Sub-processors
Document reference: ISO_webpage_legal-sub-processors_v1
Last modified: 28 March 2026
1. Introduction
Coaley Peak Limited (“we”, “us”, “our”) acts as a data processor for personal data entrusted to us by our clients. In delivering our services, we engage third-party organisations to carry out specific processing activities on our behalf. These organisations are referred to as sub-processors.
In accordance with Article 28 of the UK General Data Protection Regulation (UK GDPR) and, where applicable, the EU GDPR, we are required to ensure that sub-processors provide sufficient guarantees that they will implement appropriate technical and organisational measures to protect personal data. We are also required to make information about our sub-processors available to our clients.
This page constitutes our public sub-processor disclosure. Clients who have entered into a Data Processing Agreement (DPA) with Coaley Peak Limited may rely on this disclosure as the authoritative list of sub-processors engaged in the processing of their data.
2. How to Object to a Sub-processor
Clients may object to the appointment of a new or replacement sub-processor by contacting us at compliance@coaleypeak.co.uk within 30 days of receiving notification of the proposed change (see Section 5 below). Objections must be made in writing and must set out the grounds for objection. We will work with you in good faith to resolve the concern; where resolution is not possible, either party may terminate the relevant services on reasonable notice without penalty.
3. Sub-processor Register
The following tables list all sub-processors currently engaged by Coaley Peak Limited, grouped by category. Where personal data is transferred outside the UK or the European Economic Area (EEA), we rely on one of the following transfer mechanisms:
- Adequacy decision — the destination country has been deemed adequate by the UK Government or the European Commission.
- UK IDTA — the UK International Data Transfer Agreement, incorporating the relevant supplementary information for the transfer.
- SCCs — the EU Standard Contractual Clauses (2021) where EU personal data is involved, supplemented as necessary.
3.1 Cloud Infrastructure & Hosting
| Sub-processor | Country of incorporation | Processing location(s) | Purpose | Transfer basis |
|---|---|---|---|---|
| Vercel Inc. | United States | US; EU (Frankfurt) | Website and application hosting; serverless compute; edge delivery of web assets | UK IDTA / SCCs |
| Cloudflare, Inc. | United States | Global edge network (including UK and EU nodes) | Content delivery network (CDN); DDoS mitigation; DNS resolution; bot management | UK IDTA / SCCs |
3.2 Analytics
| Sub-processor | Country of incorporation | Processing location(s) | Purpose | Transfer basis |
|---|---|---|---|---|
| Google LLC | United States | US; EU (where regional data residency is configured) | Website analytics via Google Analytics. IP addresses are anonymised prior to processing. No personally identifiable information (PII) is deliberately collected or transmitted. | UK IDTA / SCCs |
3.3 Communication & Collaboration
| Sub-processor | Country of incorporation | Processing location(s) | Purpose | Transfer basis |
|---|---|---|---|---|
| Microsoft Corporation | United States | UK; EU (where tenant region is configured) | Business email, calendar, and video conferencing (Microsoft 365 / Exchange Online); document creation and storage (SharePoint, OneDrive); internal collaboration (Teams) | UK IDTA / SCCs |
3.4 CRM & Business Operations
| Sub-processor | Country of incorporation | Processing location(s) | Purpose | Transfer basis |
|---|---|---|---|---|
| HubSpot, Inc. | United States | US; EU (where EU data hosting is enabled) | Customer relationship management; contact and deal tracking; business development pipeline. Data processed includes business contact details of client personnel only. | UK IDTA / SCCs |
3.5 Payment Processing
Coaley Peak Limited operates exclusively on pay-on-results contracts billed via invoice. We do not use an online payment gateway or card-processing platform. Accordingly, no payment card data or payment account data is processed by any sub-processor on our behalf. Invoices are issued and settled via bank transfer.
3.6 Security Monitoring
| Sub-processor | Country of incorporation | Processing location(s) | Purpose | Transfer basis |
|---|---|---|---|---|
| Microsoft Corporation | United States | UK; EU | Security information and event management (SIEM) via Microsoft Defender and Microsoft Sentinel; endpoint protection; identity and access management (Azure Active Directory / Entra ID) | UK IDTA / SCCs |
3.7 AI Tooling
Where Coaley Peak Limited uses AI-assisted tooling in the delivery of client services, we take care to ensure that no personal data from client engagements is submitted to external AI platforms without an appropriate contractual basis and data processing agreement in place. Our current practice is as follows:
| Sub-processor | Country of incorporation | Processing location(s) | Purpose | Transfer basis |
|---|---|---|---|---|
| Microsoft Corporation (Azure OpenAI Service) | United States | UK; EU (subject to region selection) | AI-assisted analysis and drafting support used internally by Coaley Peak staff. Inputs are reviewed before submission; personal data is minimised or pseudonymised where processing cannot be avoided. | UK IDTA / SCCs |
| Anthropic PBC | United States | United States | AI-assisted research and drafting support via the Claude API, used internally by Coaley Peak staff under an enterprise agreement with data-processing commitments. Personal data is minimised prior to submission. | UK IDTA / SCCs |
4. Sub-processor Due Diligence
Before appointing any sub-processor, we carry out proportionate due diligence to satisfy ourselves that the sub-processor can provide sufficient guarantees regarding data protection. Our assessment process includes:
- Review of the sub-processor’s published privacy and security documentation, including their DPA or data processing addendum.
- Review of relevant certifications (such as ISO 27001, SOC 2 Type II) and independent audit reports where available.
- Confirmation that an appropriate international data transfer mechanism is in place where data leaves the UK or EEA.
- Execution of a signed Data Processing Agreement (or acceptance of the sub-processor’s standard DPA where it meets UK GDPR requirements).
- Periodic review of sub-processor compliance at least annually, or following any material change to the sub-processor’s services or terms.
5. Notification of Sub-processor Changes
We will provide clients with at least 30 days’ written notice prior to appointing a new sub-processor or making a material change to an existing sub-processor engagement. Notification will be issued by email to the primary compliance or data protection contact specified in the client’s DPA.
In addition, this page is updated whenever the sub-processor register changes. Clients are encouraged to subscribe to notifications or check this page periodically.
Where a change is required urgently for security or legal compliance reasons, we may appoint a new sub-processor immediately and provide notice as soon as reasonably practicable, subject to a maximum delay of 48 hours.
6. Contact
For queries relating to our sub-processors, data processing agreements, or to exercise your right to object to a sub-processor appointment, please contact our compliance function:
Email: compliance@coaleypeak.co.uk
Subject: Sub-processor Query
We aim to respond to all compliance queries within five working days.
7. Date of Last Review
This sub-processor register was last reviewed and updated on 28 March 2026. It is reviewed at least annually, and whenever a material change to our sub-processor arrangements occurs.