Sub-processors

Version 1.0 · Last updated 13 May 2026 · Effective 13 May 2026

This page lists the third parties (“sub-processors”) that process personal data on behalf of Safe and Sorted Ltd when you and your team use the Safe and Sorted app. We publish this so you can carry out your own controller-side compliance under UK GDPR.

If we add or change a sub-processor, we’ll update this page and email every active customer at least 30 days before the change goes live. If you object to a new sub-processor on legitimate grounds, you can terminate your subscription within the notice period without further fee.

How to read this list

A sub-processor is a third party that handles your data (or your employees’ / subcontractors’ data) on our behalf as part of providing the Service. We’ve listed only sub-processors here — not every vendor we use internally. Anything that touches the data you enter into Safe and Sorted appears below.

Current sub-processors

Supabase, Inc.

  • What they do for us: Primary database, authentication, file storage and edge functions. The bulk of customer data lives here.
  • Data they process: Everything you enter into the Service — site records, RAMS, sign-ins, accident reports, signatures, photographs, training records.
  • Where: European Union (Ireland — AWS Dublin region).
  • Their sub-processors: supabase.com/legal/subprocessors
  • Their privacy policy: supabase.com/privacy

Resend, Inc.

  • What they do for us: Sends transactional email — team invites, document-share emails, password resets, signup confirmations.
  • Data they process: Recipient email addresses, sender details, subject lines and the body of the message (which may include names of people you’ve invited or document titles).
  • Where: European Union (Ireland).
  • Their privacy policy: resend.com/legal/privacy

Netlify, Inc.

  • What they do for us: Hosts the Safe and Sorted web app (app.safeandsorted.com) and marketing site (safeandsorted.com).
  • Data they process: HTTP request metadata — IP addresses, user agents, requested URLs — kept transit-only for ~30 days. Customer data entered into the Service never lands on Netlify’s infrastructure; it goes directly from your browser to Supabase.
  • Where: Global content delivery network (US-headquartered).
  • Their privacy policy: netlify.com/privacy

Stripe Payments UK Ltd

  • What they do for us: Subscription billing and the Customer Portal where you manage your plan and update payment methods.
  • Data they process: The name and email of the person paying, billing address, and card details. We never see or hold your card number — it goes directly from your browser to Stripe via Stripe Elements. Stripe is PCI-DSS Level 1 certified.
  • Where: Stripe Payments Europe Ltd (Ireland) for UK and EU customers.
  • Their privacy policy: stripe.com/privacy

Vendors that do not process customer data

For completeness, the following third parties support our business but don’t handle data you enter into the Service:

  • Microsoft 365 — our internal email and Office tools. Holds our company’s own correspondence; never your data.
  • GitHub — source code hosting. Holds our code; never customer data.
  • Hover — domain name registrar. Holds our registration metadata only.
  • Bitwarden — operational password manager. Holds our credentials, encrypted client-side; never customer data.
  • 1st Formations — registered office mail-forwarding service for the Ltd company; never customer data.

Coming soon

We’ll update this page and notify customers 30 days before any of these go live:

  • Anthropic PBC — to power an in-app AI help chat. Data processed: whatever a user types into the help-chat panel (intended for general “how do I…” questions about the app, not customer records). Hosted in the US under Anthropic’s standard data-processing terms, with the zero-retention option enabled. Anthropic privacy policy
  • Tapfiliate B.V. — for the affiliate referral programme (2-tier tracking). Will process email addresses of affiliates and referred customers, plus the referral chain (who recruited whom). Hosted in the EU (Netherlands / Amsterdam) — no UK-to-third-country transfer. Tapfiliate privacy policy

Notifications when this list changes

By default, every active customer is emailed whenever this list changes — at the email address on the account’s primary owner. If you’d like to nominate a different email address for sub-processor notifications (for example, your DPO or in-house counsel), email privacy@safeandsorted.com and we’ll add it to the notification list.

Questions

For any privacy or sub-processor enquiry, email privacy@safeandsorted.com. We aim to respond within one working day.

Safe and Sorted Ltd · Company no. 17214001 · Registered in England and Wales
Registered office: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ