Sub-processors

Last updated: 19 June 2026

This Sub-processors List is published by [Whealbit Ltd OR sole trader - confirm legal entity & status] trading as WagePilot ("WagePilot", "we", "us"). It forms part of, and is incorporated by reference into, the Data Processing Agreement at /legal/dpa (the "DPA"), as that DPA and this list are in force from time to time, agreed between WagePilot (acting as processor) and each business customer (acting as controller of its staff personal data). It should be read together with our Privacy Policy, Terms of Service, Cookie Policy and Security page. Capitalised terms used but not defined here have the meaning given in the DPA; where a term is not defined in the DPA, it has the meaning given in the UK GDPR.

1. What a sub-processor is

A "sub-processor" is a third party engaged by WagePilot to process personal data on our behalf in the course of providing the WagePilot service to you, where that processing is carried out under our instructions and on behalf of you as controller. Under Article 28 of the UK GDPR we may only engage a sub-processor with your authorisation, and we must impose on each sub-processor, by written contract, data-protection obligations equivalent to those that apply to us under the DPA.

In accordance with Article 28(4) of the UK GDPR, where a sub-processor fails to fulfil its data-protection obligations we remain liable to you for the performance of that sub-processor's obligations. That liability applies to the same extent as, and is subject to the limitations and exclusions of liability set out in, the DPA and the Terms of Service; nothing in this list creates any liability beyond, or outside the caps and exclusions of, those documents, and nothing in this list excludes or limits any liability that cannot lawfully be excluded or limited.

This list does not include third parties that act as independent controllers in their own right (rather than as our sub-processors). Where a supplier acts as an independent controller for a defined set of data, that is noted in the table below and, for that data, the supplier's own terms and privacy notice apply.

2. Your authorisation of these sub-processors

By entering into the DPA, you give your general written authorisation to our use of the sub-processors listed in the table below to process personal data for the purposes described, on the basis of this list as in force at the time you enter into the DPA and as subsequently changed under sections 5 and 6. This authorisation is subject to the conditions in Articles 28(2) and 28(4) of the UK GDPR and to the notice and objection process set out in sections 5 and 6 below and in the DPA.

We engage each sub-processor under a written contract intended to impose the obligations required by Article 28(3) of the UK GDPR, including obligations of confidentiality, technical and organisational security measures appropriate to the risk under Article 32, and assistance with data-subject rights and personal-data-breach notification. Where a sub-processor carries out any processing in a country that is not covered by UK adequacy regulations, that processing is intended to be covered by an appropriate Article 46 transfer safeguard (for example the ICO International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the ICO UK Addendum), supported by a transfer risk assessment. The current contractual and transfer status for each sub-processor is recorded in the "Safeguards" column below; where a cell shows a bracketed placeholder, that item has not yet been confirmed and must be completed before this list is published or relied on.

3. Current sub-processors

The following third parties are engaged, or are intended to be engaged, by WagePilot as sub-processors. We will keep this list current and will update it before adding or replacing a sub-processor, in accordance with section 5. Supplier legal entity names are stated for identification only and [supplier legal entity names - verify against each supplier's current DPA at publication, as contracting entities change].

| Sub-processor | Purpose / processing | Personal data involved | Location / region | Safeguards |
| --- | --- | --- | --- | --- |
| Supabase (Supabase, Inc.) | Primary application database (PostgreSQL), user authentication, and file storage (including any kiosk clock-event photos and CSV/export files). This is where the core service data is held and processed. | Account-holder name and email; business/organisation details; staff names and contact details; pay rates; rota and shift data; holiday and leave records (which may include free-text leave reasons that reveal health, that is, special-category data under Article 9); timesheets; clock-in/out location captured only at the clock event; optional kiosk clock-event photos; device and usage logs. | [Supabase processing region - confirm; intended to be a UK/EU region with no non-adequate failover] | [Supabase - confirm a signed Article 28(3) DPA is executed, the pinned region, and, for any restricted transfer, an IDTA or EU SCCs + UK Addendum and a transfer risk assessment] This is the row holding the highest-sensitivity data; heightened technical and organisational measures (access controls, encryption in transit and at rest, UK/EU residency) are intended to apply per the DPA TOMs schedule. |
| Vercel (Vercel, Inc.) | Hosting of the WagePilot web application and execution of serverless functions (including API endpoints for onboarding, billing and email), together with associated request, application and infrastructure logs. | Data submitted to or returned by the application during use, including account and staff data passing through requests; technical and usage data such as IP address, device/browser information, and application and access logs. | [Vercel processing region - confirm; US processing or support/backup is likely] | [Vercel - confirm a signed Article 28(3) DPA is executed and, for any processing, support or backup outside the UK/EEA (for example in the US), an IDTA or EU SCCs + UK Addendum and a transfer risk assessment] |
| Stripe (Stripe Payments UK, Ltd. and/or Stripe, Inc.) | Subscription billing and payment processing for paid plans, including handling of card details entered at checkout. WagePilot does not receive or store full payment card numbers; card data is captured and held directly by Stripe, which states that it operates to PCI-DSS Level 1 [PCI-DSS Level 1 - confirm against Stripe's current attestation]. | Account-holder name and email; billing contact details; subscription, plan and transaction records and identifiers. Full payment card data is processed by Stripe and is not received by WagePilot. | [Stripe processing region and contracting entity - confirm; UK customers typically contract with Stripe Payments UK, Ltd.] | [Stripe - confirm the contracting entity, the processing region, and, for any sub-processed data and restricted transfers, a signed DPA plus an IDTA or EU SCCs + UK Addendum and a transfer risk assessment] Stripe contracts on the basis that it acts as an independent controller (not our sub-processor) for the card and payment data it determines how to process, and Stripe's own terms and privacy notice apply to that data. We do not seek to disclaim responsibility for billing-data flows that we ourselves control. This characterisation is to be confirmed against Stripe's current DPA and aligned across our Privacy Policy and the DPA. |
| Resend (Resend, Inc.) | Delivery of transactional and service emails, such as account verification, employee login/credential emails, password resets, and billing and service notifications. | Recipient name and email address; email subject and message content (which may include a login link, set-up instructions, or a temporary credential); delivery metadata such as send, bounce and delivery status. | [Resend processing region - confirm; US processing is likely] | [Resend - confirm a signed Article 28(3) DPA is executed and, for any processing outside the UK/EEA, an IDTA or EU SCCs + UK Addendum and a transfer risk assessment] |
| Cloudflare (Cloudflare, Inc.) | Bot and abuse protection (Cloudflare Turnstile CAPTCHA) on authentication flows, including sign-in, the staff join/redeem flow and password reset, to protect accounts and the Service against automated abuse. | End-user IP address; browser and device challenge signals; the Turnstile challenge token. No staff timesheet, pay, leave or location data is sent to this service. | [Cloudflare processing region - confirm; processing is likely to occur on global/US infrastructure] | [Cloudflare - confirm a signed Cloudflare DPA is executed and, for any processing outside the UK/EEA, an IDTA or EU SCCs + UK Addendum and a transfer risk assessment] Cloudflare Turnstile must also be disclosed in our Privacy Policy and Cookie Policy. |
| Plausible (Plausible Insights OU) [confirm Plausible is engaged and its contracting entity] | Privacy-focused, aggregated website analytics on the WagePilot marketing site (loaded only where analytics is enabled and any required consent is given), to understand which pages are useful. Used in respect of marketing-site visitors, for whom WagePilot acts as controller rather than as a processor of customer staff data. | Aggregated usage and page-view data; IP address used transiently for visitor de-duplication and not stored as a persistent identifier. | [Plausible hosting region - confirm; Plausible offers EU hosting] | [Plausible - confirm whether engaged at all, the hosting region, and a signed DPA; if engaged only in WagePilot's own controller capacity for marketing-site visitors, confirm that scope] Plausible must also be named in our Cookie Policy. |

The descriptions above are provided to help you meet your own transparency and record-keeping obligations as controller. They do not vary the allocation of roles set out in the DPA. You remain the controller of your staff personal data and are responsible for your own privacy notices to your workers; WagePilot does not discharge that duty on your behalf.

Special-category and free-text data. The leave-reason field is free text. As controller, you are responsible for ensuring you have a lawful basis, including an Article 9(2) condition (for example the employment condition in Schedule 1 to the Data Protection Act 2018) and, where required, an appropriate policy document, before entering special-category data such as health information, and for instructing your workers accordingly. We process such data only on your documented instructions and apply our standard technical and organisational measures, with heightened measures for the Supabase row as noted above. We recommend using structured leave types rather than free text wherever possible, to support data minimisation under Article 5(1)(c).

No compliance guarantee. WagePilot is a record-keeping and calculation tool only. We do not provide legal, tax, payroll or employment-law advice, and we do not warrant that use of the Service ensures compliance with the National Minimum Wage or National Living Wage, the Working Time Regulations, holiday-pay rules or any other legal obligation; National Minimum Wage and similar checks are provided as guidance only. You remain solely responsible for verifying that pay, hours and leave outcomes meet applicable law. The substantive version of this carve-out is set out in the Terms of Service.

4. Retention

We retain personal data only for as long as needed to provide the Service and to meet legal and contractual obligations. In outline, and subject to the detail in the DPA and our Privacy Policy:

  • Core service data held in Supabase (account, staff, rota, timesheet, leave and clock data) is retained for the life of your account and for any period you are required to keep it, then deleted or anonymised. Statutory minimums you may need to observe include National Minimum Wage records for [6 years - confirm], PAYE records for [3 years - confirm] and Working Time Regulations records for [2 years - confirm]; you, as controller, set the applicable retention rule.
  • Kiosk clock-event photos are retained according to the configurable product retention setting [confirm default retention period and that the purge job runs], then purged.
  • Operational logs (for example Vercel request/infrastructure logs and Resend email delivery logs) and backups are retained for limited periods [confirm log and backup retention periods per supplier], then deleted or overwritten.

5. International transfers

We aim to keep staff and account personal data stored and processed within the UK or another country covered by UK adequacy regulations (which currently includes the EEA). Where a sub-processor carries out any restricted transfer to a country that is not covered by UK adequacy regulations, we rely on a valid Article 46 transfer mechanism (such as the ICO IDTA, or the EU Standard Contractual Clauses together with the ICO UK Addendum), supported by a documented transfer risk assessment. The specific mechanism relied on for each sub-processor is recorded in the "Safeguards" column above and, where it remains a placeholder, has not yet been confirmed. We have re-verified, and will continue to keep under review, our transfer and adequacy positions under the Data (Use and Access) Act 2025 (including its amendments to the UK GDPR), as in force [confirm the position has been re-verified under the DUAA as in force]. The transfer position for each sub-processor must also be reflected in our Privacy Policy, which is to be updated to name all sub-processors and the mechanisms relied on so that the documents are consistent.

6. How we notify you of changes to sub-processors

We may add a new sub-processor, or replace an existing one, from time to time as the service evolves. Before a new or replacement sub-processor begins processing personal data on our behalf, we will:

  • update this page to reflect the addition or change and update the "last updated" date in section 9; and
  • provide advance notice to customers of at least [notice period - confirm, e.g. 30 days; must match the DPA] by email to the account-holder and/or by an in-product or website notice, in accordance with the DPA.

To receive notice of changes, you can subscribe to updates at [subscribe-to-updates mechanism - confirm and wire up before go-live, e.g. a mailing-list sign-up URL, or "email the privacy contact below to be added to the notification list"]. We recommend that you also check this page periodically and keep your account-holder contact details up to date so that you receive notices. We will not rely on a notification channel that is not actually operational; if the subscribe mechanism is not yet live, the advance-notice email described above is the operative method.

We may make an urgent change to a sub-processor on shorter notice where this is reasonably required to maintain the security or continuity of the Service, or where an existing sub-processor ceases to provide the relevant service. In that case we will give notice as soon as reasonably practicable and your objection right in section 7 continues to apply.

7. Your right to object

If you have a reasonable, good-faith data-protection objection to a new or replacement sub-processor, you may object by giving us written notice within [objection window - confirm, e.g. 30 days from notice; must match the DPA], setting out the grounds for your objection.

If you object, we will work with you in good faith to address your concern. Where we are reasonably able to do so, we will seek to make the Service available to you in a manner that avoids the use of the objected-to sub-processor for your data. If we are unable to provide a reasonable alternative within a reasonable period, you may terminate the affected service in accordance with the DPA and the Terms of Service, and, where the DPA so provides, receive a pro-rata refund of fees paid in advance for the unused portion of the affected service [confirm the DPA grants this termination and pro-rata-refund right and cross-reference the specific clause]. To the extent permitted by law and subject to our Article 28(4) liability, such termination is your sole and exclusive remedy where an unresolved good-faith objection prevents us from providing the affected service, and we are not liable for any resulting interruption that is beyond our reasonable control or caused by a sub-processor's outage or force-majeure event. Nothing in this section limits any rights you may have that cannot lawfully be excluded or limited; and, where you are a consumer, nothing in this section affects your statutory rights under the Consumer Rights Act 2015 or the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013.

8. Contact

If you have any questions about our sub-processors, this list, or the safeguards described here, please contact us at [data protection / privacy contact email], or write to [registered office / trading address]. Our ICO registration reference is [ICO registration reference], our company registration number (if a company) is [company registration number if a company], and our VAT number (if VAT-registered) is [VAT number if VAT-registered]. The marketing site is wagepilot.co.uk and the app is at app.wagepilot.co.uk; the domain and any contact email referenced in our documents are provisional pending confirmation: [the domain wagepilot.co.uk and any contact email are provisional - confirm].

9. Changes to this list

This Sub-processors List forms part of the DPA and may be updated from time to time as described in section 6. The version published on this page at any given time is the current list, and we maintain an archive of prior versions so that the version in force when you entered into the DPA can be identified. This list was last updated on [last-updated date - confirm and maintain on each change].
