Sub-processors
This is the live list of the third parties Vupiy uses to operate the service. We update it whenever a sub-processor is added or replaced. Our Data Processing Agreement gives you 30 days' notice before any change takes effect.
This page is published under Article 28(2) and Article 28(3)(d) of the UK GDPR. It supplements our Data Processing Agreement (DPA), which sets out the contractual terms governing how each sub-processor below handles your personal data. For questions, email [email protected].
Contents
1. About this list
A "sub-processor" is a third party that Vupiy engages to process personal data on Vupiy's behalf in the course of providing the service to you. Hosting providers, email delivery, error monitoring, customer support tooling — all sub-processors.
This is different from "independent controllers" (Section 5 below) — third parties that receive data because you instruct us to send it to them, but who then process that data under their own legal authority. HMRC is the most important example.
2. How we authorise sub-processors
When you accept our Terms of Service and our Data Processing Agreement, you give Vupiy a general authorisation to engage sub-processors. In return, we commit to:
- Maintaining this public list, including the legal entity, role, location, and purpose of each sub-processor.
- Giving you at least 30 days' prior notice by email (to your administrative contact) and via an in-app banner before any new or replacement sub-processor begins processing your personal data.
- Imposing data protection obligations on each sub-processor that are, in substance, the same as those imposed on Vupiy under our DPA — including UK GDPR Article 32 security measures.
- Remaining fully liable to you for each sub-processor's performance.
- Allowing you to object on reasonable, documented data protection grounds within the 30-day window (see Section 6).
3. Vupiy Group entities (affiliates)
At the date of this page, Vupiy is operated by a single legal entity (Octillionsoft LIMITED). There are no group affiliates that act as sub-processors. If that changes, we will list the affiliate, its jurisdiction, and the corporate purpose for which it accesses customer personal data here.
| Legal entity | Jurisdiction | Role |
|---|---|---|
| Octillionsoft LIMITED (trading as Vupiy) | England & Wales | Operator of the Vupiy Services. Data controller for your account data; processor for the personal data you upload. |
4. Sub-processors (third parties acting for Vupiy)
The third parties below process personal data on Vupiy's behalf to operate the service. Each is bound by a written Data Processing Agreement under Article 28 UK GDPR. Personal data is encrypted in transit and at rest.
4.1 Infrastructure & security
| Provider | Role | Location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Infrastructure Cloud hosting, managed databases, object storage, backups | United Kingdom (London — eu-west-2), with EEA (Ireland — eu-west-1) for redundancy | N/A (UK / EEA) |
| MongoDB Ltd (MongoDB Atlas) | Infrastructure Managed MongoDB database service | United Kingdom / EEA (Ireland) | N/A (UK / EEA) |
| Cloudflare, Inc. | Infrastructure / Security DNS, CDN, Web Application Firewall, DDoS protection | Global edge network; primary configuration for UK / EEA traffic | UK Extension to EU-US DPF + UK IDTA where applicable |
4.2 Communications
| Provider | Role | Location | Transfer mechanism |
|---|---|---|---|
| SendGrid (Twilio Inc.) or equivalent | Communications Transactional email — invoices, notifications, password resets | European region where available; US fallback | UK Extension to EU-US DPF + UK IDTA |
4.3 Payments (Vupiy's own subscription billing)
The provider below handles billing for Vupiy's own subscription fees that you pay to us. It is not the Stripe account you may connect to Vupiy to collect payment from your own customers — that is covered separately in Section 5.
| Provider | Role | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments UK Ltd | Payments Subscription billing for the Vupiy service itself | United Kingdom; with EEA processing for some operations | N/A (UK / EEA) |
4.4 Customer support
| Provider | Role | Location | Transfer mechanism |
|---|---|---|---|
| Intercom Inc. or equivalent | Customer support Support ticketing, in-app chat, knowledge base | Ireland (EU) primary; US for control-plane | UK Extension to EU-US DPF + UK IDTA |
4.5 Observability and error monitoring
| Provider | Role | Location | Transfer mechanism |
|---|---|---|---|
| Sentry (Functional Software, Inc.) or equivalent | Observability Error monitoring and application performance — to detect and fix bugs | EU region preferred; US | UK Extension to EU-US DPF + UK IDTA |
4.6 Analytics (consent-gated)
The provider below is used only on the marketing website (vupiy.co.uk) and only after you give cookie consent. We do not run analytics inside the product without explicit consent.
| Provider | Role | Location | Transfer mechanism |
|---|---|---|---|
| Google Ireland Ltd (Google Analytics 4) | Analytics Aggregate website usage statistics with IP anonymisation | EU primary; US fallback | EU adequacy (Ireland) + UK Extension to EU-US DPF for any US fallback |
4.7 AI providers (opt-in only)
If we deploy AI-assisted features (e.g., bookkeeping suggestions, support copilot), the AI provider is listed below. AI features are opt-in, and we contract for "zero-retention" API plans where available — your data is not stored by the AI provider and not used to train their models. No AI provider is engaged at the date of this page.
| Provider | Role | Location | Transfer mechanism |
|---|---|---|---|
| No AI sub-processors engaged at this time. Updated here on launch of any AI feature, with at least 30 days' prior notice. | |||
5. Independent controllers — NOT sub-processors
| Party | Why independent | What flows to them |
|---|---|---|
| HM Revenue & Customs (HMRC) | Independent statutory controller under the Commissioners for Revenue and Customs Act 2005 and UK GDPR Art. 6(1)(e) (public task). | VAT 9-box returns, VAT obligation queries, ITSA / Self Assessment / CT submissions when those scopes are enabled, plus the fraud prevention headers required by SI 2019/360. |
| Companies House | Independent statutory controller for company information filings. | Confirmation statements, micro-entity accounts, director updates (where you use that integration). |
| Your own Stripe account (Stripe Connect) | You contract directly with Stripe under your Stripe Services Agreement. Stripe processes payments from your customers; Vupiy never takes custody of card data. | Customer name, billing address, amount, currency, invoice reference (no card numbers). |
| Open Banking AISPs and your bank | FCA-regulated Account Information Service Providers. You authorise them separately under Open Banking. | Bank transactions and account information you authorise. |
| Google / Microsoft OAuth providers | Independent controllers of the email / calendar / SSO data you authorise via OAuth. | OAuth tokens scoped to what you grant. |
| Amazon Services Europe S.à r.l. (and its affiliates, including Amazon UK Services Ltd.) | Independent controller of Amazon Selling Partner data that you authorise Vupiy to retrieve via OAuth. Amazon processes this data under its own Amazon Privacy Policy and Amazon Data Protection Policy. | Your marketplace orders, settlement reports, and — for tax-invoice generation only — buyer name, email, and shipping address fetched on-demand via Amazon's Restricted Data Token (RDT) system. |
6. Notification and objection
Whenever we intend to add or replace a sub-processor that will process customer personal data, we will:
- Update this page with the new entry and the planned start date.
- Email the administrative contact on your Vupiy account.
- Display an in-app banner to administrators.
You can object on reasonable, documented data protection grounds within 30 days of notification by emailing [email protected]. If we cannot resolve the objection (for example, by routing your data to a different sub-processor), you may terminate the affected service with a pro-rata refund of pre-paid unused fees.
For sub-processors that handle only aggregated or anonymised data (for example, public CDN nodes that never see personal data in clear text), we may engage the sub-processor with a shorter notice period; we will still update this page promptly.
7. International transfers and safeguards
Where a sub-processor is located outside the UK, the transfer is covered by one or more of:
- UK adequacy regulations — for transfers to countries the UK Government has determined provide adequate protection (including the EEA and other listed countries).
- UK Extension to the EU-US Data Privacy Framework (the "UK-US Data Bridge") — for transfers to recipients in the United States that are self-certified under the UK Extension.
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (ICO template B.1.0, issued under section 119A(1) DPA 2018) — for other restricted transfers, with transfer impact assessments retained internally.
Copies of the transfer safeguards in place for any sub-processor are available on written request to [email protected].
8. Change log
We log changes to this page below. The most recent change is shown at the top. Older versions are archived internally and available on request for due-diligence purposes.
| Date | Change | Effective from |
|---|---|---|
| 2026-06-05 | Version 1.1. Added Amazon Services Europe S.à r.l. to Section 5 (Independent controllers — NOT sub-processors), following Vupiy's submission of its Amazon Solution Provider Portal application on 5 June 2026. Amazon Selling Partner API is the source of marketplace data under the Customer's OAuth grant; Amazon is not a Vupiy sub-processor. | 2026-06-05 |
| 2026-05-19 | Initial publication. Version 1.0. | 2026-05-19 |
9. Contact
- Privacy and sub-processor objections: [email protected]
- Legal team: [email protected]
You can also lodge a complaint with the UK Information Commissioner's Office at ico.org.uk/make-a-complaint/.