Trust
Sub-processors
Last updated: 3 May 2026 · Version 1.2
This page lists the third-party services BuiltByGo Ltd uses to deliver our work — the “sub-processors” who may handle personal data on our clients' behalf in the course of providing our services.
We publish this register publicly because we think transparency is the right default. The contractual version of this list lives in Schedule 3 of our Data Processing Agreement; this page is the canonical reference between contract updates.
If you're evaluating BuiltByGo for an institutional engagement, this is what your procurement or risk team will want to see.
What “sub-processor” means
Under UK GDPR, a sub-processor is any third party that processes personal data on behalf of a data processor (us) on behalf of a data controller (the client). In practice: anywhere client data flows through a third-party service we use to deliver work, that service is a sub-processor.
We treat this question conservatively. If a service could see real user data, we list it.
For services that don't process personal data (source-control hosts, build pipelines, internal documentation tools), we explain why they're excluded at the bottom of this page.
Active sub-processors
These services are actively used in the delivery of BuiltByGo's services and may process client personal data.
Infrastructure and hosting
| Sub-processor | Purpose | Data processed | Hosting region | Transfer mechanism |
|---|---|---|---|---|
| Cloudflare, Inc. | CDN, DNS, edge security, Pages hosting, R2 backup storage | Anonymous request data, encrypted database backups, static assets | Global edge network; data centres across EU, UK, US | UK IDTA / EU SCCs (Cloudflare DPA in place) |
| Railway Corp. | Container hosting (search infrastructure, application services) | Search queries, API request payloads, application logs | US (default); EU available per engagement | UK IDTA / EU SCCs |
| Supabase, Inc. | PostgreSQL database, authentication services | All client user data, form submissions, application data at rest | UK / EU / Latam / US — selected per engagement based on data subject geography | UK IDTA / EU SCCs where applicable |
| Sanity (Sanity.io) | Headless content management system | Content drafts, media assets, editor metadata | EU (Frankfurt, Germany) | Within EEA — no transfer mechanism required for EU data |
Email and communications
| Sub-processor | Purpose | Data processed | Hosting region | Transfer mechanism |
|---|---|---|---|---|
| Resend (Resend Inc.) | Transactional email delivery (contact forms, application emails) | Sender name, email address, message body, delivery metadata | EU region | Within EEA |
Analytics and monitoring
| Sub-processor | Purpose | Data processed | Hosting region | Transfer mechanism |
|---|---|---|---|---|
| PostHog Inc. | Product analytics | Page views, feature usage events, anonymised IP addresses, browser/device info | EU (Frankfurt) — selected for GDPR alignment | Within EEA for EU-region data |
| Functional Software, Inc. (Sentry) | Error monitoring and crash reporting | Stack traces, browser/OS information, URL at time of error | EU region | Within EEA for EU-region data |
| Better Stack (Better Uptime) | Uptime and availability monitoring | HTTP status codes, response times, SSL certificate metadata; no user data | EU | Within EEA |
Translation (conditional)
| Sub-processor | Purpose | Data processed | Hosting region | Transfer mechanism |
|---|---|---|---|---|
| DeepL SE | Machine translation via DeepL API (when enabled per engagement) | Text strings sent for translation; configured for the DeepL API tier with the no-training data-handling commitment | EU (Germany) | Within EEA |
DeepL is enabled only for engagements that opt in to multi-language translation tooling. We use the DeepL API tier with its no-training data-handling commitment — translated text is not used for DeepL model training.
Conditional sub-processors — AI-assisted internal tooling
The following AI tools are listed as conditional sub-processors. They may process data only under our internal AI usage policy, which prohibits production personal data being passed to AI APIs without prior anonymisation. See our AI Usage Policy for the full operational rules.
We list these proactively because we believe modern data-protection practice requires it, even where their use is governed by anonymisation policy.
| Sub-processor | Purpose | Data processed | Hosting region | Transfer mechanism |
|---|---|---|---|---|
| Anthropic PBC (Claude) | AI-assisted internal tooling via MCP and equivalent integrations under Anthropic Commercial Terms | Anonymised data only, per BuiltByGo policy | US | Anthropic DPA with Standard Contractual Clauses, published at anthropic.com/legal/data-processing-addendum |
| DeepSeek | AI-assisted internal tooling | Anonymised data only, per BuiltByGo policy | International | Subject to BuiltByGo's anonymisation policy and contractual safeguards |
Excluded — services that are NOT sub-processors
The following services are used by BuiltByGo but are not sub-processors of client personal data, because under our standard internal policies, they do not handle production client personal data.
| Provider | Service | Why excluded |
|---|---|---|
| GitHub, Inc. | Source code repositories | Repositories hold code only. Production personal data is never committed to repositories under standard BuiltByGo policy. Build artefacts must contain no production data. |
| Cloudflare Pages CI | Build pipeline (built into Cloudflare Pages) | Build artefacts must contain no production data; deployment logs must not capture user-submitted content. Standard policy applies. |
| Standard runtime dependencies | Language runtimes, package managers (Node.js, npm, PyPI, etc.) | Software dependencies licensed and used under their respective open-source licences; no client personal data flows through these. |
If client engagement-specific use ever takes any of these outside their standard policy boundary (for example, real production data in test fixtures), that use becomes a sub-processing relationship and is documented in the engagement Statement of Work and disclosed to the client at that point.
How we manage changes
We follow a transparent process for adding, removing, or replacing sub-processors:
- Notification. We notify clients in writing at least 30 days before adding or replacing any sub-processor that processes their personal data, with sufficient detail to enable assessment of the change.
- Objection window. Clients may object on reasonable grounds within 14 days of notification. Where an objection is raised, we discuss alternative arrangements in good faith.
- Termination right. Where no reasonable alternative is available and the client cannot accept the new sub-processor, the affected services may be terminated on written notice without liability.
- Equivalent obligations. All sub-processors we engage are contractually bound to data protection obligations equivalent to those in our DPA, including security measures, breach notification, and confidentiality.
How we choose sub-processors
We assess every sub-processor against:
- Data protection compliance — UK GDPR, EU GDPR, and other applicable Data Protection Laws as relevant to the data subjects served
- Security posture — published certifications (ISO 27001, SOC 2, HIPAA, etc.), encryption standards, access controls, breach history
- Data residency — region selection that matches data subject geography and regulatory requirements
- Contractual safeguards — DPAs, Standard Contractual Clauses, IDTA, or equivalent transfer mechanisms in place
- Operational maturity — financial stability, support quality, transparency about subprocessing chains
Region selection
Our default for client engagements is the United Kingdom region of our primary database provider (Supabase London / eu-west-2). Alternative regions — EU-West, Latin American regions, or US — are selected per engagement based on:
- Data subject geography — where the people whose data is being processed actually live
- Regulatory requirements — record-keeping rules in the client's industry (FCA, FDA, Latam reinsurance regulators, etc.)
- Performance and latency — proximity of data to the predominant user base
- Cost and scaling — provider tier and feature parity across regions
The chosen region for each engagement is documented in the relevant Statement of Work.
Questions
For data-protection enquiries about sub-processors: privacy@builtbygo.com
For general questions: hello@builtbygo.com
Document history
| Version | Date | Changes |
|---|---|---|
| 1.0 | 3 May 2026 | Initial publication. Comprehensive register of 9 active sub-processors, 2 conditional AI sub-processors, and 3 excluded services. Replaces the prior brief mention of “Cloudflare and Google Analytics” on the /security and /procurement pages. Aligned with DPA v2.0 Schedule 3. |
| 1.1 | 3 May 2026 | Sentry and Resend confirmed as EU-region deployments. DeepL clarified as DeepL API tier (not Pro tier) with the API's no-training data-handling commitment. |
| 1.2 | 3 May 2026 | Anthropic DPA referenced explicitly by URL (anthropic.com/legal/data-processing-addendum); Anthropic Commercial Terms basis clarified for AI sub-processor row. |