Article 28 UK GDPR

Data Processor & Sub-Processor Register

CourtCraft Advocate Ltd — ICO Registration No. ZB812547

Version 1.0 | Prepared: May 2026 | Next Review: May 2027 | Living Document

Article 28 Obligation

Under Article 28 of the UK GDPR, CourtCraft Advocate Ltd may only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures. All processing by sub-processors must be governed by a contract imposing the same data protection obligations as the controller-processor contract. Sub-processors may only process data on documented instructions from CourtCraft Advocate Ltd.

9

Total Processors

2 processors

Special Category

6 processors

DPA Pending

UK GDPR Art. 28

Legal Framework

Article 28 Mandatory Contract Requirements

All Data Processing Agreements with processors must include the following mandatory provisions under Article 28(3) UK GDPR:

Art. 28(3)(a)

Process personal data only on documented instructions from CourtCraft Advocate Ltd

Art. 28(3)(b)

Ensure persons authorised to process personal data are bound by confidentiality

Art. 28(3)(c)

Implement all security measures required under Article 32

Art. 28(3)(d)

Respect conditions for engaging sub-processors — prior written authorisation required

Art. 28(3)(e)

Assist CourtCraft in responding to data subject rights requests

Art. 28(3)(f)

Assist CourtCraft in ensuring compliance with Articles 32–36 (security, breach notification, DPIA)

Art. 28(3)(g)

Delete or return all personal data at end of service and delete existing copies

Art. 28(3)(h)

Make available all information necessary to demonstrate compliance; allow audits

ICO Enforcement Reference — DPP Law Ltd, £60,000 Fine (April 2025)

The ICO fined DPP Law Ltd £60,000 in April 2025 for inadequate security of special category data in a legal context. This register documents CourtCraft Advocate's Article 28 compliance posture to demonstrate that all processors handling special category data are subject to documented processing instructions and adequate contractual safeguards.

Registered Processors

P-001Article 9 Data

Supabase Inc.

Database, Authentication & Storage Provider

DPA Pending

Processing Activity

Stores all user account data, case data, documents, AI conversation history, audit logs, and vault data. Provides authentication services.

Data Categories

Account dataCase dataAI conversation historyDocument contentAudit logsSession data

Location & Transfer Mechanism

Location: USA (data hosted EU — eu-west-2 London, confirmation required)

Transfer: Standard Contractual Clauses (SCCs) + UK Addendum (IDTA)

Article 28(3)(a) — Documented Processing Instructions

Process only on documented instructions from CourtCraft Advocate Ltd. No sub-processing of personal data without prior written authorisation. Data must remain in eu-west-2 (London) region. Row-level security must be maintained at all times.

Sub-Processors

  • AWS (eu-west-2 — infrastructure)
  • Cloudflare (CDN — no personal data stored)

Retention by Processor

Deleted on account termination + 30 days. Backups purged within 90 days of deletion instruction.

Last reviewed: May 2026

View DPA →
P-002Article 9 Data

Anthropic PBC

AI Language Model Provider (Claude)

DPA Pending

Processing Activity

Processes user queries and case data to generate AI-assisted legal guidance, court documents, and case analysis. Processes special category data including domestic abuse disclosures and family law proceedings data.

Data Categories

Chat messagesLegal queriesCase contextDocument generation instructions

Location & Transfer Mechanism

Location: USA

Transfer: IDTA (International Data Transfer Agreement) — PENDING EXECUTION

Article 28(3)(a) — Documented Processing Instructions

Process only on documented instructions. No use of personal data for AI model training. No retention of personal data beyond active API session. Special category data (Article 9) must not be used for any purpose other than the active case query. Processing basis: Article 9(2)(f) — legal claims.

Sub-Processors

  • AWS (infrastructure — USA)

Retention by Processor

No retention beyond active API session per Anthropic DPA. Logs retained for security purposes only (30 days maximum).

Last reviewed: May 2026

View DPA →
P-003

OpenAI LLC

AI Language Model & Image Generation Provider

DPA Pending

Processing Activity

Processes user queries for AI-assisted legal guidance and generates images. Used as secondary AI provider.

Data Categories

Chat messagesLegal queriesImage generation prompts

Location & Transfer Mechanism

Location: USA

Transfer: Standard Contractual Clauses (SCCs) + UK Addendum — PENDING EXECUTION

Article 28(3)(a) — Documented Processing Instructions

Process only on documented instructions. No use of personal data for AI model training (zero data retention API tier required). Special category data must not be transmitted to OpenAI without explicit user consent and Article 9(2)(f) basis confirmed.

Sub-Processors

  • Microsoft Azure (infrastructure)

Retention by Processor

Zero data retention API tier — no retention beyond active session.

Last reviewed: May 2026

View DPA →
P-004

Perplexity AI Inc.

AI-Assisted Legal Research Provider

DPA Pending

Processing Activity

Processes PII-stripped legal research queries to retrieve UK family law information. Personal data is stripped before transmission.

Data Categories

Anonymised legal research queries (PII stripped before transmission)

Location & Transfer Mechanism

Location: USA

Transfer: Standard Contractual Clauses (SCCs) + PII-stripping as additional safeguard

Article 28(3)(a) — Documented Processing Instructions

All queries must be PII-stripped before transmission. No personal identifiers, case numbers, or party names may be transmitted. Processing basis: Article 6(1)(b) — contract performance for anonymised research queries only.

Sub-Processors

  • AWS (infrastructure)

Retention by Processor

No personal data retained (PII-stripped queries only).

Last reviewed: May 2026

View DPA →
P-005

Stripe Inc.

Payment Processing Provider

Covered by Service Agreement

Processing Activity

Processes subscription payments, McKenzie Friend session payments, and manages billing. Handles payment card data under PCI DSS.

Data Categories

Email addressSubscription tierPayment statusStripe customer IDInvoice records

Location & Transfer Mechanism

Location: USA / EU (data localisation available)

Transfer: Covered by Stripe Services Agreement (includes SCCs)

Article 28(3)(a) — Documented Processing Instructions

Process payment data only for subscription and session payment purposes. No card data stored by CourtCraft. Webhook signature verification required on all Stripe events.

Sub-Processors

  • Various financial institution sub-processors (listed in Stripe DPA)

Retention by Processor

Financial records retained 7 years (HMRC requirement). Card data not retained by Stripe beyond transaction.

Last reviewed: May 2026

View DPA →
P-006

Resend Inc.

Transactional Email Delivery Provider

DPA Pending

Processing Activity

Delivers account verification emails, GDPR confirmation emails, payment receipts, trial countdown notifications, and court date reminders.

Data Categories

Email addressFull nameEmail content (transactional only)

Location & Transfer Mechanism

Location: USA

Transfer: Standard Contractual Clauses (SCCs)

Article 28(3)(a) — Documented Processing Instructions

Send transactional emails only on documented instructions. No marketing emails without separate consent. Email content must not include special category data. Logs retained for delivery confirmation only.

Sub-Processors

  • AWS SES (email infrastructure)

Retention by Processor

Email send logs retained 30 days. Email content not retained beyond delivery.

Last reviewed: May 2026

View DPA →
P-007

Calendly LLC

McKenzie Friend Session Scheduling Provider

DPA Pending

Processing Activity

Manages booking and scheduling of paid McKenzie Friend support sessions. Processes booking data including name, email, and session type.

Data Categories

Full nameEmail addressSession typeBooking date/time

Location & Transfer Mechanism

Location: USA

Transfer: Standard Contractual Clauses (SCCs) + UK Addendum

Article 28(3)(a) — Documented Processing Instructions

Process booking data only for McKenzie Friend session scheduling. No special category data to be transmitted via Calendly. Booking data used solely for session management.

Sub-Processors

  • AWS (infrastructure)
  • Stripe (payment processing for paid bookings)

Retention by Processor

Booking records retained per Calendly standard terms. CourtCraft instructs deletion on account termination.

Last reviewed: May 2026

View DPA →
P-008

Vercel Inc.

Platform Hosting & Deployment Provider

Covered by Service Agreement

Processing Activity

Hosts the CourtCraft Advocate web application. Processes HTTP request logs and edge function execution. No personal data stored by Vercel beyond standard access logs.

Data Categories

IP addresses (access logs)HTTP request metadataEdge function logs

Location & Transfer Mechanism

Location: USA / EU (edge network)

Transfer: Standard Contractual Clauses (SCCs)

Article 28(3)(a) — Documented Processing Instructions

Process only HTTP request and deployment data. No personal data stored beyond standard access logs. Edge functions must not log personal data content.

Sub-Processors

  • AWS (infrastructure)
  • Cloudflare (CDN)

Retention by Processor

Access logs retained 30 days per Vercel standard terms.

Last reviewed: May 2026

View DPA →
P-009

Google LLC

Analytics Provider (consent-gated)

Covered by Service Agreement

Processing Activity

Collects anonymised usage analytics where user consent has been given. IP anonymisation enabled. No special category data processed.

Data Categories

Anonymised usage eventsPage viewsSession durationBrowser/device type (anonymised)

Location & Transfer Mechanism

Location: USA

Transfer: Standard Contractual Clauses (SCCs) + UK Addendum

Article 28(3)(a) — Documented Processing Instructions

Analytics only active with explicit user consent. IP anonymisation must remain enabled at all times. No cross-site tracking. No special category data to be transmitted.

Sub-Processors

  • Google Cloud (infrastructure)

Retention by Processor

26 months (Google Analytics default). Anonymised aggregate data retained indefinitely.

Last reviewed: May 2026

View DPA →

⚠️ Action Required — DPA Execution

The following processors require formal Data Processing Agreements before processing live user data at commercial scale. This is a pre-launch compliance requirement under Article 28 UK GDPR.

Supabase Inc.

Database, Authentication & Storage Provider

DPA →

Anthropic PBC

AI Language Model Provider (Claude)

DPA →

OpenAI LLC

AI Language Model & Image Generation Provider

DPA →

Perplexity AI Inc.

AI-Assisted Legal Research Provider

DPA →

Resend Inc.

Transactional Email Delivery Provider

DPA →

Calendly LLC

McKenzie Friend Session Scheduling Provider

DPA →

© 2024–2026 CourtCraft Advocate™ Ltd. All rights reserved.
ICO Registration No. ZB812547 | Article 28 UK GDPR | Living Document — updated on any change to processor relationships