Every third party who touches your data.
This is the canonical, public list of sub-processors Yiontech LTD engages to deliver YionStack. Every entry has a written data-protection agreement, a known region, and a documented transfer safeguard. The change-log at the bottom is the authoritative record of additions and removals.
- Version
- v1.1
- Effective
- 11 May 2026
- Total vendors
- 12
- Notice period
- 30 days
Article 28(2) commitment
We will not engage a new sub-processor without giving you 30 days' notice via the change-log below and an email to the controller contact on your account. Object in writing within those 30 days and we will work with you to find a path forward.
UK / EEA-first
Every vendor we can keep in the UK or EEA, we do. Where a vendor is US-based (LLM providers, Postmark) we use SCCs with the UK Addendum (IDTA) and the vendor's most data-minimising tier — typically zero-retention APIs.
Subscribe to changes
Email subprocessors@yionstack.co.uk to receive an email the day we publish a change. The list itself is also versioned in this page's source so legal teams can diff it over time.
Active sub-processors
12 vendors · grouped by category- Google Cloud (UK / EU regions)
Application hosting, database (Cloud SQL Postgres), object storage, queue infrastructure
CategoryInfrastructureRegionUnited Kingdom · europe-west2TransferNo outbound transfer — data stays in the UK regionApplication hosting, database (Cloud SQL Postgres), object storage, queue infrastructure - Cloudflare
DNS, CDN, edge caching, WAF, DDoS mitigation, bot management
CategoryEdge / networkRegionGlobal edge · UK PoPs prioritisedTransferIDTA + Cloudflare Data Processing Addendum (UK Addendum to EU SCCs)DNS, CDN, edge caching, WAF, DDoS mitigation, bot management - Cloudflare R2
Object storage for user-uploaded files (images, PDFs, design exports)
CategoryStorageRegionCloudflare automatic distribution · default ENAM/EEURTransferIDTA + Data Processing AddendumObject storage for user-uploaded files (images, PDFs, design exports) - Stripe Payments UK Ltd
Card / direct-debit processing, billing, tax calculation, customer portal
CategoryPaymentsRegionUnited Kingdom (controller for payment data)TransferUK GDPR Article 28 + Stripe Data Processing AgreementCard / direct-debit processing, billing, tax calculation, customer portal - Postmark (ActiveCampaign)
Transactional email (magic links, receipts, system notifications)
CategoryEmailRegionUnited States · Postmark EU region opt-in availableTransferEU SCCs + UK Addendum (IDTA)Transactional email (magic links, receipts, system notifications) - OpenAI, L.L.C.
Large-language-model inference for the YionAI operator
CategoryAI / inferenceRegionUnited States · zero-retention APITransferEU SCCs + UK Addendum · OpenAI Enterprise DPA · 0-day retention enabledLarge-language-model inference for the YionAI operator - Anthropic, PBC
Large-language-model inference for the YionAI operator (fallback / Claude tier)
CategoryAI / inferenceRegionUnited States · zero-retention APITransferEU SCCs + UK Addendum · Anthropic Commercial Terms · 0-day retention enabledLarge-language-model inference for the YionAI operator (fallback / Claude tier) - BetterStack
Uptime monitoring, public status page, on-call alerting
CategoryObservabilityRegionEuropean Union · FrankfurtTransferNo outbound transfer — EU-hostedUptime monitoring, public status page, on-call alerting - Sentry (Functional Software, Inc.)
Application error monitoring, release tracking
CategoryObservabilityRegionEuropean Union region (sentry.io eu1)TransferEU-hosted; SCCs in place for any incidental US support accessApplication error monitoring, release tracking - Yiontech personnel & contractors located outside the UK
Yiontech personnel and contracted staff based outside the UK who access personal data to do their jobs — currently customer-support handling (phone, email, chat, tickets) and the related in-product support access, and operational / platform support tasks where required
CategoryPersonnel · all rolesRegionOutside the UK (specific country named in our IDTA & Transfer Risk Assessment — available to customers on request)TransferUK IDTA + completed Transfer Risk Assessment for the destination country · supplementary measures: encryption in transit & at rest, role-based access + row-level data isolation, access logging, data minimisation, managed-device controls, written data-protection & confidentiality undertakingYiontech personnel and contracted staff based outside the UK who access personal data to do their jobs — currently customer-support handling (phone, email, chat, tickets) and the related in-product support access, and operational / platform support tasks where required - Companies House (Crown — UK Government)
Director and registered-address lookups during business onboarding
CategoryUK government dataRegionUnited KingdomTransferNo transfer — public-register data, UK CrownDirector and registered-address lookups during business onboarding - HMRC (Crown — UK Government)
Making Tax Digital VAT submissions and registration checks
CategoryUK government dataRegionUnited KingdomTransferNo transfer — direct HMRC API; OAuth2 user consentMaking Tax Digital VAT submissions and registration checks
The “Yiontech personnel & contractors located outside the UK” entry covers everyone who works for us from outside the UK in any role that involves seeing personal data — today that is customer support (and the in-product support access that goes with it) and operational / platform support where it is needed; any other role or country is covered by the same framework and listed here when it is added. Whenever a team member outside the UK looks at a record, that is a restricted transfer under UK GDPR Chapter V, and it is governed by the same machinery as any other non-UK processing in this list: the UK International Data Transfer Agreement, a completed Transfer Risk Assessment for the destination country, and a set of supplementary measures — data stays on UK / EEA infrastructure and is accessed record-by-record through the product (no bulk export), every access is logged, role-based access plus row-level isolation means a person only ever sees data for the businesses or systems their role covers, data is minimised, and the person works from a managed device under a written data-protection and confidentiality undertaking. If a team member is engaged as an independent contractor they are a sub-processor under our DPA; if engaged directly by Yiontech they are personnel — either way the transfer safeguard and the supplementary measures are the same.
Change-log
Every change to the list above appears here, oldest at the bottom.
- 2026-05-11v1.1
Added "Yiontech personnel & contractors located outside the UK" — Yiontech personnel and contracted staff based outside the UK who access personal data to do their jobs, currently customer-support handling and the related in-product support access, and operational / platform support tasks where required. Any future role or destination country is covered by the same framework and added here with notice. Transfers are safeguarded by the UK International Data Transfer Agreement and a completed Transfer Risk Assessment for the destination country, with supplementary technical and organisational measures (encryption in transit & at rest, role-based access + row-level data isolation, access logging, data minimisation, managed-device controls, written data-protection & confidentiality undertaking). The specific destination country is named in those documents and is available to customers on request. Notice period applies as set out above.
- 2026-04-26v1.0
Initial publication of the sub-processor register. All vendors listed were in use at launch — this is not a notification of new vendors, this is the baseline.