Sub-Processor List

Last updated: 9 April 2026

Under UK GDPR Article 28, we are required to disclose the third-party sub-processors that process personal data on our behalf. This page provides full transparency about who processes your data, what data they receive, and where processing occurs.

Key commitments: All sub-processors are contractually prohibited from using your data for AI model training. All sub-processors must delete data after processing. We notify customers at least 30 days before adding new sub-processors.

AI Model Providers

Company	Service	Data Received	Location
Anthropic (via AWS Bedrock)	Claude AI model inference (Haiku, Sonnet)	Query text, extracted document text, conversation context	EU (eu-west-2, London)

Does NOT receive: Your original documents (processed locally in your browser), personal details, payment information
Training: Your data is NEVER used to train AI models — contractually guaranteed under AWS Bedrock terms
Retention: Queries are processed in real-time and not stored by Anthropic beyond the inference request

Cloud Infrastructure

Company	Service	Data Received	Location
Amazon Web Services (AWS)	Bedrock AI inference, application hosting	Query text for AI processing	EU (eu-west-2, London)
Railway	Application hosting (frontend + backend)	Application logs, deployment data	EU (europe-west4)
MongoDB Atlas	Database hosting	User accounts, conversation metadata, token usage	EU

Search Providers

Company	Service	Data Received	Location
Brave Search	Web search API for legal research	Search queries (derived from your questions, not raw input)	EU/US
National Archives	UK Case Law API (court judgments)	Search queries only	United Kingdom
legislation.gov.uk	UK legislation search API	Search queries only	United Kingdom

Brave Search: Privacy-first search engine with independent index. Does not track or log API queries. SOC 2 Type II certified.
National Archives & legislation.gov.uk: UK Government services. Open data under Open Justice / Open Government licence.

Payment Processing

Company	Service	Data Received	Location
Stripe	Subscription billing, payment processing	Name, email, payment card details, billing address	EU/UK (with UK adequacy decision)

Does NOT receive: Chat content, documents, legal data, or any AI-processed information
Security: PCI DSS Level 1 certified (highest level of payment security)

Communication

Company	Service	Data Received	Location
Resend	Transactional email (verification codes, notifications)	Email address, email content (system-generated only)	EU/US

Sub-Processors We Do NOT Use

No analytics or tracking providers (no Google Analytics, no Mixpanel)
No advertising networks
No email marketing platforms
No customer data platforms
No social media integrations

Changes to This List

We will update this page when we add or change sub-processors. Material changes will be notified to customers via email at least 30 days before the change takes effect. If you object to a new sub-processor on reasonable data protection grounds, you may terminate your subscription within 15 days of notification.

Contact

Questions about our sub-processors or data processing: [email protected]