In accordance with UK GDPR Article 28, NurtureHub maintains this publicly accessible register of all third-party sub-processors that receive or process personal data on behalf of our agent customers. Agent customers acting as data controllers may reference this page when responding to data subject requests or completing their own Records of Processing Activities (RoPA).
Last updated: 1 June 2025
NurtureHub is designed to keep personal data within the UK and European Economic Area wherever technically possible. The table below shows where each processor stores data at rest. For transfers outside the UK/EEA, appropriate safeguards (UK IDTA, EU SCCs, or the EU-US Data Privacy Framework) are in place as detailed in each processor’s DPA.
UK / EEA Storage
US Transfer (with IDTA/SCCs)
Configurable / Conditional
Only activated when agent configures these integrations.
| Sub-Processor | Purpose | Data Categories | Data Location | Links |
|---|---|---|---|---|
| Neon (Neon Inc.) | Managed PostgreSQL database hosting. Stores all platform data including contact records, email content, engagement events, and configuration. | Contact personal data (name, email, phone, address), engagement events, agency configuration, AI-generated content. | European Union (AWS eu-west-1 / eu-central-1) — EU region selected at project provisioning. | |
| OpenAI (OpenAI, LLC) | Large language model inference for AI-generated nurture email content, brand voice extraction, and intent analysis. Contact context is passed to the API for email personalisation. | Contact first name, category, postcode area, property interest summary. No government IDs or financial data. | United States (OpenAI infrastructure — no EU region option). Data transferred under UK IDTA / EU SCCs. NurtureHub relies on the EU-US Data Privacy Framework (DPF) as an additional adequacy basis. Zero data retention (ZDR) is enabled — OpenAI does not store API data for model training. | |
| Resend (Resend Inc.) | Transactional email delivery for platform notifications, welcome emails, hot lead alerts, and sequence emails sent via the NurtureHub platform delivery path. | Recipient email address, sender name, email subject and body (which may contain contact personal data), delivery metadata. | European Union (EU infrastructure selected for NurtureHub sending domains). Data transferred under UK IDTA / EU SCCs for any US-side processing. | |
| Twilio (Twilio Inc.) | SMS and WhatsApp message delivery for hot lead alerts and contact notifications where SMS delivery mode is configured. | Mobile phone numbers, message content (which may reference contact names or property context). | United States / European Union (EU data centre configured where available). Data transferred under UK IDTA / EU SCCs. | |
| Inngest (Inngest Inc.) | Durable background job orchestration for AI pipeline execution, email scheduling, CRM sync, and analytics aggregation. Job event payloads may contain contact IDs and processing context. | Job event payloads including tenant IDs, contact IDs, and processing metadata. Not full contact records — personal data minimised to identifiers only. | United States (AWS). Data transferred under UK IDTA / EU SCCs. | |
| Vercel (Vercel Inc.) | Cloud application hosting and serverless edge function execution. All HTTP requests to NurtureHub pass through Vercel infrastructure. Also used for KV caching. | All data in transit (HTTP request/response), request logs (IP addresses, user agents, request paths). | European Union (fra1 Frankfurt / lon1 London region selected for NurtureHub deployment). Data transferred under UK IDTA / EU SCCs. | |
| AWS / Tigris (file storage) | Object storage for uploaded brand voice documents, agency logos, and other files uploaded through the NurtureHub platform. | Uploaded documents (brand guidelines, tone-of-voice documents), agency logos and images. Files may contain agency branding material; they are not full personal data sets but are tenant-specific assets. | United Kingdom (eu-west-2, AWS London) — NurtureHub explicitly configures AWS_REGION=eu-west-2 to enforce UK storage. Tigris is Vercel's object storage layer backed by AWS. If eu-west-2 is unavailable, eu-west-1 (Ireland) is the fallback (EEA adequate). | |
| Apify (Apify Technologies s.r.o.) | Web data extraction platform. NurtureHub agents connect their own Apify accounts to run pre-configured Actor scrapes for prospecting data. NurtureHub acts as a connector; the agent is the data controller for extracted data. | Apify API keys (encrypted at rest with AES-256-GCM). Extracted web data (property listings, public contact details) is processed transiently during import. | European Union (Czech Republic — EU member state, adequate). | |
| agentOS (Angels Media Ltd) | Native CRM integration. Contact records, property data, and activity events are synced bidirectionally between agentOS and NurtureHub for agencies using this integration. | Contact records (name, email, phone, address, property interests), property records, activity history. | United Kingdom | |
| Reapit (Reapit Ltd) | CRM integration via Open API. Contact data is synced from Reapit to NurtureHub for agencies using the Reapit connector. Engagement events are written back to Reapit. | Contact records (name, email, phone, address), applicant requirements, vendor records. | United Kingdom / European Union | |
| Alto (Landmark Information Group) | CRM integration via Open API. Contact and property data synced for agencies using the Alto connector. | Contact records, applicant requirements, landlord and vendor records. | United Kingdom | |
| Street (Street Group Ltd) | CRM integration via Open API. Contact and property data synced for agencies using the Street connector. | Contact records, property interests, applicant and vendor details. | United Kingdom | |
| Loop (Loop CRM) | CRM integration via Open API. Contact and property data synced for agencies using the Loop connector. | Contact records, tenancy and landlord records, applicant details. | United Kingdom | |
| Meta Platforms (Meta Platforms, Inc.) | Social media advertising retargeting. Where an agency enables the retargeting integration, hashed contact email addresses are shared with Meta for Custom Audience matching to serve relevant property adverts. | Hashed (SHA-256) email addresses only. Raw email addresses are never transmitted. Requires explicit agency configuration and contact consent. | United States. Data transferred under UK IDTA / EU SCCs. | |
| Google LLC | Google Ads retargeting (Customer Match) and, where configured, Google Workspace email delivery via Gmail API for sending campaign emails from the agency's own Google Workspace account. | Hashed email addresses for Ads Customer Match. OAuth tokens for Gmail delivery. Email content and recipient data for Workspace delivery. | United States / European Union. Data transferred under UK IDTA / EU SCCs. | |
| Microsoft Corporation | Microsoft 365 email delivery. Where an agency configures Microsoft 365 delivery mode, NurtureHub uses the Microsoft Graph API to send campaign emails from the agency's own Outlook / Exchange Online account. | OAuth tokens, email content, and recipient data for Microsoft 365 email delivery. | United States / European Union (EU Data Boundary available for M365 on eligible plans). Data transferred under UK IDTA / EU SCCs. |
Where personal data is transferred outside the United Kingdom, NurtureHub ensures that adequate safeguards are in place in accordance with UK GDPR Chapter V. The primary mechanisms used are:
Data residency controls: NurtureHub explicitly configures all configurable processors to use UK or EU regions where possible. In particular, file storage uses AWS eu-west-2 (London), the primary database uses Neon in eu-west-1 (Ireland), and application hosting uses Vercel EU regions. A Transfer Impact Assessment (TIA) is maintained internally for transfers to United States-based processors. Copies are available to agent customers on request via privacy@nurturehub.co.uk.
NurtureHub will provide at least 30 days’ prior written notice before engaging a new sub-processor or making a material change to an existing sub-processor arrangement that affects the processing of personal data. Notice is given via email to the account holder and by updating this page. Agent customers who object to a new sub-processor appointment on reasonable grounds should contact us at privacy@nurturehub.co.uk within 30 days of notification.
For questions about this register, data processing under UK GDPR Article 28, or to request a copy of our Data Processing Agreement (DPA) or Transfer Impact Assessment (TIA), please contact our Data Protection Lead at privacy@nurturehub.co.uk. We aim to respond within 5 business days.