Legal & Compliance
Sub-Processor List
Last updated: 23 May 2026
Under UK GDPR Article 28, we are required to disclose the third-party sub-processors that process personal data on our behalf. This page provides full transparency about who processes your data, what data they receive, and where processing occurs.
Key commitments:No sub-processor uses your content to train foundation AI models. Some sub-processors retain limited operational metadata (for example, to provide their service or to fulfil a billing record); where a sub-processor's own policy permits broader use of customer data to improve its service, we describe that below and pursue the available opt-out under UK / EU GDPR. We notify paying customers at least 30 days before adding a new sub-processor.
AI Inference
| Company | Service | Data Received | Location |
|---|---|---|---|
| Amazon Web Services EMEA SARL | AI processing services, hosted exclusively in the AWS London region | Query text, extracted document text, conversation context | UK (London region) |
- Does NOT receive: Your original documents (processed locally in your browser), personal details, payment information
- Training: Your data is NEVER used to train AI models. Contractually guaranteed under AWS Bedrock terms.
- Retention: Queries are processed in real time and not retained beyond the inference request.
Cloud Infrastructure
| Company | Service | Data Received | Location |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Application hosting and compute services (London region) | Application logs, service metadata | UK (London region) |
| MongoDB Atlas | Database hosting | User accounts, conversation metadata, token usage, matter management data (matter metadata, client/party information, time entries, key dates, conflict records, collaboration data) | EU (eu-west-2, London) |
Search Providers
| Company | Service | Data Received | Location |
|---|---|---|---|
| Brave Search | Web search API used as the legal-source discovery provider | Search queries (derived from your questions, not raw input) | EU/US |
| National Archives | UK Case Law API (court judgments) | Search queries only | United Kingdom |
| legislation.gov.uk | UK legislation search API | Search queries only | United Kingdom |
- Brave Search: Privacy-first search engine with independent index. Does not track or log API queries. SOC 2 Type II certified. Where Brave’s infrastructure processes data outside the UK, Writford relies on the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.
- National Archives & legislation.gov.uk: UK Government services. Open data under Open Justice / Open Government licence.
Payment Processing
| Company | Service | Data Received | Location |
|---|---|---|---|
| Stripe | Subscription billing, payment processing | Name, email, payment card details, billing address | EU/UK (with UK adequacy decision) |
- Does NOT receive: Chat content, documents, legal data, or any AI-processed information
- Security: PCI DSS Level 1 certified (highest level of payment security)
Communication
| Company | Service | Data Received | Location |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Transactional email delivery services (verification codes, account notifications) | Recipient email address, system-generated email content only | UK/EU (London region) |
Website Analytics
| Company | Service | Data Received | Location |
|---|---|---|---|
| Google LLC (Google Analytics 4) | Cookieless website analytics, page views, traffic sources, aggregate usage. Configured with client_storage: 'none' and anonymised IP. No cookies set on visitor devices. | Anonymised IP address, page URL, referrer, browser/device type | US (Google LLC, subject to EU–US Data Privacy Framework and UK adequacy decision) |
| Ahrefs Pte. Ltd. (Ahrefs Analytics) | Cookieless website analytics. No cookies set on visitor devices. | Anonymised page URL, referrer, aggregate traffic data | SG/US (Ahrefs Pte. Ltd.) |
- No user identifiers: Neither analytics provider receives account data, email addresses, legal content, or matter data.
- No cookies: Both providers are configured in cookieless mode, no analytics cookies are set on visitor devices. PECR consent is not required.
Sub-Processors We Do NOT Use
- No advertising networks or ad-tracking pixels (no Meta Pixel, LinkedIn Insight Tag)
- No behavioural analytics or session-recording tools (no Hotjar, Clarity, FullStory, Mixpanel)
- No email marketing platforms
- No customer data platforms
- No social media integrations
Changes to This List
We will update this page when we add or change sub-processors. Material changes will be notified to customers via email at least 30 days before the change takes effect. If you object to a new sub-processor on reasonable data protection grounds, you may terminate your subscription within 15 days of notification.
Contact
Questions about our sub-processors or data processing: info@writford.co.uk
See also: Privacy Policy | Terms of Service | Security