Sub-processor List
Last updated: June 2026 · Version 1.0
Please note: This list has been prepared in good faith and is pending formal legal review before launch. The live infrastructure (regions and providers) must be re-verified against the running deployment before publishing.
This is the canonical list of third-party sub-processors SectorBoard engages to provide SectorBoard. It is referenced by the Privacy Policy, the Data Processing Agreement and the Security & Trust page. Where any other page lists sub-processors, this list prevails.
Current sub-processors
| Sub-processor | Purpose | Data processed | Location | Transfer safeguard |
|---|---|---|---|---|
| Supabase | Primary database & authentication | Account, organisation, KPI and credential data (credentials encrypted) | EU (Ireland, eu-west-1) | UK/EEA — no transfer out |
| Netlify | Application hosting & CI/CD (CDN) | Served application content; request metadata | Global CDN (US-headquartered) | UK IDTA / SCCs as applicable |
| Stripe | Billing & payment processing | Billing contact + payment data (card data handled by Stripe directly) | United States | UK IDTA / SCCs; Stripe adequacy mechanisms |
| Google Workspace | Transactional email delivery | Recipient email address + email content | Global (US-headquartered) | UK IDTA / SCCs as applicable |
| Anthropic | AI processing — SectorBoard Intelligence (AI add-on) only | KPI values + organisational context (no model training on inputs) | United States | UK IDTA / SCCs as applicable |
Anthropic is engaged only for Organisations on the AI add-on. If your Organisation does not use SectorBoard Intelligence, no data is sent to Anthropic.
Changes & notifications
We give reasonable prior notice of any new or replacement sub-processor by updating this page and, where appropriate, by email. Customers may object on reasonable data-protection grounds as set out in the DPA (section 6).