International Data Transfers

Some of our service providers are located outside the UK. We ensure appropriate safeguards are in place for all international transfers.

UK/EU only vendors

No international transfer required

UK-US Data Bridge

DPF certified with UK Extension

Transfer Mechanisms We Use

UK-US Data Bridge (DPF + UK Extension)

For US-based processors certified under the EU-US Data Privacy Framework with the UK Extension. This provides an adequacy-based mechanism for UK-US transfers.

UK International Data Transfer Agreement (UK IDTA)

Where applicable, we use the UK IDTA as the primary transfer mechanism for non-adequacy countries.

EU SCCs with UK Addendum

For processors using EU Standard Contractual Clauses, we apply the UK Addendum to extend coverage to UK data subjects.

Transfer Risk Assessments (TRAs)

Where required, we conduct and document Transfer Risk Assessments to evaluate the level of protection in the destination country.

Our Approach

UK-first: We prioritise UK and EU-based vendors where practical
Data residency: Primary database (Supabase) is in EU/London region
Documented: Transfer mechanisms recorded in our vendor register
Reviewed: Transfer arrangements reviewed quarterly

For the complete list of vendors and their transfer mechanisms, see our Vendor Register.

Security, Privacy & Compliance