Legal
Subprocessors
Last updated: May 2026
What a subprocessor is
A subprocessor is any company we use to help deliver Intervyo that processes our users' personal data on our behalf. Each subprocessor is bound by a Data Processing Agreement (DPA) and may only process data for the purpose we have specified.
We list them here so users can see exactly who has access to their data and for what.
Status legend
- In use, actively processing user data today
- Approved, not yet in use, DPA signed, integration in progress
- Planned, likely to be added; DPA not yet executed
Current subprocessors
For each subprocessor we document its purpose, the data it accesses, the location of processing, the transfer mechanism (UK → non-UK), and its current status.
Infrastructure
| Subprocessor | Purpose | Location | Status |
|---|---|---|---|
| Supabase Inc. | Primary database, authentication, real-time, edge functions | EU and US regions; Intervyo runs on eu-west-1 for primary | In use |
| Cloudflare, Inc. | Edge network, DNS, R2 object storage (recordings + uploads), bot protection | Global edge; primary R2 bucket region European | In use (infrastructure); R2 approved (Block 7) |
| Vercel, Inc. | Marketing-site hosting (intervyo.co.uk, useintervyo.com Next.js apps) | US (with optional EU edge) | In use |
Payment processing
| Subprocessor | Purpose | Location | Status |
|---|---|---|---|
| Stripe Payments Europe Ltd / Stripe, Inc. | Subscription billing, payment processing, invoicing | UK + IE for UK customers; US for US customers | In use |
AI inference
These are the AI models that power feedback, scoring, generation, and Vyo.
| Subprocessor | Purpose | Location | Status |
|---|---|---|---|
| Anthropic, PBC | Claude AI for coaching, feedback, generative tools | US | In use |
| OpenAI, L.L.C. | GPT models for some generative tools, Whisper for speech-to-text | US | In use |
| Google LLC (Gemini API) | Gemini for some content generation and analysis | US | In use |
Communications
| Subprocessor | Purpose | Location | Status |
|---|---|---|---|
| Resend, Inc. | Transactional email (firm alerts, weekly digest, signup welcome) | US | In use |
| Twilio, Inc. | SMS phone verification at signup, OTP delivery | US | Approved (phone-verification rollout) |
Identity and verification
| Subprocessor | Purpose | Location | Status |
|---|---|---|---|
| Stripe Identity / Onfido | Optional government-ID verification for "Verified" badge | EU + US per provider | Planned |
Marketing and tracking
We do not currently use:
- Meta Pixel
- Google Analytics with advertising features
- LinkedIn Insight Tag
- Twitter / X conversion tag
- TikTok pixel
- Any ad-targeting third party
If we ever introduce any of these, they will be added here with at least 30 days' notice.
Data Processing Agreements
We have a signed DPA with every subprocessor in the "In use" category above. The DPA specifies:
- The purpose and scope of processing
- The categories of personal data being processed
- The duration of processing
- The technical and organisational security measures
- The subprocessor's obligations on confidentiality, breach notification, and audit
- The terms for further sub-subprocessors
- Termination and data return / deletion
For a copy of the DPA executed with a specific subprocessor, contact admin@intervyo.co.uk.
International transfers
For each subprocessor located outside the UK, we rely on one of the following transfer mechanisms:
- UK International Data Transfer Agreement (IDTA), for transfers from the UK
- Standard Contractual Clauses (SCCs), module 2 (controller-to-processor) for transfers from the EEA
- Adequacy decisions, for transfers to countries with current adequacy:
- UK → US under the UK-US Data Bridge (Data Privacy Framework adequacy)
- EEA → US under the EU-US Data Privacy Framework
- UK → EEA (no transfer mechanism needed)
- EEA → UK (no transfer mechanism needed)
Where adequacy is the primary mechanism, we maintain a parallel signed SCC / IDTA as a backup.
Notification of changes
We will update this list when we add or remove a subprocessor. Material changes (a new subprocessor with access to a new data category) trigger:
- An update to the "Last updated" date at the top
- Email notification to active users
Sub-subprocessors
Many of our subprocessors use their own subprocessors (for example, AWS or GCP infrastructure beneath the SaaS layer). Where Article 28 GDPR applies, we require our subprocessors to:
- Maintain a list of their own subprocessors
- Notify us of new sub-subprocessors with reasonable lead time
- Object-and-terminate where we cannot accept a new sub-subprocessor
The full sub-subprocessor map is large and changes frequently; per-subprocessor lists are linked from each subprocessor's own DPA / privacy policy.
Contact
For subprocessor queries, DPA copies, or to object to a specific subprocessor, contact admin@intervyo.co.uk. See also our Privacy Policy §9 and Data Retention Policy.