Sub-processors
What this page is
Under UK GDPR Article 28, when a data controller (QSECDEF) engages a sub-processor — a third party that processes personal data on its behalf — it must ensure an appropriate data processing agreement (DPA) is in place with that sub-processor.
This page lists the sub-processors QSECDEF currently uses. It is published in the interest of transparency and to fulfil our commitment to inform members and site visitors about how their data is handled.
QSECDEF will give 30 days' advance notice of any material change to this sub-processor list. The process for delivering this notice is to be implemented before publication.
[TBD — pending operational confirmation: 30-day advance notice mechanism (email to subscribers, page update, or both) must be confirmed and implemented before this commitment is published. Owner: Steven.]
Direct sub-processors
These providers process personal data directly on behalf of QSECDEF under Data Processing Agreements or equivalent mechanisms.
| Provider | Role | Country of processing | Transfer mechanism | Privacy policy / DPA |
|---|---|---|---|---|
| Cloudflare, Inc. | Web hosting (Cloudflare Pages), edge CDN, DNS, DDoS protection, Cloudflare Access Zero Trust, D1, R2, Workers | Global anycast. EU/UK edge nodes used for EU/UK visitors where available. | Provider DPA incorporating Standard Contractual Clauses (SCCs) and UK Addendum as default. Data Privacy Framework (DPF) listed as additional mechanism. | Privacy policy · Customer DPA |
| Brevo (Sendinblue SAS) | Transactional email delivery | France / EU | EU-based processing. UK-to-EU transfers covered by UK adequacy decision for EEA. No US transfer concern. | Privacy policy · Terms (DPA included) |
| PostHog, Inc. | Product analytics — EU-hosted instance. Session data, feature flags, A/B testing. | Frankfurt, Germany (EU) | EU-hosted instance. No transfer outside EEA for analytics data. UK-to-EU covered by adequacy decision. DPA included in PostHog Terms of Service. | Privacy policy · DPA |
| GitHub, Inc. (Microsoft) | Source code repository and CMS storage | USA (Microsoft Azure) | Provider DPA incorporating SCCs and DPF. | Privacy statement · DPA |
| Google LLC — Search Console | Search analytics (aggregated, non-personal search performance data) | USA | Provider DPA incorporating SCCs and DPF. Data submitted is aggregated search performance data; individual personal data is not transmitted. | Google Privacy Policy |
| Alibaba Cloud — Qwen AI | AI-assisted research and discovery tasks. Non-personal-data tasks only. Generic queries — neither personal data nor identifiable company-specific data is transmitted. | Singapore (Alibaba international region — not mainland China) | Provider DPA (Alibaba Cloud international customer agreement). [TBD — SCC enrolment confirmation — operational follow-up. Owner: Steven.] | Privacy policy |
| Mighty Networks | Community platform, LMS, member profiles, course delivery, payment routing for membership subscriptions | United States — AWS US East (Virginia / DC metro area). Mighty Networks plan: Business. SOC 2 Type II attestation. Member data portability under GDPR Article 20: supported via Mighty Networks sub-processor export tooling. | US DPA in force (effective 1 September 2025). Key provisions: security standard ISO 27001/2 certified OR SOC 2 Type 2 compliant minimum; security incident notification within 24 hours; annual independent third-party audit; member data deletion on QSECDEF request. Personal data categories: name, gender, occupation, email, title, interests/preferences, social profile info if integrated, IP addresses, usage data, cookies, navigation, location data, browser information. EU DPA in force (effective 1 September 2025). Mighty Networks EU Data Processing Addendum Schedule 1 incorporates the EU Standard Contractual Clauses (SCCs) Module 2 — Controller-to-Processor — under Regulation (EU) 2016/679 Article 46(2)(c) and Article 28(7). Data importer: Mighty Software, Inc., 530 Lytton Ave 2nd Fl, Office #208, Palo Alto, CA 94301. Sub-processor changes: 10 days' advance notice required. Governing law: Netherlands. Competent supervisory authority: Autoriteit Persoonsgegevens (Dutch DPA). Onward transfers from MN to its own sub-processors are bound by equivalent safeguards under the SCCs. | Privacy policy · Trust page |
Downstream-inherited sub-processors (via Mighty Networks)
Mighty Networks uses its own sub-processors to deliver the QSECDEF community platform. QSECDEF does not have a direct contractual relationship with these providers, but they process member data on behalf of Mighty Networks, which processes it on behalf of QSECDEF. QSECDEF exercises oversight through Mighty Networks' DPA and their published sub-processor disclosure at trust.mightynetworks.com.
| Provider | Role (via Mighty Networks) | Notes |
|---|---|---|
| Amazon Web Services (AWS)* | Hosts Mighty Networks community and LMS data, including QSECDEF member data | AWS region not disclosed by Mighty Networks to QSECDEF. Reference: trust.mightynetworks.com |
| Stripe* | Payment processing (routed via Mighty Networks — not a direct QSECDEF-Stripe relationship) | Confirmed by Steven Vaile 2026-05-20. Stripe's PCI DSS compliance governs card data. Stripe is not a direct QSECDEF sub-processor. |
| Other MN downstream processors* | Email delivery and other infrastructure services engaged by Mighty Networks | Per Mighty Networks' published sub-processor declarations at trust.mightynetworks.com. QSECDEF has requested the current list from MN support. |
* These sub-processors are contracted by Mighty Networks, not directly by QSECDEF. QSECDEF inherits obligations under Mighty Networks' DPA.
Changes to this list
QSECDEF will update this page when sub-processors are added, changed, or removed. We aim to provide 30 days' advance notice of material changes (process to be implemented).
If you object to a proposed new sub-processor, please contact us at info@qsecdef.com within 30 days of the notice.
Data processing agreement requests
Enterprise members or organisational customers who require a Data Processing Agreement with QSECDEF under UK GDPR Article 28 should contact: info@qsecdef.com