Sub-processors
About this page
When you upload documents to Docoply for analysis, we generally act as a processor under UK GDPR and use carefully vetted sub-processors to help deliver the service. This page lists those sub-processors and the essentials of their role, locations and safeguards.
Open-source libraries used within our own environment (e.g., parsers) are not “sub-processors” because they do not receive personal data as an external organisation.
A) Current sub-processors (processor role)
| Provider | Purpose | Categories of data | Location(s) | Transfer & safeguards | Data retention by provider | Notes |
|---|---|---|---|---|---|---|
| OpenAI, L.L.C. and affiliates | LLM inference to generate risk flags, summaries and suggestions. | Document text, snippets, prompts/parameters, minimal technical metadata. | United States (and other regions as operated by provider) | UK Addendum to SCCs / SCCs; contractual no-training on API data; technical and organisational measures. | Transient processing; limited logs per provider policy. | API use only; we disable training where available. |
| [Cloud hosting / infrastructure] | Hosting of application and temporary processing/storage for analysis. | Uploaded documents, generated outputs, operational logs. | [UK/EU region(s)] | UK/EU data residency or SCCs/IDTA where applicable; encryption in transit; access controls. | [e.g., backups 30 days; logs 90–180 days] | Replace with your actual provider (e.g., AWS, GCP, Azure, DigitalOcean). |
| [Object storage / file processing] | Temporary object storage during parsing and report generation. | Uploaded documents and intermediate artifacts. | [UK/EU region(s)] | Data minimisation; short retention; SCCs/IDTA if outside UK/EEA. | Ephemeral; auto-deletion within [72h] by default. | Align with your retention defaults in the Privacy Policy. |
| [Email delivery (transactional)] | Send system notices (e.g., report ready) to your users. | Recipient email, name, message metadata. | [EU/US] | SCCs/IDTA if outside UK/EEA; TLS in transit. | Provider log retention per service policy (e.g., 30 days). | Replace with your provider (e.g., Postmark, SendGrid, SES) or remove if not used. |
B) Other service providers (controller role)
These vendors support our website, accounts, billing, analytics and marketing when we act as an independent controller (see Privacy Policy). They are not our sub-processors for your uploaded documents but are listed here for transparency.
| Provider | Purpose | Categories of data | Location(s) | Transfer & safeguards | Notes |
|---|---|---|---|---|---|
| Stripe | Payments processing, invoicing, billing. | Payer details, payment method tokens, transaction data. | UK/EU/US (as applicable to Stripe service) | Stripe’s controller terms; SCCs/IDTA where relevant; PCI-DSS compliance. | Stripe typically acts as an independent controller for payments. |
| Google Analytics (GA4) | Product and website analytics (with consent). | Pseudonymous online identifiers, device/usage data. | Global | IP masking; Consent Mode; SCCs/IDTA where applicable. | Runs only with Analytics consent (see Cookie Policy). |
| Google Ads | Advertising/measurement (with consent). | Ad identifiers, conversion events, attribution data. | Global | Consent Mode; SCCs/IDTA where applicable. | Runs only with Ads consent. |
| [CDN / WAF] | Performance and security (caching, DDoS mitigation). | IP addresses, request metadata. | [Global] | Standard contractual protections; regional routing where supported. | Replace with your provider (e.g., Cloudflare) if used. |
Change management & notifications
We provide reasonable advance notice (typically 30 days) for additions or replacements of sub-processors that may materially affect you, except where immediate use is necessary to maintain service continuity, comply with law, or address security/emergency needs. We will post updates on this page and may notify account admins by email or in-product notice.
You may object to a new sub-processor on reasonable grounds relating to data protection by emailing privacy@docoply.com. If we cannot reasonably accommodate your objection, you may terminate the affected service per our Terms/DPA.
Change log
| Date | Change | Details |
|---|---|---|
| 25 Aug 2025 | Initial publication | Listed OpenAI and placeholder infrastructure/storage/email; added controller-role providers (Stripe, GA4, Google Ads, CDN/WAF). |
Contact
Docoply — EDUCATIONAL WHITEBOARDS LIMITEDCompany number: 14554635
Registered office: Educational Whiteboards Limited, 124 City Road, London, England, EC1V 2NX
Email: privacy@docoply.com
Docoply
AI-powered legal document analysis for startups and growing businesses. Identify legal risks before they become costly problems.
© 2025 Docoply. All rights reserved. | Built for UK startups navigating complex compliance requirements.