This page lists the third parties we engage as processors to deliver our services. We use sub-processors to host our infrastructure, send transactional and marketing email, process payments, support customers, and analyse aggregated traffic. Each is contracted under a written Data Processing Agreement consistent with UK GDPR Art 28 and the EU GDPR equivalent.
1. Who this page is for
If you are an enterprise customer with a Data Processing Agreement in place with us, this page is your authoritative sub-processor inventory. If you are an individual customer or website visitor, this page tells you who handles your personal data when you use our services. The Privacy Policy at /legal-policies/privacy-policy/ describes what personal data we collect and why.
2. Definitions
A sub-processor is a third party engaged by The Spiritual Agency to process personal data on our behalf in the course of delivering a service to you. Processing means any operation performed on personal data, including storage, transmission, transformation, analysis, and deletion.
A processor is the party that processes personal data on instruction from a controller. A controller is the party that determines the purposes and means of the processing. We act as controller for our own customer and visitor data, and as processor where our enterprise customers engage us to handle their end-users’ data through our services.
3. Current sub-processors
The inventory below is current as of the last-updated date at the top of this page. For each sub-processor we list the legal entity name, the location of processing, the category of service, and the transfer mechanism where data leaves the United Kingdom.
3.1 Hosting and infrastructure
We operate across multiple hosting providers depending on the service. Each role is named here for clarity.
| Sub-processor | Country | Service | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Germany | Primary infrastructure: authentication server, internal Coolify-managed services | UK adequacy (Germany is in the EEA) |
| Incsub, LLC (trading as WPMU DEV) | United States | Managed WordPress hosting for client sites and active client-billing management through the WPMU DEV Hub. Customer personal data (client name, contact details, billing details, hosted-site usage data) is processed by WPMU DEV in the course of delivering the hosted-site service and the billing workflow | UK-US Data Bridge or ICO IDTA |
| Vultr Holdings, LLC | United States and global edge | Underlying hyperscaler infrastructure used by WPMU DEV for the hosted sites described above | UK-US Data Bridge or ICO IDTA |
| Hostbrr OÜ | Estonia (Frankfurt data centre) | Tertiary infrastructure: MCP server, the primary application server, n8n automation, staging environments, the community site at hub.spiritual.agency | UK adequacy (Estonia is in the EEA, processing in Germany) |
| Advin Servers | Germany (Nuremberg) | OpenLiteSpeed infrastructure for stack.spiritual.agency (microservices) | UK adequacy (Germany is in the EEA) |
| Cloudflare, Inc. | United States and global edge | DNS, content delivery network, security front-end. DNS is provided by Cloudflare for most sites; specific sites use QUIC.cloud DNS instead | UK-US Data Bridge (DPF UK Extension) |
We use xCloud (a server management platform operated by Startise) as a control-plane tool to administer the servers above. xCloud orchestrates the hosts but does not, in normal operation, store customer personal data itself; we list it here for transparency but do not classify it as a sub-processor.
Separate websites operated by The Spiritual Agency LLC may use additional hosting infrastructure in the United States. Those websites have their own sub-processor notice; this page covers The Spiritual Agency (UK) only.
3.2 Email delivery
| Sub-processor | Country | Service | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Ireland (with US sub-processing) | Transactional email (Amazon SES) | UK adequacy (Ireland) + UK-US Data Bridge for US infrastructure |
| Mailgun Technologies, Inc. | United States | Transactional email | UK-US Data Bridge or ICO IDTA |
| Sinch Email Sweden AB (Brevo) | Sweden | Transactional and marketing email | UK adequacy (Sweden is in the EEA) |
| Namecrane Ltd | United Kingdom | Domain email hosting | UK domestic, no transfer |
| Vbout, Inc. | United States | Marketing automation, list management | UK-US Data Bridge or ICO IDTA |
3.3 Payments
| Sub-processor | Country | Service | Transfer mechanism |
|---|---|---|---|
| Lemon Squeezy LLC | United States | Merchant of record, payment processing, tax | UK-US Data Bridge or ICO IDTA |
| Polar Software, Inc. | United States | Payment processing for select products | UK-US Data Bridge or ICO IDTA |
3.4 Analytics
| Sub-processor | Country | Service | Transfer mechanism |
|---|---|---|---|
| Google Ireland Limited | Ireland | Google Analytics 4, pseudonymised event data | UK adequacy (Ireland) |
| Rybbit Analytics | United Kingdom and EEA | Privacy-preserving analytics (currently being evaluated for production rollout) | UK adequacy or domestic |
3.5 Customer support and operations
| Sub-processor | Country | Service | Transfer mechanism |
|---|---|---|---|
| Anthropic, PBC | United States | AI assistance (Claude) for support drafting, content generation, and operational workflows. Customer personal data may be processed in this context | UK-US Data Bridge or ICO IDTA |
| FuseBase, Inc. | United States | Internal knowledge base and client portal hosting; customer-shared materials and project data are stored here for portal access | UK-US Data Bridge or ICO IDTA |
| Clientexec | United States | Hosting-business management platform at host.spiritwp.com: billing, account records, support tickets, product provisioning for hosting clients | UK-US Data Bridge or ICO IDTA |
We do not sell personal data to any sub-processor, and our agreements with sub-processors prohibit them from using personal data for any purpose other than delivering the contracted service.
4. International transfer mechanisms
Where personal data is transferred outside the United Kingdom to a country that has not received a UK adequacy decision, we put in place appropriate safeguards under UK GDPR Chapter V.
For US-based sub-processors certified under the EU-US Data Privacy Framework with the UK Extension (the UK-US Data Bridge, adopted September 2023), transfers rely on that adequacy mechanism.
For US-based sub-processors not certified under the Data Bridge, and for transfers to other third countries without UK adequacy, we rely on the International Data Transfer Agreement issued by the ICO, or the EU Standard Contractual Clauses supplemented by the UK International Data Transfer Addendum, alongside any supplementary technical and organisational measures required by the transfer risk assessment.
You can request a copy of the relevant transfer mechanism for a specific sub-processor by emailing privacy@spiritual.agency.
5. How we vet sub-processors
Before engaging a sub-processor we assess: their data protection and information security posture, their certifications (SOC 2, ISO 27001, equivalent), the location of processing, the legal regime that governs the processor in its jurisdiction, the contractual terms they offer (including Art 28 compliance), and the necessity of the engagement for the service we provide.
Where the assessment identifies elevated risk, we either decline the engagement, find an alternative provider, or accept the engagement with documented supplementary measures and an internal risk register entry.
6. Change notification
For enterprise customers under a Data Processing Agreement that includes prior-notice provisions, we notify in writing at least 30 days before adding or replacing a sub-processor, except where the change is urgent for security or continuity reasons. Customers may object to a proposed change in accordance with their DPA; if an objection cannot be resolved, the customer may terminate the affected service in accordance with the DPA’s termination provisions.
For all other customers and visitors, changes to this page are reflected by the last-updated date at the top. We recommend you subscribe to changes by emailing privacy@spiritual.agency with the request, or check this page periodically.
7. Removed sub-processors
We maintain an internal record of sub-processors we have engaged and subsequently removed, available on request to enterprise customers under DPA. This page reflects the current inventory only; historical entries are pruned at major version bumps.
8. Contact
Questions about this page or about a specific sub-processor: privacy@spiritual.agency.
