Skip to main content

Sub-processors

Last updated: 5 June 2026

SummitBridge Horizon Ltd | Companies House: 16419201

The following third-party sub-processors are authorised to process personal data on behalf of SummitBridge Horizon Ltd in connection with our services. Each sub-processor is bound by a Data Processing Agreement with obligations no less protective than those described in our DPA.

We will notify customers at least 30 days before adding or replacing a sub-processor. To subscribe to sub-processor change notifications, email [email protected].

AI / LLM Sub-processors

Sub-processorPurposeLocationCustomer DataDPASafeguard
Anthropic, PBC
GPAI provider (EU AI Act Art. 53+) — SummitBridge downstream deployer of foundation model
Claude LLM API — assessment generation, chat advisor, content drafts (customer data anonymised before transmission)United StatesLimitedSignedEU SCCs + UK IDTA + DPA signed + zero-retention API tier (no training on customer data)
Tavily AI, Inc.
Search provider — not a GPAI; out of scope for AI Act provider obligations
Web search API — fact-checking and regulatory research (no customer PII transmitted)United StatesNo PIISignedEU SCCs + UK IDTA + DPA signed + search queries do not contain customer PII
AssemblyAI, Inc.
AI provider (limited-risk per EU AI Act Art. 50 — biometric-categorisation note for voice)
Speech-to-text transcription (where customer opts into voice features)United StatesYesSignedEU SCCs + DPA signed + audio deleted post-processing + customer opt-in required
Affinda Pty Ltd
EU AI Act Annex III (recruitment) high-risk relevance — Customer is deployer; SummitBridge facilitates
CV/document parsing — used in HR/recruitment features (HumanBaseIQ) with customer authorisationAustralia / EU (eu1.affinda.com region)YesSignedEU region selected + DPA signed + GDPR Art. 28 compliant — documents deleted within 30 days
OpenAI, LLC
GPAI provider (EU AI Act Art. 53+) — SummitBridge downstream deployer
GPT models — embeddings fallback, occasional non-default inference (zero-retention enterprise tier configured)United StatesLimitedSignedEU SCCs + DPA + Zero-Data-Retention enterprise tier (no training on customer data) + customer data anonymised before transmission
Voyage AI / Sage Future Inc.
Embedding provider — not a GPAI; out of scope for Art. 50 transparency obligations
Text embeddings for semantic memory + similarity search — public/marketing content + operator memory only; NOT used for customer-supplied dataUnited StatesNo PIIIn placeEU SCCs + DPA + scope limited to non-customer data (operator memory + public content) by design
Google LLC (Gemini)
GPAI provider (EU AI Act Art. 53+) — SummitBridge downstream deployer of foundation model
Gemini models — used by selected SBH internal agents for classification + summarisation tasks (model selection rotated per task; not the default inference path)United States / globalLimitedSignedEU SCCs + DPA + customer data anonymised before transmission + Google Workspace data-processing terms
Deepgram Inc.
AI provider (Article 50 voice disclosure — biometric-categorisation note when voice traits processed)
Speech-to-text — meetlens product line (real-time meeting transcription); processes meeting audio only when customer enables voice/video featuresUnited StatesYesSignedEU SCCs + DPA + audio transcribed and discarded post-processing + customer opt-in required + zero-training tier
DeepL SE
AI provider — translation falls outside Annex III categories; minimal-risk under EU AI Act
Machine translation — meetlens product line (real-time meeting translation EN↔TR↔DE↔others); only customer text strings transmitted, no audioGermany (EU) — primary servers in Cologne, DEYesSignedGDPR Art. 28 DPA + EU data residency + DeepL Pro enterprise privacy terms (no training on customer data)

Infrastructure

Sub-processorPurposeLocationCustomer DataDPASafeguard
Hostinger International LtdVPS infrastructure — platform, agent system, database hosting (primary processing)Frankfurt, Germany (EU)YesSignedGDPR Art. 28 DPA + EU data residency + ISO 27001 certified data centre
Cloudflare, Inc.CDN, DNS, DDoS protection, WAF, edge cachingGlobal (EU + UK edge preferred)LimitedSignedUK IDTA + EU SCCs + ISO 27001 + SOC 2 Type II

Payment & Financial

Sub-processorPurposeLocationCustomer DataDPASafeguard
Stripe Payments Europe LtdPayment processing + subscription billingIreland (EU) / United StatesLimitedSignedPCI-DSS Level 1 + EU SCCs + DPA signed + customer card data tokenised at Stripe (not on SummitBridge servers)
Wise Business (Wise Payments Ltd)Multi-currency banking (GBP/USD/EUR invoicing and customer receipts)United Kingdom / BelgiumLimitedIn placeFCA regulated (UK) + ECB authorised (EU) + ISO 27001

Email & Communication

Sub-processorPurposeLocationCustomer DataDPASafeguard
Resend, Inc.Transactional + marketing email delivery (TurkTicaret MX for inbound, Resend for outbound)United StatesLimitedSignedEU SCCs + DPA signed + opt-in required for marketing
TurkTicaret.net Bilişim A.Ş.Inbound email hosting (canonical mailboxes — privacy@, contact@, etc.)TurkeyLimitedIn placeLocal-region hosting + access control to authorised personnel only

Public-data Lookup APIs

Sub-processorPurposeLocationCustomer DataDPASafeguard
Companies House (UK Gov)UK company registry lookup — AML / KYC / supplier risk checksUnited KingdomNo PIIN/APublic-records API; no customer PII transmitted
Leak-LookupBreach exposure lookup — email/domain checks for compromiseUnited StatesLimitedIn placeHashed queries where supported; opt-in customer feature; no raw PII stored at provider
HMRC Making Tax Digital APIUK VAT submission (where Customer enables MTD integration)United KingdomLimitedN/AUK Gov OAuth + customer-authorised access only
IPinfo.ioIP geolocation for fraud-risk scoring and region inferenceUnited StatesLimitedIn placeEU SCCs + IP addresses only (no behavioural profiling)
exchangerate.hostDaily FX rates for multi-currency invoicingEuropean UnionNo PIIN/APublic API + no customer data transmitted

Internal Operations

Sub-processorPurposeLocationCustomer DataDPASafeguard
Buffer Inc.Social media post scheduling (LinkedIn) — used for SBH marketing/outreach only; no customer PIIUnited StatesNo PIIIn placeNo customer PII transmitted — used solely for SBH-authored marketing content; OAuth-scoped LinkedIn integration
Telegram Messenger Inc.Director-only operational alerts (system health, incident notifications) — INTERNAL USE ONLYUnited Arab EmiratesNo PIIN/ANo customer data transmitted; sole purpose is operator-side ops notifications
GitHub, Inc.Source-code version control (no customer data in repositories)United StatesNo PIISignedEU SCCs + DPA signed + private repositories + branch protection + no customer data in source control

EU AI Act & DORA Context

SummitBridge's primary AI sub-processor (Anthropic / Claude) is a General-Purpose AI (GPAI) provider under EU AI Act Article 53+. SummitBridge operates as a downstream deployer; we publish per-product AI Act risk classifications at /trust.

Customers regulated under the Digital Operational Resilience Act (DORA, EU 2022/2554)may request the DORA Addendum to our Master Services Agreement, covering Articles 28–30 mandatory provisions (incident notification timelines, audit rights, exit strategy, sub-contracting chain). Contact [email protected].

Transfer Mechanisms

For international data transfers, we rely on the following mechanisms:

  • UK IDTA — UK International Data Transfer Agreement for transfers from the United Kingdom
  • EU SCCs — EU Standard Contractual Clauses for transfers from the European Economic Area
  • Data anonymisation — where feasible, personal data is anonymised before transfer (e.g., Anthropic AI queries contain no personal identifiers)
  • PCI-DSS — Payment Card Industry Data Security Standard for payment data (Stripe)

Objection Process

If you object to a new sub-processor on reasonable data protection grounds, you may notify us within 30 days of receiving our change notification. We will work with you in good faith to resolve any concerns. If we cannot reach a resolution, you may terminate the affected services without penalty as described in our Data Processing Agreement.

Related Documents