Sub-Processor Register
A public register of all third-party sub-processors used by Automate Labs in the delivery of the Care Home Platform.
1. Introduction
Under Article 28 of the UK General Data Protection Regulation (UK GDPR), a data processor may only engage a sub-processor with the prior authorisation of the data controller. Where Automate Labs acts as a data processor on behalf of care home organisations (data controllers), we are required to:
- Maintain a register of all sub-processors engaged in processing personal data on behalf of our customers
- Notify customers before making any changes to the list of sub-processors
- Give customers the opportunity to object to any new sub-processor
- Impose equivalent data protection obligations on each sub-processor by contract
This register is maintained by Automate Labs and updated whenever our sub-processor arrangements change. Customers will be notified of any changes at least 30 days in advance.
2. Current Sub-Processors
The following sub-processors are currently engaged in the delivery of the Care Home Platform.
| Sub-Processor | Role | Data Categories | Location | Security | Transfer Mechanism |
|---|---|---|---|---|---|
|
Stripe Inc.
stripe.com
|
Payment processing and subscription billing |
|
United States |
PCI DSS Level 1
SOC 2 Type II
|
UK IDTA Addendum |
|
VPS Hosting Provider
Server infrastructure
|
Server infrastructure hosting all platform data |
|
UK / EU | ISO 27001 (TBC) | No transfer (UK/EU) |
|
Email Service Provider
Transactional email
|
Transactional email delivery (invites, MFA codes, notifications) |
|
UK / EU | TBC | No transfer (UK/EU) |
Stripe Inc.
stripe.com
- Role
- Payment processing and subscription billing
- Data
- Billing contact email, subscription data, Stripe customer ID
- Security
- PCI DSS Level 1SOC 2 Type II
- Transfer Mechanism
- UK IDTA Addendum
VPS Hosting Provider
Server infrastructure
- Role
- Server infrastructure hosting all platform data
- Data
- All platform data, database backups, application logs
- Security
- ISO 27001 (TBC)
- Transfer Mechanism
- No transfer (UK/EU)
Email Service Provider
Transactional email
- Role
- Transactional email delivery (invites, MFA codes, notifications)
- Data
- Email addresses, display names, one-time passcodes
- Security
- TBC
- Transfer Mechanism
- No transfer (UK/EU)
3. Changes to This Register
We will notify all customers by email at least 30 days before adding any new sub-processor or making material changes to an existing sub-processor's role or data access.
Upon receipt of such a notification, customers have a 14-day objection window in which to raise concerns. If a customer objects to a new sub-processor and we are unable to resolve the concern, the customer may terminate their subscription without penalty.
To raise an objection or request further information about any sub-processor, please contact chp@automatelabs.co.uk.
4. Last Updated
16 June 2026
Version 1.0.0 — initial release
This register is reviewed and updated at minimum every 12 months, and whenever our sub-processor arrangements change. The date above reflects the most recent substantive update.
Document
Sub-Processor Register