Sub-processors

Last updated: 21 March 2026

SafeGuard Workers engages the following third-party sub-processors. Each has a Data Processing Agreement in place as required by UK GDPR Article 28.

Supabase

DPA signed

Database and authentication — stores all user data, incident reports, and files

Data shared: All personal data and special category data (incident reports, health data, immigration status)

Location: EU / US (configurable)

DPA signed

Transactional email — welcome emails, report confirmations, legal case notifications

Data shared: User name, email address, report reference IDs, case type

Location: United States

DPA signed

Payment processing for organisation subscriptions

Data shared: Organisation billing contact name, email, address, Stripe customer ID

Location: United States / EU

DPA signed

Error monitoring (session replay only with explicit analytics consent)

Data shared: Error traces, anonymised user ID, masked email. Session replay requires opt-in.

Location: United States

DPA signed

Frontend hosting and serverless compute

Data shared: Request logs (IP addresses, URLs) — retained ≤30 days per Vercel policy

Location: EU / US (configurable)

DPA signed

Police station lookup for generating police report guidance

Data shared: Location query (city/postcode only — no personally identifiable information)

Location: United States

Data residency

Primary data is stored by Supabase in EU data centres where possible. For specific residency requirements contact privacy@safeguardworkers.co.uk.

To exercise your GDPR rights, visit Account Settings or email privacy@safeguardworkers.co.uk.