Navigate Trust Centre

Sub-processors

List current as of 5 July 2026 (pass 3 — full confirmed list). 30-day advance notice will be given of material changes.

What this page is

Under UK GDPR Article 28, when a data controller (QSECDEF) engages a sub-processor — a third party that processes personal data on its behalf — it must ensure an appropriate data processing agreement (DPA) is in place with that sub-processor.

This page lists the sub-processors QSECDEF currently uses. It is published in the interest of transparency and to fulfil our commitment to inform members and site visitors about how their data is handled.

QSECDEF will give 30 days' advance notice of any material change to this sub-processor list. The process for delivering this notice is to be implemented before publication.

Direct sub-processors

These providers process personal data directly on behalf of QSECDEF under Data Processing Agreements or equivalent mechanisms.

Direct sub-processors — providers that process data on behalf of QSECDEF
Provider Role Country of processing Transfer mechanism Privacy policy / DPA
Cloudflare, Inc. Web hosting (Cloudflare Pages), edge CDN, DNS, DDoS protection, Cloudflare Access Zero Trust, D1, R2, Workers Global anycast. EU/UK edge nodes used for EU/UK visitors where available. Provider DPA incorporating Standard Contractual Clauses (SCCs) and UK Addendum as default. Data Privacy Framework (DPF) listed as additional mechanism. Privacy policy · Customer DPA
Brevo (Sendinblue SAS) Transactional email delivery France / EU EU-based processing. UK-to-EU transfers covered by UK adequacy decision for EEA. No US transfer concern. Privacy policy · Terms (DPA included)
PostHog, Inc. Product analytics — EU-hosted instance. Session data, feature flags, A/B testing. Frankfurt, Germany (EU) EU-hosted instance. No transfer outside EEA for analytics data. UK-to-EU covered by adequacy decision. DPA included in PostHog Terms of Service. Privacy policy · DPA
GitHub, Inc. (Microsoft) Source code repository and CMS storage USA (Microsoft Azure) Provider DPA incorporating SCCs and DPF. Privacy statement · DPA
Google LLC — Search Console Search analytics (aggregated, non-personal search performance data) USA Provider DPA incorporating SCCs and DPF. Data submitted is aggregated search performance data; individual personal data is not transmitted. Google Privacy Policy
Alibaba Cloud — Qwen AI AI-assisted research and discovery tasks. Non-personal-data tasks only. Generic queries — neither personal data nor identifiable company-specific data is transmitted. Singapore (Alibaba international region — not mainland China) Provider DPA (Alibaba Cloud international customer agreement). [TBD — SCC enrolment confirmation — operational follow-up. Owner: Steven.] Privacy policy
Mighty Networks Community platform, LMS, member profiles, course delivery, payment routing for membership subscriptions United States — AWS US East (Virginia / DC metro area). Mighty Networks plan: Business. SOC 2 Type II attestation. Member data portability under GDPR Article 20: supported via Mighty Networks sub-processor export tooling. US DPA in force (effective 1 September 2025). Key provisions: security standard ISO 27001/2 certified OR SOC 2 Type 2 compliant minimum; security incident notification within 24 hours; annual independent third-party audit; member data deletion on QSECDEF request. Personal data categories: name, gender, occupation, email, title, interests/preferences, social profile info if integrated, IP addresses, usage data, cookies, navigation, location data, browser information.

EU DPA in force (effective 1 September 2025). Mighty Networks EU Data Processing Addendum Schedule 1 incorporates the EU Standard Contractual Clauses (SCCs) Module 2 — Controller-to-Processor — under Regulation (EU) 2016/679 Article 46(2)(c) and Article 28(7). Data importer: Mighty Software, Inc., 530 Lytton Ave 2nd Fl, Office #208, Palo Alto, CA 94301. Sub-processor changes: 10 days advance notice required. Governing law: Netherlands. Competent supervisory authority: Autoriteit Persoonsgegevens (Dutch DPA). Onward transfers from MN to its own sub-processors are bound by equivalent safeguards under the SCCs.
Privacy policy · Trust page

Downstream-inherited sub-processors (via Mighty Networks)

Mighty Networks uses its own sub-processors to deliver the QSECDEF community platform. QSECDEF does not have a direct contractual relationship with these providers, but they process member data on behalf of Mighty Networks, which processes it on behalf of QSECDEF. QSECDEF exercises oversight through Mighty Networks' DPA and their published sub-processor disclosure at trust.mightynetworks.com.

Downstream-inherited sub-processors — contracted by Mighty Networks, not directly by QSECDEF
Provider Role (via Mighty Networks) Notes
Amazon Web Services (AWS)* Hosts Mighty Networks community and LMS data, including QSECDEF member data AWS region not disclosed by Mighty Networks to QSECDEF. Reference: trust.mightynetworks.com
Stripe* Payment processing (routed via Mighty Networks — not a direct QSECDEF-Stripe relationship) Confirmed by Steven Vaile 2026-05-20. Stripe's PCI DSS compliance governs card data. Stripe is not a direct QSECDEF sub-processor.
Other MN downstream processors* Email delivery and other infrastructure services engaged by Mighty Networks Per Mighty Networks' published sub-processor declarations at trust.mightynetworks.com. QSECDEF has requested the current list from MN support.

* These sub-processors are contracted by Mighty Networks, not directly by QSECDEF. QSECDEF inherits obligations under Mighty Networks' DPA.

Changes to this list

QSECDEF will update this page when sub-processors are added, changed, or removed. We aim to provide 30 days' advance notice of material changes (process to be implemented).

If you object to a proposed new sub-processor, please contact us at info@qsecdef.com within 30 days of the notice.

Data processing agreement requests

Enterprise members or organisational customers who require a Data Processing Agreement with QSECDEF under UK GDPR Article 28 should contact: info@qsecdef.com