storage regions in scope: EU · UK · US (failover only)

Updated 19 June 2026. Sub-processor change notifications: subscribe at legal@equaliser.co.uk.