Graded Prompts

Subprocessors

Last updated: 6 June 2026


This page lists the third-party service providers ("subprocessors") that Graded Prompts Ltd uses to operate the Graded Prompts platform at gradedprompts.com, and separately lists the independent controllers we share data with. It supplements our Privacy Policy and is maintained as a separate page so it can be kept up to date independently. A subprocessor is a third party that processes personal data on our behalf to help us deliver the Platform. We share only the data each subprocessor needs to perform its specific function, and each is bound by contractual data-protection terms. Some parties we work with are independent controllers rather than subprocessors — they receive personal data but determine their own purposes and means of processing under their own legal obligations. They are listed separately in Section 2.

1. Current Subprocessors

These parties process personal data on our behalf, under our instructions, pursuant to a Data Processing Agreement.

Infrastructure

| Subprocessor | Purpose | Data Processed | Location | Transfer Safeguard |
|---|---|---|---|---|
| Amazon Web Services EMEA SARL | Cloud hosting (Elastic Beanstalk, database, storage) and internal admin tooling used by Graded Prompts staff | All Platform data | us-east-1 (Virginia, USA) | UK–US data bridge — the US recipient, Amazon Web Services, Inc., holds an active UK Extension to the EU–US DPF; UK Addendum to the EU SCCs / IDTA per the AWS GDPR DPA as fallback |
| Amazon CloudFront (Amazon Web Services EMEA SARL / Amazon Web Services, Inc.) | Content delivery and edge caching (CDN) for the Platform | IP addresses, network and request metadata, and cached static content | Global edge locations (US-routed traffic may be served from US edge locations) | UK–US data bridge for US-routed traffic (Amazon Web Services, Inc. holds an active UK Extension certification); UK Addendum to the EU SCCs / IDTA as fallback for traffic routed via other non-UK/EEA edge locations |

Security and Anti-Abuse

| Subprocessor | Purpose | Data Processed | Location | Transfer Safeguard |
|---|---|---|---|---|
| Cloudflare, Inc. (Turnstile) | Bot and abuse protection on sign-up, login, and other public-facing forms | IP address, browser and device signals, interaction data, and a widget verification token | USA (delivered via Cloudflare's global network) | UK–US data bridge (Cloudflare, Inc. holds an active UK Extension certification); UK Addendum to the EU SCCs per the Cloudflare DPA as fallback |

Communications

| Subprocessor | Purpose | Data Processed | Location | Transfer Safeguard |
|---|---|---|---|---|
| Postmark (operated by ActiveCampaign, LLC) | Transactional email delivery (password resets, OTPs, order confirmations, payout notifications) | Email address, message content | USA | UK–US data bridge (ActiveCampaign, LLC holds an active UK Extension certification); UK Addendum to the EU SCCs per the ActiveCampaign DPA as fallback |

Note on transfer instruments: For transfers to the USA, our primary mechanism is the UK–US data bridge (the UK Extension to the EU–US Data Privacy Framework) where the US recipient holds an active certification under it — which each US subprocessor above currently does. Where the data bridge is not available, the ICO recognises two Article 46 instruments for restricted transfers: the standalone International Data Transfer Agreement (IDTA) and the UK Addendum to the EU SCCs. We confirm each provider's certification status against the public DPF list and the applicable instrument against its published DPA, and we update this page if either changes.

2. Independent Controllers

The following parties receive personal data but act as independent data controllers for that data, because they have their own legal obligations (under PSD2, anti-money-laundering rules, card-network rules, and similar). They are not our subprocessors. Their own privacy policies govern how they handle your data, and we encourage you to review them.

Payments and Payouts

| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe Payments Europe Ltd / Stripe, Inc. | Processing buyer card payments for Graded Prompts as merchant of record; seller payout-account onboarding, identity verification (Stripe Connect), and seller payouts | Card details, billing address, transaction data, payout account details, identity data for KYC | Ireland / USA |

Banking and Network Operators

  • Wise Payments Limited (Wise Business) — our operating bank. Wise receives aggregate settlements paid to Graded Prompts Ltd and does not process personal data of individual buyers or sellers on our behalf. Wise acts as an independent data controller for any data we provide to it.
  • Card networks (Visa, Mastercard, etc.) — payment-network operators that route transactions; they are independent controllers.

Because these parties are independent controllers, the international transfers of personal data they make are governed by their own transfer arrangements and privacy policies, not by our processor safeguards. Where we provide them with data, that disclosure is a controller-to-controller sharing covered by Section 4 of our Privacy Policy.

3. Other Parties (Not Processors of User Data)

For clarity, the following are involved in operating Graded Prompts but do not process buyer or seller personal data:

  • Our UK formation agent and Companies House — these relate to corporate registration, not user data processing.

4. Analytics, Advertising, and Tracking

We do not currently use third-party analytics, advertising, or cross-site tracking providers. If this changes, we will update this page and the Privacy Policy before the new subprocessor goes live, and we will request consent where required.

5. Updates to This List

We may add or change subprocessors as the Platform evolves. When we do:

  • We will update this page with the new entry and the "Last Updated" date.
  • If a future enterprise or team customer has a Data Processing Agreement with us that requires advance notice, we will follow the notice period agreed in that DPA.

6. Where Your Data Is Hosted

Primary Platform data is hosted with AWS in us-east-1 (Virginia, USA). Some of our subprocessors and independent controllers are also located outside the UK and EEA. Where personal data is transferred to the USA, we rely on the UK–US data bridge (the UK Extension to the EU–US Data Privacy Framework) for recipients that hold an active certification under it. For any transfer to a country without a UK adequacy decision, or to a recipient not covered by the data bridge, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment and supplementary measures where appropriate. These Article 46 safeguards are also kept in place as a fallback should a recipient's DPF certification lapse.

7. Contact

For questions about our subprocessors or transfer safeguards, or to request copies of the relevant data protection terms:

Email: privacy@gradedprompts.com

Company details and registered office: gradedprompts.com/legal/company-information

This page was last reviewed and updated on 3 June 2026.