Data Residency & Subprocessors
This page describes where ThirdSectorIntel.ai stores and processes data, and which third parties act as subprocessors on our behalf. It is intended to pre-answer the data-protection and security questions UK charity-sector buyers ask during procurement. A signed copy with effective dates is available under NDA — contact [email protected].
1. Primary data residency
All customer data — user accounts, session state, CRM records synced from Loxo, saved searches, shortlists, exports, and audit logs — is stored at rest in the United Kingdom.
| Data category | Location at rest |
|---|---|
| Application database (SQLite, primary) | AWS Lightsail, eu-west-2 (London) |
| Analytical data store (DuckDB / Parquet) | AWS Lightsail, eu-west-2 (London) |
| Object storage (Parquet bundles, backups) | AWS Lightsail Object Storage, eu-west-2 (London) |
| Customer CRM sync (Loxo records) | AWS Lightsail, eu-west-2 (London) |
| Session cookies / identity tokens | Customer browser + UK-region server memory |
| Application logs | AWS Lightsail, eu-west-2 (London) |
Encryption in transit is TLS 1.2+ everywhere. Encryption at rest is provided by AWS block-storage encryption (AES-256) on the underlying Lightsail volumes.
2. International transfers
Two categories of subprocessor process data outside the UK:
- AI model providers (US) — prompts and the immediate context required to answer them are sent to large-language-model APIs for enrichment of public charity-sector data and for user-facing natural-language search.
- Public-data / enrichment APIs (US, EU) — for sector signals (news, regulatory, sanctions, government datasets).
All transfers outside the UK rely on UK adequacy regulations where available, or on the International Data Transfer Agreement (IDTA) / EU Standard Contractual Clauses together with the UK Addendum and any supplementary measures required after the Schrems II decision. We do not transfer customer CRM records, candidate records, or identity data to AI model providers.
3. Subprocessor list
The tables below name every third party that processes personal data on our behalf, the purpose, and the location of processing. We notify customers under contract of any material change before a new subprocessor goes live.
3.1 Infrastructure & identity
| Subprocessor | Purpose | Region |
|---|---|---|
| Amazon Web Services (Lightsail, S3-compatible object storage) | Application hosting, primary database, backups | UK (eu-west-2, London) |
| Cloudflare | DNS, CDN, DDoS protection, WAF | Global edge; UK ingress |
| Google (OAuth 2.0) | Sign-in identity provider | US / EU |
| Google Workspace (Gmail API, Drive API) | Customer-authorised mailbox and document ingest | US / EU |
3.2 AI model providers
We use third-party large-language-model APIs to enrich public charity-sector data (annual reports, news, public profiles) and to power natural-language search inside the product. The provider in active use today is Anthropic; OpenAI and Google AI are listed below as named alternates so we can route to whichever model is best-suited to a given task without a separate disclosure cycle. Adding any provider not listed here triggers customer notice under contract.
| Subprocessor | Status | Purpose | Region | Data sent |
|---|---|---|---|---|
| Anthropic (Claude) | In use | Document enrichment, summarisation, natural-language search | US (no-training API terms) | Public charity data + the user's query text |
| OpenAI (GPT) | Named alternate | Same as above; fallback / task-specific routing | US (no-training API terms) | Public charity data + the user's query text |
| Google AI (Gemini, via Google Cloud / Vertex) | Named alternate | Same as above; long-context tasks | US / EU (Vertex AI region pinning where available) | Public charity data + the user's query text |
For every AI provider in active use we operate under their no-training API terms — prompts and completions are not used to train their models. Provider-side retention follows each vendor's standard API terms. We do not send customer CRM records, candidate identity data, or any data marked private in your Loxo sync to any AI provider. Enterprise customers may, by contract, pin processing to a single named provider.
3.3 Data sources & enrichment
| Subprocessor | Purpose | Region |
|---|---|---|
| Charity Commission for England and Wales | Public charity register, accounts, trustee data | UK |
| OSCR (Scotland) · CCNI (Northern Ireland) | Public charity registers | UK |
| Companies House | Public company register, accounts, officers | UK |
| NewsAPI | News aggregation for sector signals | EU |
| Derrick | B2B contact enrichment for public professional profiles | EU / US |
| Loxo | Customer-authorised CRM sync — data flows in from the customer's tenancy at their direction | US |
4. Backups, retention, and deletion
- Backups — daily snapshots of the primary database and object storage, retained 30 days, stored in the same UK region as production.
- Logs — application and access logs retained 90 days.
- Account deletion — on customer request or contract termination, we delete or return customer data within 30 days. AI provider-side retention follows each vendor's published API terms.
- Data subject requests — subject access, rectification, and erasure requests are handled within the statutory 30-day window. See our Privacy Policy for the process.
5. Changes to this page
Material changes — a new subprocessor, a change of processing region, or a change in the categories of data sent to an AI provider — are notified to customers under contract at least 30 days before they take effect. The “Last updated” date at the top of this page reflects any non-material change (clarifications, typo fixes, links).
6. Contact
For data-protection questions, security review, or a signed copy of this statement under NDA: [email protected]. See also our Privacy Policy and Data Processing Agreement.