The third-party service providers PerkIQ uses to deliver its platform.
PerkIQ Ltd (the "Processor") uses the third-party service providers listed below (the "Sub-processors") to deliver the platform to customers ("Controllers"). This list is published in line with UK GDPR Article 28 transparency requirements and forms part of the PerkIQ Data Processing Agreement (DPA).
Each Sub-processor has been assessed against our security and data-protection requirements, and has a Data Processing Agreement in place with PerkIQ.
We will give at least 14 days' prior written notice before engaging a new Sub-processor or replacing an existing one. Customers may object on reasonable data protection grounds within that period by contacting info@perkiq.co.uk; where an objection cannot be reasonably addressed the customer may terminate their subscription in line with the DPA.
To receive change notifications by email, write to info@perkiq.co.uk with the subject line "Sub-processor notifications".
| Sub-processor | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| Vercel Inc. | Application hosting, serverless compute, edge network, cron scheduling | All platform traffic (request metadata, IP addresses). No persistent customer data storage. | United States (EU edge regions for traffic) | UK IDTA + EU SCCs; DPF-certified |
| Supabase Inc. | Primary database (Postgres), authentication, file storage, row-level security | All customer platform data: company details, benefits configuration, survey responses, employee portal records, audit logs | Ireland (AWS eu-west-1) | EU-hosted; no third-country transfer in normal operation |
| Stripe Payments UK, Ltd. | Subscription billing, payment processing, invoicing | Billing contact details, subscription status, card metadata (PerkIQ does not receive full card numbers) | United Kingdom | UK-controlled; any onward transfers to Stripe group entities covered by Stripe's DPA |
| Resend, Inc. | Transactional email delivery (team invitations, employee portal invites, password resets, magic links) | Recipient email address, name where provided, email subject and body content | United States | UK IDTA + EU SCCs; DPF-certified |
| Upstash, Inc. | Distributed rate limiting (Redis) | Truncated IP addresses and request keys. No PII. | Ireland (AWS eu-west-1); provider entity is US-incorporated | EU-hosted at rest; UK IDTA + EU SCCs with provider as back-stop |
| Functional Software, Inc. (Sentry) | Error tracking and performance monitoring | Error stack traces, request metadata, user ID (UUID only — no email in events) | United States | UK IDTA + EU SCCs; DPF-certified |
| HubSpot, Inc. | Customer relationship management, lead nurturing, account tier synchronisation | Admin user name, email, company name, signup source, signup date, marketing consent status, subscription tier | United States | UK IDTA + EU SCCs; DPF-certified |
| Google LLC (Google Analytics) | Marketing website analytics (consent-gated; not active on the authenticated platform) | Anonymised page view data, referrer, device class. Only after explicit consent via the cookie banner. | United States | UK IDTA + EU SCCs; DPF-certified |
| Slack Technologies, LLC | Internal operational notifications (new signups, security alerts). PerkIQ employees only — not a customer-facing data path. | Aggregate signup counts and abuse-detection summaries. No raw customer records. | United States | UK IDTA + EU SCCs; DPF-certified |
Where a Sub-processor is located outside the United Kingdom, personal data is transferred under one or more of the following safeguards in line with UK GDPR Articles 45-46:
PerkIQ Ltd
167-169 Great Portland Street, 5th Floor, London, W1W 5PF
Company number: 17102662 | VAT: GB 516 4012 29 | ICO: ZC108098
Email: info@perkiq.co.uk