Sub-processors
About this page
When you upload documents to Docoply for analysis, we generally act as a processor under UK GDPR and use carefully vetted sub-processors to help deliver the service. This page lists those sub-processors and the essentials of their role, locations and safeguards.
Open-source libraries used within our own environment (e.g., parsers) are not “sub-processors” because they do not receive personal data as an external organisation.
A) Current sub-processors (processor role)
| Provider | Purpose | Categories of data | Location(s) | Transfer & safeguards | Data retention by provider | Notes |
|---|---|---|---|---|---|---|
| OpenAI, L.L.C. and affiliates | LLM inference to generate risk flags, summaries and suggestions. | Document text, snippets, prompts/parameters, minimal technical metadata. | United States (and other regions as operated by provider) | UK Addendum to SCCs / SCCs; contractual no-training on API data; technical and organisational measures. | Transient processing; limited logs per provider policy. | API use only; we disable training where available. |
| Google Cloud Platform (Google LLC) | Hosting/infrastructure for docoply.com (WordPress) and service operations. | Uploaded documents, generated outputs, operational logs. | UK/EEA (depending on deployment region) | SCCs/IDTA where applicable; encryption in transit; access controls. | Backups/log retention per our configuration. | We host on Google Cloud Compute Engine. |
| Google Cloud Storage / Compute Engine disk (Google LLC) | Temporary storage during parsing and report/SDS generation. | Uploaded documents and intermediate artefacts. | UK/EEA (depending on deployment region) | Short retention; encryption at rest where supported; SCCs/IDTA if outside UK/EEA. | Ephemeral; auto-deletion per our retention settings. | Used only for processing and delivery of outputs. |
| Transactional email (SMTP) — provider varies | Send transactional notices (e.g., payment or download links). | Recipient email, name, message metadata. | Varies by SMTP provider | TLS in transit; SCCs/IDTA where applicable. | Per provider policy. | If you configure a dedicated email provider, this entry should be updated accordingly. |
B) Other service providers (controller role)
These vendors support our website, accounts, billing, analytics and marketing when we act as an independent controller (see Privacy Policy). They are not our sub-processors for your uploaded documents but are listed here for transparency.
| Provider | Purpose | Categories of data | Location(s) | Transfer & safeguards | Notes |
|---|---|---|---|---|---|
| Stripe | Payments processing, invoicing, billing. | Payer details, payment method tokens, transaction data. | UK/EU/US (as applicable to Stripe service) | Stripe’s controller terms; SCCs/IDTA where relevant; PCI-DSS compliance. | Stripe typically acts as an independent controller for payments. |
| Google Analytics (GA4) | Product and website analytics (with consent). | Pseudonymous online identifiers, device/usage data. | Global | IP masking; Consent Mode; SCCs/IDTA where applicable. | Runs only with Analytics consent (see Cookie Policy). |
| Google Ads | Advertising/measurement (with consent). | Ad identifiers, conversion events, attribution data. | Global | Consent Mode; SCCs/IDTA where applicable. | Runs only with Ads consent. |
| Cloudflare | Performance and security (caching, WAF, DDoS mitigation). | IP addresses, request metadata. | Global | Standard contractual protections; regional routing where supported. | Used to improve performance and help protect against abuse and attacks. |
Change management & notifications
We provide reasonable advance notice (typically 30 days) for additions or replacements of sub-processors that may materially affect you, except where immediate use is necessary to maintain service continuity, comply with law, or address security/emergency needs. We will post updates on this page and may notify account admins by email or in-product notice.
You may object to a new sub-processor on reasonable grounds relating to data protection by emailing privacy@docoply.com. If we cannot reasonably accommodate your objection, you may terminate the affected service per our Terms/DPA.
Change log
| Date | Change | Details |
|---|---|---|
| 25 Aug 2025 | Initial publication | Listed OpenAI and placeholder infrastructure/storage/email; added controller-role providers (Stripe, GA4, Google Ads, CDN/WAF). |
Contact
Docoply — EDUCATIONAL WHITEBOARDS LIMITEDCompany number: 14554635
Registered office: Educational Whiteboards Limited, 124 City Road, London, England, EC1V 2NX
Email: privacy@docoply.com
Docoply
AI-powered legal document analysis for startups and growing businesses. Identify legal risks before they become costly problems.
© 2025 Docoply. All rights reserved. | Built for UK startups navigating complex compliance requirements.