Sub-processors
Every service that processes personal data on our behalf, plus the safeguards that protect transfers outside the UK/EEA. 30 days' email notice before changes.
Sub-processors — RentersActReady
Last updated: 24 April 2026.
This page lists the sub-processors Crocker Digital Ltd uses to deliver the RentersActReady service. UK GDPR Article 28(2) requires prior authorisation from the Customer (as controller) for each sub-processor. By using RentersActReady you authorise the sub-processors listed below under the general authorisation at DPA §5.1 (the DPA auto-attaches to every business account through our Terms of Service — there is no signup-time acceptance click).
We commit to giving you 30 days' notice by email before adding or replacing a sub-processor. If you object, you may terminate the affected service under clause 5 of the DPA.
Current sub-processors
| Sub-processor | Role | Data categories | Processing location |
|---|---|---|---|
| Supabase Inc. (Delaware, USA) | Managed Postgres + Auth + Storage + Row-level security infrastructure | Profile + account data, readiness assessments, property + tenancy details, uploaded documents, audit logs, RLS-scoped | UK (London) — eu-west-2 region. Some administrative metadata (e.g. billing, support) may be processed by Supabase Inc. in the USA under its Data Processing Addendum + Standard Contractual Clauses / UK IDTA. |
| Stripe Payments UK Ltd (United Kingdom, FCA-authorised) | Subscription billing, payment processing, Customer Portal | Name, billing email, payment method (tokenised — we never see PAN), subscription + invoice records | UK contracting entity; Stripe group support operations may process data in the EU and USA under its DPA + UK Addendum to EU SCCs. PCI-DSS Level 1. |
| Netlify Inc. (California, USA) | CDN, edge functions, serverless backend (including scheduled crons + webhook handlers) | Request logs, function execution metadata, IP addresses (short-term retention for abuse mitigation) | USA; covered by Data Processing Addendum + Standard Contractual Clauses + UK IDTA |
| Resend Inc. (Delaware, USA) | Transactional + service-notification email delivery (lifecycle + digest + regulatory update) | Recipient email, message content, delivery metadata | USA; covered by Data Processing Addendum + Standard Contractual Clauses + UK IDTA |
| Functional Software Inc. ("Sentry") (California, USA) | Error + performance diagnostics | Request context, stack traces; PII scrubbed from events before capture | EU — de.sentry.io region is selected for this project. Sentry's own DPA + SCCs apply; the contracting entity is the US parent. |
| Upstash Inc. (California, USA) | Rate limiting (ephemeral Redis for per-IP + per-user quotas) | IP addresses + user ids with short TTL (minutes) | EU (Ireland) — eu-west-1 |
| Cloudflare Inc. (California, USA) | Turnstile bot challenge on signup + login | Device fingerprint token, IP address (seen by Cloudflare only) | Global edge; GDPR-compliant per Cloudflare's standard DPA |
| Microsoft Ireland Operations Limited (Microsoft 365) | Shared support mailbox hosting | Inbound support emails, replies | EU (UK region); Microsoft's Online Services DPA |
| GoatCounter (Martin Tournoij — managed service) | Cookie-free privacy-friendly analytics | Page URL, referrer, country, browser family — no cookies, no personal identifiers | EU |
How transfers outside the UK/EEA are protected
Every sub-processor operating outside the UK/EEA is covered by one of:
- The International Data Transfer Agreement issued by the ICO on 2 February 2022, or
- The UK Addendum to the European Commission's Standard Contractual Clauses,
in each case incorporated into our contract with the sub-processor. We have completed a transfer-risk assessment for each such transfer and a summary is available on request to privacy@rentersactready.co.uk.
Change notification
New sub-processors are announced via email to the primary email address on your account, at least 30 days before processing begins. Historical changes are appended to this page rather than overwritten.
Change log
| Date | Change |
|---|---|
| 2026-04-22 | Initial public sub-processor list published. |
| 2026-04-23 | Reconciliation pass: Supabase region corrected to UK (London) eu-west-2 (matching live project metadata); Stripe entity aligned to Stripe Payments UK Ltd (matching Terms + DPA); Sentry region narrowed to EU de.sentry.io (matching DSN); duplicate Sentry row removed; Microsoft legal entity specified as Microsoft Ireland Operations Limited. No new sub-processor added. |
| 2026-04-23 (PM) | Second reconciliation pass (cohesive review P1 #3/#6): Upstash region corrected to EU (Ireland) eu-west-1 (verified via Upstash API — prior "Frankfurt" label was legacy); GoatCounter attribution corrected to "Martin Tournoij — managed service" (prior "self-hosted by Crocker Digital" was factually incorrect; analytics beacons target rentersactready.goatcounter.com). No new sub-processor added. |
Crocker Digital Ltd, Company No. 17008789. ICO registration ZC128626. Contact: privacy@rentersactready.co.uk.