Article 28 UK GDPR
Data Processor & Sub-Processor Register
CourtCraft Advocate Ltd — ICO Registration No. ZB812547
Version 1.0 | Prepared: May 2026 | Next Review: May 2027 | Living Document
Article 28 Obligation
Under Article 28 of the UK GDPR, CourtCraft Advocate Ltd may only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures. All processing by sub-processors must be governed by a contract imposing the same data protection obligations as the controller-processor contract. Sub-processors may only process data on documented instructions from CourtCraft Advocate Ltd.
9
Total Processors
2 processors
Special Category
6 processors
DPA Pending
UK GDPR Art. 28
Legal Framework
Article 28 Mandatory Contract Requirements
All Data Processing Agreements with processors must include the following mandatory provisions under Article 28(3) UK GDPR:
Art. 28(3)(a)
Process personal data only on documented instructions from CourtCraft Advocate Ltd
Art. 28(3)(b)
Ensure persons authorised to process personal data are bound by confidentiality
Art. 28(3)(c)
Implement all security measures required under Article 32
Art. 28(3)(d)
Respect conditions for engaging sub-processors — prior written authorisation required
Art. 28(3)(e)
Assist CourtCraft in responding to data subject rights requests
Art. 28(3)(f)
Assist CourtCraft in ensuring compliance with Articles 32–36 (security, breach notification, DPIA)
Art. 28(3)(g)
Delete or return all personal data at end of service and delete existing copies
Art. 28(3)(h)
Make available all information necessary to demonstrate compliance; allow audits
ICO Enforcement Reference — DPP Law Ltd, £60,000 Fine (April 2025)
The ICO fined DPP Law Ltd £60,000 in April 2025 for inadequate security of special category data in a legal context. This register documents CourtCraft Advocate's Article 28 compliance posture to demonstrate that all processors handling special category data are subject to documented processing instructions and adequate contractual safeguards.
Registered Processors
Supabase Inc.
Database, Authentication & Storage Provider
Processing Activity
Stores all user account data, case data, documents, AI conversation history, audit logs, and vault data. Provides authentication services.
Data Categories
Location & Transfer Mechanism
Location: USA (data hosted EU — eu-west-2 London, confirmation required)
Transfer: Standard Contractual Clauses (SCCs) + UK Addendum (IDTA)
Article 28(3)(a) — Documented Processing Instructions
Process only on documented instructions from CourtCraft Advocate Ltd. No sub-processing of personal data without prior written authorisation. Data must remain in eu-west-2 (London) region. Row-level security must be maintained at all times.
Sub-Processors
- AWS (eu-west-2 — infrastructure)
- Cloudflare (CDN — no personal data stored)
Retention by Processor
Deleted on account termination + 30 days. Backups purged within 90 days of deletion instruction.
Last reviewed: May 2026
View DPA →Anthropic PBC
AI Language Model Provider (Claude)
Processing Activity
Processes user queries and case data to generate AI-assisted legal guidance, court documents, and case analysis. Processes special category data including domestic abuse disclosures and family law proceedings data.
Data Categories
Location & Transfer Mechanism
Location: USA
Transfer: IDTA (International Data Transfer Agreement) — PENDING EXECUTION
Article 28(3)(a) — Documented Processing Instructions
Process only on documented instructions. No use of personal data for AI model training. No retention of personal data beyond active API session. Special category data (Article 9) must not be used for any purpose other than the active case query. Processing basis: Article 9(2)(f) — legal claims.
Sub-Processors
- AWS (infrastructure — USA)
Retention by Processor
No retention beyond active API session per Anthropic DPA. Logs retained for security purposes only (30 days maximum).
Last reviewed: May 2026
View DPA →OpenAI LLC
AI Language Model & Image Generation Provider
Processing Activity
Processes user queries for AI-assisted legal guidance and generates images. Used as secondary AI provider.
Data Categories
Location & Transfer Mechanism
Location: USA
Transfer: Standard Contractual Clauses (SCCs) + UK Addendum — PENDING EXECUTION
Article 28(3)(a) — Documented Processing Instructions
Process only on documented instructions. No use of personal data for AI model training (zero data retention API tier required). Special category data must not be transmitted to OpenAI without explicit user consent and Article 9(2)(f) basis confirmed.
Sub-Processors
- Microsoft Azure (infrastructure)
Retention by Processor
Zero data retention API tier — no retention beyond active session.
Last reviewed: May 2026
View DPA →Perplexity AI Inc.
AI-Assisted Legal Research Provider
Processing Activity
Processes PII-stripped legal research queries to retrieve UK family law information. Personal data is stripped before transmission.
Data Categories
Location & Transfer Mechanism
Location: USA
Transfer: Standard Contractual Clauses (SCCs) + PII-stripping as additional safeguard
Article 28(3)(a) — Documented Processing Instructions
All queries must be PII-stripped before transmission. No personal identifiers, case numbers, or party names may be transmitted. Processing basis: Article 6(1)(b) — contract performance for anonymised research queries only.
Sub-Processors
- AWS (infrastructure)
Retention by Processor
No personal data retained (PII-stripped queries only).
Last reviewed: May 2026
View DPA →Stripe Inc.
Payment Processing Provider
Processing Activity
Processes subscription payments, McKenzie Friend session payments, and manages billing. Handles payment card data under PCI DSS.
Data Categories
Location & Transfer Mechanism
Location: USA / EU (data localisation available)
Transfer: Covered by Stripe Services Agreement (includes SCCs)
Article 28(3)(a) — Documented Processing Instructions
Process payment data only for subscription and session payment purposes. No card data stored by CourtCraft. Webhook signature verification required on all Stripe events.
Sub-Processors
- Various financial institution sub-processors (listed in Stripe DPA)
Retention by Processor
Financial records retained 7 years (HMRC requirement). Card data not retained by Stripe beyond transaction.
Last reviewed: May 2026
View DPA →Resend Inc.
Transactional Email Delivery Provider
Processing Activity
Delivers account verification emails, GDPR confirmation emails, payment receipts, trial countdown notifications, and court date reminders.
Data Categories
Location & Transfer Mechanism
Location: USA
Transfer: Standard Contractual Clauses (SCCs)
Article 28(3)(a) — Documented Processing Instructions
Send transactional emails only on documented instructions. No marketing emails without separate consent. Email content must not include special category data. Logs retained for delivery confirmation only.
Sub-Processors
- AWS SES (email infrastructure)
Retention by Processor
Email send logs retained 30 days. Email content not retained beyond delivery.
Last reviewed: May 2026
View DPA →Calendly LLC
McKenzie Friend Session Scheduling Provider
Processing Activity
Manages booking and scheduling of paid McKenzie Friend support sessions. Processes booking data including name, email, and session type.
Data Categories
Location & Transfer Mechanism
Location: USA
Transfer: Standard Contractual Clauses (SCCs) + UK Addendum
Article 28(3)(a) — Documented Processing Instructions
Process booking data only for McKenzie Friend session scheduling. No special category data to be transmitted via Calendly. Booking data used solely for session management.
Sub-Processors
- AWS (infrastructure)
- Stripe (payment processing for paid bookings)
Retention by Processor
Booking records retained per Calendly standard terms. CourtCraft instructs deletion on account termination.
Last reviewed: May 2026
View DPA →Vercel Inc.
Platform Hosting & Deployment Provider
Processing Activity
Hosts the CourtCraft Advocate web application. Processes HTTP request logs and edge function execution. No personal data stored by Vercel beyond standard access logs.
Data Categories
Location & Transfer Mechanism
Location: USA / EU (edge network)
Transfer: Standard Contractual Clauses (SCCs)
Article 28(3)(a) — Documented Processing Instructions
Process only HTTP request and deployment data. No personal data stored beyond standard access logs. Edge functions must not log personal data content.
Sub-Processors
- AWS (infrastructure)
- Cloudflare (CDN)
Retention by Processor
Access logs retained 30 days per Vercel standard terms.
Last reviewed: May 2026
View DPA →Google LLC
Analytics Provider (consent-gated)
Processing Activity
Collects anonymised usage analytics where user consent has been given. IP anonymisation enabled. No special category data processed.
Data Categories
Location & Transfer Mechanism
Location: USA
Transfer: Standard Contractual Clauses (SCCs) + UK Addendum
Article 28(3)(a) — Documented Processing Instructions
Analytics only active with explicit user consent. IP anonymisation must remain enabled at all times. No cross-site tracking. No special category data to be transmitted.
Sub-Processors
- Google Cloud (infrastructure)
Retention by Processor
26 months (Google Analytics default). Anonymised aggregate data retained indefinitely.
Last reviewed: May 2026
View DPA →⚠️ Action Required — DPA Execution
The following processors require formal Data Processing Agreements before processing live user data at commercial scale. This is a pre-launch compliance requirement under Article 28 UK GDPR.
Supabase Inc.
Database, Authentication & Storage Provider
Anthropic PBC
AI Language Model Provider (Claude)
OpenAI LLC
AI Language Model & Image Generation Provider
Perplexity AI Inc.
AI-Assisted Legal Research Provider
Resend Inc.
Transactional Email Delivery Provider
Calendly LLC
McKenzie Friend Session Scheduling Provider
© 2024–2026 CourtCraft Advocate™ Ltd. All rights reserved.
ICO Registration No. ZB812547 | Article 28 UK GDPR | Living Document — updated on any change to processor relationships