TWINKL LTD – SUB-PROCESSOR REGISTER
Data Controller: Twinkl Ltd, Wards Exchange, 197 Ecclesall Road, Sheffield, S11 8HW
Document Owner: Data Protection Officer
Version: 2.1
Last Reviewed: March 2026

| Sub-Processor / Vendor Name | Service / Function | Categories of Personal Data Processed | Data Subjects Affected | Transfer Country / Region | Transfer Mechanism / Safeguard | DPA / Contract in Place? | Technical & Organisational Security Measures (TOMs) | Evidence / Certification Links | Notes / Gaps |
|---|---|---|---|---|---|---|---|---|---|
| Adyen | Payment Processing | Payment card data, transaction records, billing address, name, email | Customers, paying subscribers | Netherlands (EU) | DPA / EU Adequacy (GDPR Art. 45) | Yes – DPA in place | PCI-DSS Level 1 compliant; end-to-end encryption of card data; tokenisation (no raw PAN storage); real-time fraud monitoring (RevenueProtect); AES-256 encryption at rest; TLS 1.2+ in transit; SOC 1 & SOC 2 Type II audited; RBAC; MFA for platform access; penetration testing; annual third-party audits | Adyen Security Overview; Adyen PCI Compliance; Adyen DPA | |
| Amazon Web Services (AWS) | Primary Data Hosting & Cloud Infrastructure | All categories of personal data hosted on platform; server logs; IP addresses | All data subjects (employees, customers, users) | UK / EU | DPA / UK IDTA / EU SCCs | Yes – AWS DPA & SCCs | ISO 27001 certified; SOC 1, SOC 2 Type II & SOC 3 audited; encryption at rest (AES-256) and in transit (TLS 1.2+); Virtual Private Cloud (VPC) isolation; Identity & Access Management (IAM); mandatory MFA; full audit logging (CloudTrail); regular penetration testing; physical security controls at data centres; 99.99% availability SLA | AWS Compliance Programmes; AWS ISO 27001 Cert; AWS SOC Reports; AWS DPA | |
| AWS Nova Lite (Amazon Bedrock) | AI / Generative AI Model Inference | User-submitted content; usage prompts; pseudonymised identifiers | Platform users, educators, pupils | US | DPA / SCCs / UK IDTA | Yes – AWS DPA | Encryption in transit (TLS 1.2+) and at rest (AES-256); no training on customer data by default (opt-out enforced via Bedrock policy); full audit logging via CloudTrail; RBAC with least-privilege IAM policies; AWS Nitro System for hardware-level isolation; data residency controls; VPC endpoints to avoid public internet traversal | AWS Bedrock Data Privacy; AWS AI Services Data Privacy; AWS DPA | Verify no-training opt-out is active in Bedrock console settings |
| Akamai Technologies | CDN / Web Performance & Security | IP addresses, device identifiers, HTTP request metadata, geolocation data | Website visitors, users | Global (US HQ) | DPA / SCCs / UK IDTA | Yes – DPA in place | TLS 1.2+ / SSL enforcement; DDoS mitigation (Prolexic); Web Application Firewall (WAF); edge-node security with physical & logical access controls; data minimisation by design; ISO 27001 certified; SOC 2 Type II audited; log retention controls; RBAC for platform access | Akamai Compliance; Akamai ISO 27001; Akamai DPA | |
| Cloudinary | Image & Media Asset Management | Profile images, user-uploaded media, metadata | Users, customers | US | DPA / SCCs / UK IDTA | Yes – DPA & SCCs | HTTPS/TLS in transit; cloud-based RBAC with least-privilege access; CDN delivery with signed URLs; AES-256 encrypted storage; SOC 2 Type II audited; automatic backup; access logging; CORS controls; IP allowlisting available | Cloudinary Security; Cloudinary Privacy & Compliance; Cloudinary DPA | |
| DPD (UK) | Physical Delivery Services | Name, delivery address, phone number, email | Customers (physical goods purchasers) | UK | DPA | Yes – DPA in place | Secure logistics data handling; encrypted parcel tracking portal (HTTPS/TLS); RBAC for driver and depot access systems; data minimisation (delivery data only retained as needed); physical security at depots; staff training on data handling; compliant with UK GDPR and Postal Services Act | DPD UK Privacy Policy | Request updated DPA and TOMs evidence at next contract review |
| Elastic / OpenSearch (Object Rocket) | Search & Data Analytics | Usage data, pseudonymised user identifiers, log data | Platform users | US | DPA / SCCs / UK IDTA | Yes – DPA in place | Data encryption at rest (AES-256) and in transit (TLS); RBAC with role-scoped API access; secure API endpoints (HTTPS only); SOC 2 Type II audited; audit logging; field-level security; IP allowlisting; index-level access controls; automated snapshots for backup | Elastic Security; Elastic Compliance; Elastic SOC 2 | |
| Fingerprint (OpenFPCDN) | Device Fingerprinting / Fraud Prevention | Device identifiers, browser attributes, IP addresses, behavioural signals | Website visitors, users | US | DPA / SCCs / UK IDTA | Yes – DPA in place | Pseudonymisation of device identifiers; AES-256 encryption in transit (TLS 1.2+); strict data minimisation (only fraud-relevant signals collected); access controls with API key authentication; data retention limits configurable; SOC 2 Type II audited; GDPR-compliant consent integration; server-side processing to minimise client exposure | Fingerprint Security; Fingerprint Privacy; Fingerprint DPA | |
| FireBolt | Data Warehouse & BI Analytics | Pseudonymised user IDs, usage data, analytics data, IP addresses, log data | Platform users | US | DPA / SCCs | Yes – DPA & SCCs | Encryption in transit (TLS) and at rest (AES-256); RBAC with least-privilege enforcement; VPC isolation; IP allowlisting; full audit logging; AWS KMS key management; IAM integration; SOC 2 Type II in progress (verify current status); automated backup and point-in-time recovery | Firebolt Security; Firebolt DPA | Confirm SOC 2 Type II certification status – was listed as 'in progress' |
| Flow (Book Distribution) | Book & Physical Resource Distribution | Name, delivery address, order data | Customers (book purchasers) | UK | DPA | Yes – DPA in place | Secure distribution data handling; HTTPS/TLS encrypted transactions; RBAC for staff access; data minimisation (order fulfilment data only); compliant with UK GDPR; physical security at warehouse/fulfilment sites | Flow Privacy | Request formal TOMs documentation at next contract review |
| Gemini (Google DeepMind / Google Cloud AI) | AI / Generative AI Features | User-submitted text, prompts, pseudonymised identifiers | Platform users, educators, pupils | US / EU (GCP regions) | DPA / SCCs / UK IDTA | Yes – Google DPA | Encryption in transit (TLS) and at rest (AES-256); no training on customer data without explicit consent (off by default for API use); full audit logging via Cloud Audit Logs; RBAC with least-privilege service accounts; Google Cloud security standards (ISO 27001, SOC 2/3); data residency configurable; VPC Service Controls; DLP integrations available | Google Cloud AI Data Privacy; Google Workspace DPA; Google Cloud Compliance | Confirm no-training setting is enforced via GCP console; review data residency region selection |
| GetSite Control | On-site Pop-ups & Live Chat Widget | Name, email, behavioural data, IP address | Website visitors, users | EU | DPA | Yes – DPA in place | Data encryption in transit (HTTPS/TLS); access controls with password-protected admin; GDPR-compliant data handling; data minimisation by configuration; server-side encryption at rest; consent-based data capture | GetSiteControl Privacy; GetSiteControl DPA | Verify current DPA version covers UK GDPR |
| Google Analytics (GA4) | Website Traffic & User Behaviour Analytics | IP addresses (anonymised), device/browser data, page views, session data | Website visitors | US | DPA / SCCs / UK IDTA | Yes – Google DPA & SCCs | IP anonymisation enabled (last octet masked); data encryption at rest and in transit; RBAC with restricted admin access; configurable data retention (set to minimum required); no cross-site tracking; consent mode integration; Google Signals disabled where not required; SOC 2 Type II; ISO 27001 | Google Analytics DPA; GA4 Data Privacy; Google Cloud Compliance | Ensure GA4 consent mode is correctly configured with UK cookie consent |
| Google Cloud Platform (GCP) – Cloud & Email | Cloud Infrastructure, Gmail, Google Workspace | Emails, calendar data, documents, personal data within Workspace | Employees, contractors | US / EU | DPA / SCCs / UK IDTA | Yes – Google Workspace DPA | ISO 27001 certified; SOC 2 Type II & SOC 3 audited; AES-256 encryption at rest; TLS in transit; MFA enforced (Google 2-Step Verification); RBAC via Google Admin console; full audit logging; eDiscovery and data loss prevention (DLP) tools; endpoint management; Google Workspace data residency option; physical security at Google data centres | Google Workspace DPA; Google Workspace Compliance; Google ISO 27001 | |
| HubSpot | CRM & Business Management | Name, email, company details, marketing preferences, contact history | Customers, leads, contacts | US | DPA / SCCs / UK IDTA | Yes – HubSpot DPA | AES-256 encryption at rest; TLS 1.2+ in transit; MFA enforced; SOC 2 Type II audited; RBAC with granular permissions; data residency options (EU available); audit logs; GDPR tools (consent management, right-to-erasure workflows); SSO/SAML support; intrusion detection; annual penetration testing | HubSpot Security; HubSpot DPA; HubSpot SOC 2 | |
| Impact.com | Affiliate / Ambassador Programme Management | Contact data, marketing data, tracking data | Customers, partners | USA | SCCs / UK IDTA | Yes | HTTPS/TLS encryption in transit; AES-256 at rest; access controls with RBAC; SOC 2 Type II audited; contractual data handling controls; data minimisation for tracking; fraud detection controls; MFA for admin access | Impact.com Privacy; Impact.com Security | Obtain formal DPA document and add to contract file |
| Jira (Atlassian) | Project Management & Issue Tracking | Employee names, email addresses, work tasks, project data | Employees, contractors | US / EU (Atlassian Cloud) | DPA / SCCs / UK IDTA | Yes – Atlassian DPA | SOC 2 Type II audited; ISO 27001 certified; AES-256 encryption at rest; TLS in transit; RBAC with project-level and space-level permissions; audit logs; SSO/MFA (Atlassian Access); IP allowlisting; data residency available (EU); automated backup; GDPR admin controls | Atlassian Trust Centre; Atlassian DPA; Atlassian SOC 2 | |
| Kickbox | Email Verification | Email addresses | Customers, subscribers | US | DPA / SCCs / UK IDTA | Yes – DPA in place | TLS encryption in transit; minimal data retention (email addresses not stored post-verification by default); secure REST API with API key authentication; HTTPS-only endpoints; SOC 2 Type II audited; data minimisation by design | Kickbox Privacy; Kickbox DPA | |
| Legal Debt Recovery Ltd | Debt Collection | Name, address, account details, financial data | Customers (debtors) | UK | DPA | Yes – DPA in place | Secure access controls for debt recovery data; encrypted data transfer (HTTPS/TLS); confidentiality agreements with all staff; RBAC; ICO registered; compliant with FCA debt collection guidelines and UK GDPR; physical document security; staff training on data handling | ICO Register | Verify current ICO registration; request updated TOMs schedule |
| Mailchimp (Intuit) | Email Marketing & Deliverability | Name, email address, marketing preferences, open/click data | Customers, subscribers | US | DPA / SCCs / UK IDTA | Yes – Mailchimp DPA | AES-256 encryption at rest; TLS 1.2+ in transit; SOC 2 Type II audited; RBAC with audience-level permissions; anti-spam compliance (CAN-SPAM, CASL); DKIM/SPF/DMARC enforced; MFA for account access; unsubscribe management; data retention controls; GDPR contact management tools | Mailchimp Privacy; Mailchimp DPA; Mailchimp Security | |
| Microsoft Clarity | User Behaviour Analytics / Session Recording | IP addresses (masked), session recordings, heatmaps, device data, click data | Website visitors | US | DPA / SCCs / UK IDTA | Yes – Microsoft DPA | Automatic IP masking (last octet); data minimisation by design; HTTPS/TLS in transit; Microsoft Azure security infrastructure; SOC 2 Type II audited; ISO 27001 certified; masking of sensitive input fields by default; RBAC for dashboard access; data retention controls; consent integration supported | Microsoft Clarity Privacy; Microsoft DPA; Microsoft Compliance | Confirm input masking is correctly configured to exclude payment/sensitive fields |
| New Relic | Application Performance Monitoring | Server logs, IP addresses, error traces, pseudonymised user identifiers, performance metrics | Platform users (indirect), employees | US | DPA / SCCs / UK IDTA | Yes – New Relic DPA | AES-256 encryption at rest; TLS 1.2+ in transit; SOC 2 Type II audited; RBAC with account-level access controls; configurable data retention periods; audit logging; data obfuscation rules (PII scrubbing); IP masking options; FedRAMP authorised (moderate); penetration testing; SSO/SAML support | New Relic Security; New Relic DPA; New Relic Compliance | Verify PII obfuscation rules are active to scrub any personal data from logs |
| OpenAI | AI / Generative AI Features | User-submitted text, prompts, pseudonymised identifiers | Platform users, educators, pupils | US | DPA / SCCs / UK IDTA | Yes – OpenAI DPA | Encryption in transit (TLS 1.2+) and at rest (AES-256); zero data retention option active via API (prompts/completions not stored); no training on API data by default (confirmed in DPA); SOC 2 Type II audited; RBAC with API key scoping; audit logging; GDPR data subject rights tooling; penetration testing; dedicated security team | OpenAI Security; OpenAI Privacy Policy; OpenAI DPA; OpenAI SOC 2 | Confirm zero-data-retention is enabled in API account settings; review if pupils' data is involved and consider age-appropriate AI policy |
| SendGrid (Twilio) | Transactional Email Delivery | Name, email address, IP address, email metadata | Customers, users | US | DPA / SCCs / BCRs / UK IDTA | Yes – Twilio/SendGrid DPA | TLS/SSL in transit; SOC 2 Type II audited; ISO 27001 certified; encrypted communications; RBAC with API key scoping; anti-spam compliance; DKIM/SPF/DMARC authentication; dedicated IPs available; Twilio BCRs cover intra-group transfers; email suppression list management; abuse monitoring | SendGrid Security; Twilio DPA; SendGrid Compliance | |
| Shopify | Merchandise E-Commerce & Distribution | Name, address, payment data, order history, email | Customers (merchandise purchasers) | EU / US | DPA / SCCs / UK IDTA | Yes – Shopify DPA | PCI-DSS Level 1 compliant; AES-256 encryption at rest; TLS 1.2+ in transit; RBAC with staff account permissions; SOC 2 Type II audited; fraud analysis tools; 2FA enforced for merchant accounts; automated threat detection; HTTPS enforced on storefronts; GDPR data deletion and export tools; bug bounty programme | Shopify Security; Shopify DPA; Shopify PCI | |
| Tableau (Salesforce) | Interactive Data Visualisation | Aggregated/pseudonymised analytics and business data | Internal teams | EU / US | DPA / SCCs / UK IDTA | Yes – Salesforce/Tableau DPA | TLS 1.2+ in transit; RBAC with site-level and workbook-level permissions; Salesforce Shield encryption available; SOC 2 Type II audited; ISO 27001 certified; MFA enforced; audit logging; row-level security for data access control; Salesforce Trust site for real-time status | Tableau/Salesforce DPA; Salesforce Trust; Tableau Security | |
| Twilio | Business Communications (SMS, Voice) | Phone numbers, message content, IP addresses | Customers, users | US | DPA / SCCs / BCRs / UK IDTA | Yes – Twilio DPA | End-to-end encryption for voice (SRTP) and messaging (TLS); SOC 2 Type II audited; ISO 27001 certified; RBAC with API key and subaccount management; strict access controls; BCRs for intra-group transfers; GDPR DPA in place; message logging controls; MFA for console access; data residency options; abuse monitoring | Twilio DPA; Twilio Security; Twilio Trust Centre | |
| Upfluence | Influencer Marketing & Tracking | Influencer contact data, social media handles, email, campaign performance data | Influencers, marketing partners | US / EU | DPA / SCCs / UK IDTA | Yes – DPA in place | HTTPS/TLS encryption in transit; AES-256 at rest; RBAC for campaign and contact data access; data minimisation (campaign-relevant data only); GDPR-compliant influencer consent management; encrypted API communications; SOC 2 in progress (verify); access logging | Upfluence Privacy; Upfluence Security | |
| Zendesk | Customer Support – Live Chat & Telephony | Name, email, account details, support conversation data, IP address | Customers, users | US | DPA / SCCs / BCRs / UK IDTA | Yes – Zendesk DPA | AES-256 encryption at rest; TLS 1.2+ in transit; Zendesk BCRs covering intra-group transfers; SOC 2 Type II audited; ISO 27001 certified; RBAC with ticket-level and brand-level permissions; audit logs; data deletion and export tools; SSO/MFA; HIPAA BAA available; network security monitoring; penetration testing | Zendesk DPA; Zendesk Trust Centre; Zendesk Compliance | |
| Sprig | Qualitative User Feedback / Session Insights | Usage data, feedback, behavioural data | Customers / users | USA | SCCs / UK IDTA | Yes | Data minimisation and anonymisation tools; HTTPS/TLS in transit; AES-256 at rest; SOC 2 Type II audited; RBAC for survey and session data access; consent-based data collection; configurable data retention; GDPR compliance tools | Sprig Security; Sprig Privacy | |
| YPO | School Application Processing | Student data, parent data, application info | Students, parents | UK / International | SCCs / UK IDTA | Yes | Secure portals with HTTPS/TLS; restricted access with RBAC; encryption at rest; data minimisation; compliant with UK GDPR and children's data requirements (ICO Age Appropriate Design Code where applicable); audit trails; staff training | YPO Privacy | Children's data – verify Age Appropriate Design Code compliance; obtain updated TOMs |
| RefTech | Event Badge Scanning / Lead Capture | Contact data, event interaction data | Event attendees | UK / EU | SCCs (if applicable) | Yes | Encrypted devices for badge scanning; HTTPS/TLS in transit; AES-256 at rest; RBAC for event staff access; data minimisation (event-relevant data only); audit logs; GDPR-compliant consent capture at registration; secure data deletion post-event per retention policy | RefTech Privacy | Confirm SCCs in place if EU data involved; obtain DPA |
| ManyChat | Social Media Automation | Contact data, interaction data | Customers / prospects | Canada | Adequacy decision (Canada – PIPEDA) | Yes | HTTPS/TLS in transit; AES-256 at rest; RBAC for bot and campaign management; SOC 2 Type II audited; GDPR/PIPEDA compliant; consent-based subscriber management; unsubscribe management; platform-level security (Meta API); MFA for account access; data minimisation | ManyChat Security; ManyChat Privacy | |
| Anrok | US/CA Automated Sales Tax | Transaction data, billing data | Customers | USA / Canada | SCCs / UK IDTA | Yes | Financial data protection controls; HTTPS/TLS in transit; AES-256 at rest; SOC 2 Type II audited; RBAC for finance team access; data minimisation (transaction data only); PCI-DSS alignment for billing data; audit logging | Anrok Security; Anrok Privacy | |
| Meta Platforms | Digital Advertising / Hashed Audiences | Hashed email addresses, marketing data | Customers / prospects | USA | SCCs / UK IDTA | Yes | Pseudonymisation via one-way SHA-256 hashing of emails before upload; HTTPS/TLS in transit; platform-level security (ISO 27001, SOC 2); RBAC with Business Manager account controls; MFA enforced for ad account access; data minimisation (hashed identifiers only); Meta DPA covers EU/UK transfers; custom audiences encrypted in transit | Meta Privacy Policy; Meta DPA; Meta Business Security | Confirm hashing is applied before any data leaves Twinkl systems; review Meta pixel consent configuration |
| ElevenLabs | AI Voice / Subtitle Generation | Audio, transcripts | Employees, customers | USA | SCCs / UK IDTA | Yes | AI processing controls with no-training option for API use; HTTPS/TLS in transit; AES-256 at rest; RBAC for API access; data minimisation (audio processed and not retained post-generation by default); SOC 2 Type II in progress (verify current status); audit logging; content moderation controls | ElevenLabs Privacy; ElevenLabs Security | Verify no-retention setting is active; confirm SOC 2 status; consider if voice data constitutes biometric data (Art. 9 UK GDPR) |
| Descript | Video Subtitle Generation | Audio / video data | Employees, customers | USA | SCCs / UK IDTA | Yes | Encryption at rest (AES-256) and in transit (TLS); secure cloud-based processing; RBAC for project and workspace access; SOC 2 Type II audited; HTTPS-only access; data minimisation; configurable media retention; MFA for account access | Descript Privacy; Descript Security | Assess whether voice/audio data constitutes biometric data requiring an Art. 9 UK GDPR basis |
| Stripe | Payment Processing / Subscription Billing | Payment data, billing info | Customers | USA / EU | SCCs / UK IDTA | Yes | PCI-DSS Level 1 compliant; AES-256 encryption at rest; TLS 1.2+ in transit; tokenisation (no raw card data stored by Twinkl); RBAC with dashboard access controls; SOC 2 Type II audited; ISO 27001 certified; fraud detection (Stripe Radar); MFA enforced for dashboard; GDPR data subject tooling; bug bounty programme | Stripe Security; Stripe Privacy; Stripe PCI; Stripe DPA | |
| Snowflake | BI / Analytics Data Warehouse | Aggregated data, business data | Customers, employees | USA / EU | SCCs / UK IDTA | Yes | AES-256 encryption at rest; TLS 1.2+ in transit; end-to-end encryption option (Tri-Secret Secure); data segregation with virtual warehouses; RBAC with fine-grained access control; SOC 1 & SOC 2 Type II audited; ISO 27001 certified; dynamic data masking; row-level access policies; audit logging; MFA; data residency in EU available | Snowflake Trust Centre; Snowflake Security; Snowflake DPA | |
| Eventbrite | Event Management | Contact data, event participation data | Customers, prospects | USA | SCCs / UK IDTA | Yes | HTTPS/TLS; SOC 2 Type II; RBAC; data minimisation for registrant data; GDPR-compliant data subject tooling; data retention controls | Eventbrite Privacy | Separate DPA entries may be needed for Zoom and Eventbrite as distinct controllers |
| Zoom | Webinars and Event Management | Contact data, event participation data | Customers, prospects | USA | SCCs / UK IDTA | Yes | AES-256-GCM encryption for meetings; TLS in transit; SOC 2 Type II; ISO 27001; RBAC for admin/host roles; MFA enforced; waiting room and password controls; data retention controls | Zoom Security; Zoom DPA | Separate DPA entries may be needed for Zoom and Eventbrite as distinct controllers |
| Google Cloud Identity Platform | User Authentication | Login credentials, identifiers | Users / employees | USA / EU | SCCs / UK IDTA | Yes | Identity security with OAuth 2.0 / OpenID Connect; MFA/2FA enforced; AES-256 at rest; TLS in transit; RBAC; SOC 2 Type II; ISO 27001; audit logging via Cloud Audit Logs; brute-force and anomaly detection; phishing-resistant authentication options; data residency in EU available | Google Cloud Identity; Google Cloud Compliance; Google DPA | |