Last updated: April 2026
A sub-processor is a third-party organisation that Core M8 Ltd (“Corem8”) engages to process personal data on behalf of our customers in order to deliver the Corem8 platform. Under Article 28 of the UK and EU General Data Protection Regulation we are required to maintain an up-to-date list of these parties and to notify our customers of any changes.
This page is the authoritative list. It is referenced by our Data Processing Agreement and our Privacy Policy.
We split the list into two groups. Core infrastructure sub-processors are engaged for every customer of the platform. Optional integration sub-processors only receive data if the customer explicitly connects them from within Corem8.
Engaged for the operation of the Corem8 platform for every customer.
| Provider | Purpose | Data Categories | Location | Transfer Mechanism |
|---|---|---|---|---|
| **Clerk** Clerk, Inc. | User authentication, session management, MFA, organisation membership | Name, email, phone, hashed password, session tokens, IP, user-agent | United States | SCCs + UK IDTA Addendum |
| **Supabase** Supabase Inc. | Primary Postgres database, Storage (file/photo uploads), Realtime subscriptions | All tenant-entered data (customers, jobs, invoices, messages, photos) | United States | SCCs + UK IDTA Addendum |
| **Vercel** Vercel Inc. | Application hosting, edge network, serverless compute, image optimisation | Request logs, IP addresses, routing metadata (no persistent tenant data) | United States (edge PoPs global) | SCCs + UK IDTA Addendum |
| **Upstash** Upstash, Inc. | Rate limiting, short-lived cache, idempotency keys | Rate-limit identifiers (hashed IP / user ID), TTL-bound cache entries | Ireland (EU) | No transfer outside EU/UK |
| **Stripe** Stripe Payments Europe, Ltd. / Stripe, Inc. | Subscription billing, card processing for the Corem8 SaaS itself | Billing contact, card token, payment history (card numbers never reach us) | Ireland (EU) with US sub-processors | SCCs + UK IDTA Addendum |
| **Anthropic** Anthropic PBC | Claude large-language-model inference for AI-assisted features (summaries, drafts, knowledge base) | Prompts derived from tenant-supplied text (customer messages, job notes, KB content) | United States | SCCs + UK IDTA Addendum; Anthropic zero-retention enterprise terms |
| **SendGrid (Twilio)** Twilio Inc. | Transactional and notification email delivery | Recipient email, email subject and body, delivery metadata | United States | SCCs + UK IDTA Addendum |
| **Twilio** Twilio Inc. | SMS and WhatsApp message routing | Sender and recipient phone numbers, message content, delivery metadata | United States | SCCs + UK IDTA Addendum |
| **Sentry** Functional Software, Inc. (trading as Sentry) | Error tracking and performance monitoring for platform reliability | Stack traces, request metadata, redacted user IDs (no PII or message bodies) | Germany (EU) | No transfer outside EU/UK |
Only engaged where the customer has explicitly connected the relevant integration from within Corem8 (for example, by completing an OAuth flow or entering API credentials). Disconnecting the integration stops the associated data transfer.
| Provider | Purpose | Data Categories | Location | Transfer Mechanism |
|---|---|---|---|---|
| **Google (Maps Platform)** Google LLC / Google Ireland Ltd. | Address autocomplete, geocoding, distance matrix, map tiles | Addresses and coordinates entered for jobs and leads | United States / Ireland | SCCs + UK IDTA Addendum |
| **Google (Ads API)** Google LLC / Google Ireland Ltd. | Uploading offline conversions to the tenant's Google Ads account | Google click ID (GCLID), conversion value, conversion time (no customer PII) | United States / Ireland | SCCs + UK IDTA Addendum |
| **Google (Gmail API)** Google LLC / Google Ireland Ltd. | Sending and syncing email from the tenant's connected Gmail account | Email subjects, bodies, and attachments the tenant chooses to sync | United States / Ireland | SCCs + UK IDTA Addendum |
| **Meta (WhatsApp Cloud API)** Meta Platforms Ireland Ltd. | Sending and receiving WhatsApp messages on the tenant's business number | Sender and recipient phone numbers, message content, delivery receipts | Ireland (EU) with US sub-processors | SCCs + UK IDTA Addendum |
| **Meta (Facebook Login / Graph API)** Meta Platforms Ireland Ltd. | Facebook Login for tenant accounts, posting to the tenant's Facebook Page | Facebook user ID, name, email (from login), Page access tokens | Ireland (EU) with US sub-processors | SCCs + UK IDTA Addendum |
| **Xero** Xero (UK) Ltd. | Accounting sync (invoices, customers, payments) | Invoice and customer records the tenant chooses to sync | United Kingdom / Australia / New Zealand | UK IDTA for AU/NZ transfers |
| **Intuit (QuickBooks Online)** Intuit Inc. | Accounting sync (invoices, customers, payments) | Invoice and customer records the tenant chooses to sync | United States | SCCs + UK IDTA Addendum |
Where personal data is transferred outside the United Kingdom or the European Economic Area we rely on one or more of the following transfer mechanisms, depending on the destination country and the sub-processor's own compliance posture:
Copies of the executed Data Processing Addenda we hold with each sub-processor are available on request for customers who have signed our Data Processing Agreement.
Before we engage a new sub-processor, or replace an existing one, we will update this page and send advance notice to customers who have an active subscription and have requested notifications.
Notice is typically given at least 30 days in advance of the new sub-processor receiving any personal data, except where a shorter timeframe is required for platform security or legal compliance.
To receive notifications of changes to this list by email, send a request from the billing contact on your Corem8 account to privacy@corem8.com.
A customer that has signed our Data Processing Agreement may object to a proposed new sub-processor on reasonable data-protection grounds by writing to privacy@corem8.com within 30 days of the notice.
We will work in good faith to propose an alternative approach. If an alternative is not reasonably available and the customer does not wish to proceed, the customer may terminate the affected service in accordance with the termination provisions of the Data Processing Agreement.
Email: privacy@corem8.com
Entity: Core M8 Ltd, registered in England & Wales
Regulator: Information Commissioner's Office, United Kingdom (ico.org.uk)