Legal

Sub-processors

Last updated: March 2026

The third-party service providers PerkIQ uses to deliver its platform.

1 About this list

PerkIQ Ltd (the “Processor”) uses the third-party service providers listed below (the “Sub-processors”) to deliver the platform to customers (“Controllers”). This list is published in line with UK GDPR Article 28 transparency requirements and forms part of the PerkIQ Data Processing Agreement (DPA).

Each Sub-processor has been assessed against our security and data-protection requirements, and has a Data Processing Agreement in place with PerkIQ.

2 Change notifications

We will give at least 14 days' prior written notice before engaging a new Sub-processor or replacing an existing one. Customers may object on reasonable data protection grounds within that period by contacting info@perkiq.co.uk; where an objection cannot be reasonably addressed the customer may terminate their subscription in line with the DPA.

To receive change notifications by email, write to info@perkiq.co.uk with the subject line “Sub-processor notifications”.

3 Current Sub-processors

Sub-processor	Purpose	Data processed	Location	Transfer mechanism
Vercel Inc.	Application hosting, serverless compute, edge network, cron scheduling	All platform traffic (request metadata, IP addresses). No persistent customer data storage.	United States (EU edge regions for traffic)	UK IDTA + EU SCCs; DPF-certified
Supabase Inc.	Primary database (Postgres), authentication, file storage, row-level security	All customer platform data: company details, benefits configuration, survey responses, employee portal records, audit logs	Ireland (AWS eu-west-1)	EU-hosted; no third-country transfer in normal operation
Stripe Payments UK, Ltd.	Subscription billing, payment processing, invoicing	Billing contact details, subscription status, card metadata (PerkIQ does not receive full card numbers)	United Kingdom	UK-controlled; any onward transfers to Stripe group entities covered by Stripe's DPA
Resend, Inc.	Transactional email delivery (team invitations, employee portal invites, password resets, magic links)	Recipient email address, name where provided, email subject and body content	United States	UK IDTA + EU SCCs; DPF-certified
Upstash, Inc.	Distributed rate limiting (Redis)	Truncated IP addresses and request keys. No PII.	Ireland (AWS eu-west-1); provider entity is US-incorporated	EU-hosted at rest; UK IDTA + EU SCCs with provider as back-stop
Functional Software, Inc. (Sentry)	Error tracking and performance monitoring	Error stack traces, request metadata, user ID (UUID only, no email in events)	United States	UK IDTA + EU SCCs; DPF-certified
HubSpot, Inc.	Customer relationship management, lead nurturing, account tier synchronisation	Admin user name, email, company name, signup source, signup date, marketing consent status, subscription tier	United States	UK IDTA + EU SCCs; DPF-certified
Google LLC (Google Analytics)	Marketing website analytics (consent-gated; not active on the authenticated platform)	Anonymised page view data, referrer, device class. Only after explicit consent via the cookie banner.	United States	UK IDTA + EU SCCs; DPF-certified
Slack Technologies, LLC	Internal operational notifications (new signups, security alerts). PerkIQ employees only; not a customer-facing data path.	Aggregate signup counts and abuse-detection summaries. No raw customer records.	United States	UK IDTA + EU SCCs; DPF-certified

4 International data transfers

Where a Sub-processor is located outside the United Kingdom, personal data is transferred under one or more of the following safeguards in line with UK GDPR Articles 45-46:

UK International Data Transfer Addendum (IDTA) appended to the EU Standard Contractual Clauses
EU-US Data Privacy Framework (DPF), UK Extension, for Sub-processors that are DPF-certified
Adequacy decisions where the UK has determined the recipient country provides equivalent protection

Our primary region for both Supabase (customer database) and Upstash (rate limiting) is Ireland (AWS eu-west-1). Data at rest for those services does not leave the EU in normal operation.

5 Contact

PerkIQ Ltd

167-169 Great Portland Street, 5th Floor, London, W1W 5PF

Company number: 17102662 · VAT: GB 516 4012 29 · ICO: ZC108098

Email: info@perkiq.co.uk

See also Platform Privacy and Platform Terms

1 About this list

Each Sub-processor has been assessed against our security and data-protection requirements, and has a Data Processing Agreement in place with PerkIQ.

2 Change notifications

To receive change notifications by email, write to info@perkiq.co.uk with the subject line “Sub-processor notifications”.

3 Current Sub-processors

Sub-processor	Purpose	Data processed	Location	Transfer mechanism
Vercel Inc.	Application hosting, serverless compute, edge network, cron scheduling	All platform traffic (request metadata, IP addresses). No persistent customer data storage.	United States (EU edge regions for traffic)	UK IDTA + EU SCCs; DPF-certified
Supabase Inc.	Primary database (Postgres), authentication, file storage, row-level security	All customer platform data: company details, benefits configuration, survey responses, employee portal records, audit logs	Ireland (AWS eu-west-1)	EU-hosted; no third-country transfer in normal operation
Stripe Payments UK, Ltd.	Subscription billing, payment processing, invoicing	Billing contact details, subscription status, card metadata (PerkIQ does not receive full card numbers)	United Kingdom	UK-controlled; any onward transfers to Stripe group entities covered by Stripe's DPA
Resend, Inc.	Transactional email delivery (team invitations, employee portal invites, password resets, magic links)	Recipient email address, name where provided, email subject and body content	United States	UK IDTA + EU SCCs; DPF-certified
Upstash, Inc.	Distributed rate limiting (Redis)	Truncated IP addresses and request keys. No PII.	Ireland (AWS eu-west-1); provider entity is US-incorporated	EU-hosted at rest; UK IDTA + EU SCCs with provider as back-stop
Functional Software, Inc. (Sentry)	Error tracking and performance monitoring	Error stack traces, request metadata, user ID (UUID only, no email in events)	United States	UK IDTA + EU SCCs; DPF-certified
HubSpot, Inc.	Customer relationship management, lead nurturing, account tier synchronisation	Admin user name, email, company name, signup source, signup date, marketing consent status, subscription tier	United States	UK IDTA + EU SCCs; DPF-certified
Google LLC (Google Analytics)	Marketing website analytics (consent-gated; not active on the authenticated platform)	Anonymised page view data, referrer, device class. Only after explicit consent via the cookie banner.	United States	UK IDTA + EU SCCs; DPF-certified
Slack Technologies, LLC	Internal operational notifications (new signups, security alerts). PerkIQ employees only; not a customer-facing data path.	Aggregate signup counts and abuse-detection summaries. No raw customer records.	United States	UK IDTA + EU SCCs; DPF-certified

4 International data transfers

Where a Sub-processor is located outside the United Kingdom, personal data is transferred under one or more of the following safeguards in line with UK GDPR Articles 45-46:

UK International Data Transfer Addendum (IDTA) appended to the EU Standard Contractual Clauses

EU-US Data Privacy Framework (DPF), UK Extension, for Sub-processors that are DPF-certified

Adequacy decisions where the UK has determined the recipient country provides equivalent protection

Our primary region for both Supabase (customer database) and Upstash (rate limiting) is Ireland (AWS eu-west-1). Data at rest for those services does not leave the EU in normal operation.