Sub-processors
Last updated: 5 June 2026
SummitBridge Horizon Ltd | Companies House: 16419201
The following third-party sub-processors are authorised to process personal data on behalf of SummitBridge Horizon Ltd in connection with our services. Each sub-processor is bound by a Data Processing Agreement with obligations no less protective than those described in our DPA.
We will notify customers at least 30 days before adding or replacing a sub-processor. To subscribe to sub-processor change notifications, email [email protected].
AI / LLM Sub-processors
| Sub-processor | Purpose | Location | Customer Data | DPA | Safeguard |
|---|---|---|---|---|---|
| Anthropic, PBC GPAI provider (EU AI Act Art. 53+) — SummitBridge downstream deployer of foundation model | Claude LLM API — assessment generation, chat advisor, content drafts (customer data anonymised before transmission) | United States | Limited | Signed | EU SCCs + UK IDTA + DPA signed + zero-retention API tier (no training on customer data) |
| Tavily AI, Inc. Search provider — not a GPAI; out of scope for AI Act provider obligations | Web search API — fact-checking and regulatory research (no customer PII transmitted) | United States | No PII | Signed | EU SCCs + UK IDTA + DPA signed + search queries do not contain customer PII |
| AssemblyAI, Inc. AI provider (limited-risk per EU AI Act Art. 50 — biometric-categorisation note for voice) | Speech-to-text transcription (where customer opts into voice features) | United States | Yes | Signed | EU SCCs + DPA signed + audio deleted post-processing + customer opt-in required |
| Affinda Pty Ltd EU AI Act Annex III (recruitment) high-risk relevance — Customer is deployer; SummitBridge facilitates | CV/document parsing — used in HR/recruitment features (HumanBaseIQ) with customer authorisation | Australia / EU (eu1.affinda.com region) | Yes | Signed | EU region selected + DPA signed + GDPR Art. 28 compliant — documents deleted within 30 days |
| OpenAI, LLC GPAI provider (EU AI Act Art. 53+) — SummitBridge downstream deployer | GPT models — embeddings fallback, occasional non-default inference (zero-retention enterprise tier configured) | United States | Limited | Signed | EU SCCs + DPA + Zero-Data-Retention enterprise tier (no training on customer data) + customer data anonymised before transmission |
| Voyage AI / Sage Future Inc. Embedding provider — not a GPAI; out of scope for Art. 50 transparency obligations | Text embeddings for semantic memory + similarity search — public/marketing content + operator memory only; NOT used for customer-supplied data | United States | No PII | In place | EU SCCs + DPA + scope limited to non-customer data (operator memory + public content) by design |
| Google LLC (Gemini) GPAI provider (EU AI Act Art. 53+) — SummitBridge downstream deployer of foundation model | Gemini models — used by selected SBH internal agents for classification + summarisation tasks (model selection rotated per task; not the default inference path) | United States / global | Limited | Signed | EU SCCs + DPA + customer data anonymised before transmission + Google Workspace data-processing terms |
| Deepgram Inc. AI provider (Article 50 voice disclosure — biometric-categorisation note when voice traits processed) | Speech-to-text — meetlens product line (real-time meeting transcription); processes meeting audio only when customer enables voice/video features | United States | Yes | Signed | EU SCCs + DPA + audio transcribed and discarded post-processing + customer opt-in required + zero-training tier |
| DeepL SE AI provider — translation falls outside Annex III categories; minimal-risk under EU AI Act | Machine translation — meetlens product line (real-time meeting translation EN↔TR↔DE↔others); only customer text strings transmitted, no audio | Germany (EU) — primary servers in Cologne, DE | Yes | Signed | GDPR Art. 28 DPA + EU data residency + DeepL Pro enterprise privacy terms (no training on customer data) |
Infrastructure
| Sub-processor | Purpose | Location | Customer Data | DPA | Safeguard |
|---|---|---|---|---|---|
| Hostinger International Ltd | VPS infrastructure — platform, agent system, database hosting (primary processing) | Frankfurt, Germany (EU) | Yes | Signed | GDPR Art. 28 DPA + EU data residency + ISO 27001 certified data centre |
| Cloudflare, Inc. | CDN, DNS, DDoS protection, WAF, edge caching | Global (EU + UK edge preferred) | Limited | Signed | UK IDTA + EU SCCs + ISO 27001 + SOC 2 Type II |
Payment & Financial
| Sub-processor | Purpose | Location | Customer Data | DPA | Safeguard |
|---|---|---|---|---|---|
| Stripe Payments Europe Ltd | Payment processing + subscription billing | Ireland (EU) / United States | Limited | Signed | PCI-DSS Level 1 + EU SCCs + DPA signed + customer card data tokenised at Stripe (not on SummitBridge servers) |
| Wise Business (Wise Payments Ltd) | Multi-currency banking (GBP/USD/EUR invoicing and customer receipts) | United Kingdom / Belgium | Limited | In place | FCA regulated (UK) + ECB authorised (EU) + ISO 27001 |
Email & Communication
| Sub-processor | Purpose | Location | Customer Data | DPA | Safeguard |
|---|---|---|---|---|---|
| Resend, Inc. | Transactional + marketing email delivery (TurkTicaret MX for inbound, Resend for outbound) | United States | Limited | Signed | EU SCCs + DPA signed + opt-in required for marketing |
| TurkTicaret.net Bilişim A.Ş. | Inbound email hosting (canonical mailboxes — privacy@, contact@, etc.) | Turkey | Limited | In place | Local-region hosting + access control to authorised personnel only |
Public-data Lookup APIs
| Sub-processor | Purpose | Location | Customer Data | DPA | Safeguard |
|---|---|---|---|---|---|
| Companies House (UK Gov) | UK company registry lookup — AML / KYC / supplier risk checks | United Kingdom | No PII | N/A | Public-records API; no customer PII transmitted |
| Leak-Lookup | Breach exposure lookup — email/domain checks for compromise | United States | Limited | In place | Hashed queries where supported; opt-in customer feature; no raw PII stored at provider |
| HMRC Making Tax Digital API | UK VAT submission (where Customer enables MTD integration) | United Kingdom | Limited | N/A | UK Gov OAuth + customer-authorised access only |
| IPinfo.io | IP geolocation for fraud-risk scoring and region inference | United States | Limited | In place | EU SCCs + IP addresses only (no behavioural profiling) |
| exchangerate.host | Daily FX rates for multi-currency invoicing | European Union | No PII | N/A | Public API + no customer data transmitted |
Internal Operations
| Sub-processor | Purpose | Location | Customer Data | DPA | Safeguard |
|---|---|---|---|---|---|
| Buffer Inc. | Social media post scheduling (LinkedIn) — used for SBH marketing/outreach only; no customer PII | United States | No PII | In place | No customer PII transmitted — used solely for SBH-authored marketing content; OAuth-scoped LinkedIn integration |
| Telegram Messenger Inc. | Director-only operational alerts (system health, incident notifications) — INTERNAL USE ONLY | United Arab Emirates | No PII | N/A | No customer data transmitted; sole purpose is operator-side ops notifications |
| GitHub, Inc. | Source-code version control (no customer data in repositories) | United States | No PII | Signed | EU SCCs + DPA signed + private repositories + branch protection + no customer data in source control |
EU AI Act & DORA Context
SummitBridge's primary AI sub-processor (Anthropic / Claude) is a General-Purpose AI (GPAI) provider under EU AI Act Article 53+. SummitBridge operates as a downstream deployer; we publish per-product AI Act risk classifications at /trust.
Customers regulated under the Digital Operational Resilience Act (DORA, EU 2022/2554)may request the DORA Addendum to our Master Services Agreement, covering Articles 28–30 mandatory provisions (incident notification timelines, audit rights, exit strategy, sub-contracting chain). Contact [email protected].
Transfer Mechanisms
For international data transfers, we rely on the following mechanisms:
- UK IDTA — UK International Data Transfer Agreement for transfers from the United Kingdom
- EU SCCs — EU Standard Contractual Clauses for transfers from the European Economic Area
- Data anonymisation — where feasible, personal data is anonymised before transfer (e.g., Anthropic AI queries contain no personal identifiers)
- PCI-DSS — Payment Card Industry Data Security Standard for payment data (Stripe)
Objection Process
If you object to a new sub-processor on reasonable data protection grounds, you may notify us within 30 days of receiving our change notification. We will work with you in good faith to resolve any concerns. If we cannot reach a resolution, you may terminate the affected services without penalty as described in our Data Processing Agreement.