Sub-Processor Register
About This Register
VaultifyUK Labs ("we", "us", "our") is operated by VaultifyUK Limited (Company Number: 16878679). This register lists the sub-processors we engage to provide our Services.
"Services" has the same meaning as in our Privacy Policy and Terms of Service.
This register is maintained in accordance with our commitment under our Privacy Policy (Section 8) to publish a current list of sub-processors. It is updated whenever a sub-processor is added, removed, or materially changes.
What Is a Sub-Processor?
A sub-processor is a third-party company that VaultifyUK Labs engages to process personal data on our behalf, or on behalf of our customers, in connection with the delivery of our Services.
Not every third party we work with is a sub-processor. A sub-processor:
- processes personal data (not just anonymised or aggregated data),
- does so under our instruction and on our behalf, and
- is part of the technical infrastructure through which our Services are delivered.
Third-party platforms that our customers independently choose to integrate with our Services (such as Shopify) operate under separate agreements with those customers and are not sub-processors of VaultifyUK Labs in that capacity.
How We Select and Monitor Sub-Processors
Before engaging a sub-processor, we carry out appropriate due diligence to confirm that they:
- provide sufficient guarantees regarding technical and organisational security measures,
- maintain appropriate certifications or audit reports (such as ISO 27001 or SOC 2) where relevant,
- process personal data only for the purposes we have specified, and
- are bound by a written data processing agreement or equivalent contractual safeguards.
We re-evaluate sub-processors periodically and whenever a material change occurs to their services or security practices.
Changes to This Register
We may add, remove, or change sub-processors from time to time. Where a change would materially affect the security or privacy protections applicable to personal data we process, we will provide advance notice by email or through a notice published to our Services before the change takes effect, in accordance with our Privacy Policy.
Customers who have entered into a Data Processing Agreement with us should refer to the notification procedures in that agreement.
Current Sub-Processors
Infrastructure Sub-Processors
These providers form the core technical infrastructure through which our Services are hosted and operated.
| Provider | Service | Data Processed | Location | Safeguards |
|---|---|---|---|---|
| [APPLICATION_HOSTING_PROVIDER] | Application hosting — runs the web server and background worker processes that deliver our Services | All data processed by our Services in transit and at rest during application execution | [LOCATION] | [DPA / SCCs / Adequacy Decision] |
| [POSTGRESQL_PROVIDER] | Relational database — stores all persistent application data including account configurations, sync history, and OAuth session identifiers | Account information, configuration data, sync run records, session identifiers, billing tier | [LOCATION] | [DPA / SCCs / Adequacy Decision] |
| [REDIS_PROVIDER] | In-memory data store — operates as the BullMQ job queue broker for asynchronous background processing | Job payloads containing store identifiers and collection identifiers; no customer end-user personal data | [LOCATION] | [DPA / SCCs / Adequacy Decision] |
Publication blocker — infrastructure providers not confirmed from repository evidence.
The three infrastructure rows above cannot be completed from the repository. Investigation confirms:
- No deployment platform configuration files are committed (
railway.toml,render.yaml,heroku.yml,fly.toml, and equivalents are all absent).- The
README.mdnames Railway, Render, and Heroku only as examples of compatible Procfile-based deployment patterns — not as confirmed production providers.SPEC.mdmentions Railway and Supabase only as development suggestions, not production commitments.- The
.env.examplecontains local development defaults (localhost:5432,localhost:6379) with no production values.- The Dockerfile and Procfile are platform-agnostic.
The technologies are confirmed: PostgreSQL 16 (relational database) and Redis 7 (cache and queue broker). The specific cloud providers, data centre locations, and transfer mechanisms must be obtained from the production deployment configuration and added here before publication.
Delete this note once all three rows are complete.
Platform Integrations
The following platform providers are involved in the delivery of certain Services. These providers are not sub-processors in the traditional sense — they are independent controllers with whom data is shared or exchanged as part of operating the integration — but they are listed here for transparency.
| Provider | Role | Data Involved | Location | Privacy Policy |
|---|---|---|---|---|
| Shopify Inc. | Commerce platform — provides the OAuth authentication mechanism, billing system, webhook infrastructure, and Admin GraphQL API through which Shopify-integrated Services operate. | Store domain and identifiers, OAuth access tokens (stored in our database), billing confirmation events, Shopify product and collection data accessed via API on behalf of the merchant. | United States (with Standard Contractual Clauses for UK/EEA transfers) | shopify.com/legal/privacy |
Shopify merchants who use our Shopify-integrated Services already have a direct contractual relationship with Shopify. VaultifyUK Labs accesses merchant data through the Shopify API only to the extent authorised by the merchant, and only for the purposes of providing the Service the merchant has subscribed to.
Contact
For questions about our sub-processing arrangements or to request a Data Processing Agreement:
VaultifyUK Labs Email: privacy@labs.vaultifyuk.co.uk