Sub-Processor List
- UK GDPR Article 28 & 30
Conscium Limited engages the following third-party sub-processors to provide the VerifyAX platform and related services. This list is maintained in accordance with our obligations under UK GDPR and is updated whenever we add, change, or remove a sub-processor.
Last updated: May 2026 | 9 Sub-processors listed | Controller: Conscium Limited
Client notification. Conscium will provide at least 30 days' notice of any intended addition or replacement of a sub-processor by updating this page and notifying active clients by email to the address registered on their account. Continued use of the VerifyAX platform after the notice period constitutes acceptance unless an objection is raised in writing. To raise an objection or to receive notifications automatically, contact privacy@conscium.com.
Cloud Infrastructure
Google Cloud Platform - Cloud infrastructure, compute, storage, networking
1 processor | UK | EU
| Legal Entity Google LLC / Google Cloud EMEA Limited |
Processing Location Primary: europe-west2 (London, UK) Failover: europe-west4 (Netherlands, EU) |
| Purpose / Services Used All VerifyAX infrastructure: GKE (compute), Cloud SQL (database), Cloud Storage (file/log storage), Memorystore (session cache), Cloud Load Balancing, Cloud DNS, Cloud CDN, Artifact Registry, Workload Identity |
Personal Data Processed All categories of personal data processed by VerifyAX — GCP is the primary hosting platform |
| Transfer Safeguard Google Cloud Data Processing Addendum — includes Standard Contractual Clauses. Primary processing in UK/EU — no third-country transfer for production data. |
Risk Level Low — UK/EU hosting; Google Cloud DPA in place; adequate protections apply |
| Further Information Google Cloud DPA ↗ | Compliance documentation ↗ |
|
Identity & Authentication
Auth0 (Okta) — User authentication and identity management
1 processor | US / EU | SCCS
| Legal Entity Okta, Inc. (US) / Okta EMEA Limited (EU) |
Processing Location EU tenancy configured — EU (Ireland / Germany). Production data does not leave the EU. |
| Purpose User registration, authentication, login event management, MFA, session management for all VerifyAX platform users |
Personal Data Processed Email address, name, hashed credentials, login timestamps, IP address, device information, MFA settings |
| Transfer Safeguard Auth0 DPA + Standard Contractual Clauses. EU tenancy ensures primary processing within the EEA — adequacy applies for UK–EU transfers. |
Risk Level Low — EU tenancy configured; SCCs in place as backstop |
| Further Information Okta Privacy Policy ↗ | Okta DPA and SCCs ↗ |
|
Billing & Communications
Stripe — Payment processing and subscription billing
2 processors EU | UK
| Legal Entity Stripe Payments Europe Limited (Ireland) for EU/UK customers |
Processing Location EU / UK (Stripe EMEA infrastructure). Some data may flow to US Stripe entities — covered by SCCs. |
| Purpose Processing subscription payments, managing billing records, handling invoices, refunds, and payment disputes for VerifyAX subscribers |
Personal Data Processed Name, email address, billing address, company name, tokenised payment card data (Conscium does not store raw card numbers), transaction history, subscription tier |
| Transfer Safeguard Stripe Data Processing Agreement + Standard Contractual Clauses. Stripe Payments Europe processes EU/UK billing data under EU GDPR. |
Risk Level Low — established payment processor; EU entity; DPA in place; PCI DSS Level 1 certified |
| Further Information Stripe Privacy Policy ↗ | Stripe DPA ↗ |
|
Transactional Email Provider — Transactional and notification email delivery
| Status To be confirmed. Conscium uses an email delivery provider for transactional emails (account confirmations, password resets, billing notifications, service alerts). This entry will be updated with the provider name and DPA details upon finalisation. Candidates include Postmark, Mailgun, and SendGrid. |
|
| Purpose Delivery of transactional emails triggered by platform events and user actions |
Personal Data Processed Email address, name (for personalisation), email delivery metadata (timestamps, delivery status) |
LLM Providers
1 processor category | US | SCCS | TIA REQUIRED
LLM Providers (via LiteLLM Proxy) - Large language model inference for agent evaluation
Important: VerifyAX routes AI inference requests through an internal LiteLLM Proxy. Prompts may be forwarded to one or more LLM providers depending on the model selected. Prompt content may contain personal data depending on how clients configure their agent tests. Clients are contractually required to avoid including special category personal data in prompts without a specific data processing addendum. A Transfer Impact Assessment has been conducted for all US-based LLM providers.
Providers Currently Engaged
|
|||||||||||||||||
| Purpose Processing of user and client prompts for AI agent evaluation, simulation, and scoring within the VerifyAX platform |
Personal Data Processed Prompt content (variable — depends on client use case; may contain names, contact details, or other personal data). Response content. Session identifiers. |
||||||||||||||||
| Retention by Provider Per provider API terms — typically prompts are not retained for training for API customers. Confirm per provider DPA. |
Risk Level Medium — US transfers require SCCs and TIA. Clients must not include special category data in prompts without written agreement. |
||||||||||||||||
Observability & Monitoring
Langfuse — LLM observability, prompt tracing and evaluation logging
3 processors
| Legal Entity Langfuse GmbH (Germany) |
Processing Location EU (Germany) — EU cloud hosted. No transfer to third countries for EU/UK customers. |
| Purpose Logging and tracing of LLM prompt and response pairs for platform observability, debugging, and quality evaluation. Internal use only. |
Personal Data Processed Prompt content, response content, trace metadata, session identifiers, timestamps. Access restricted to authorised Conscium engineering personnel only. |
| Transfer Safeguard Langfuse DPA — EU hosting; UK–EU adequacy applies. No third-country transfer. |
Risk Level Low — EU hosted; DPA in place; access controlled |
| Further Information Langfuse Security & Privacy ↗ |
|
ClickHouse — Analytics database for observability data
| Deployment Model Self-hosted on Google Cloud Platform (GKE, Observability Project). Not a third-party SaaS deployment. |
Processing Location UK (GCP europe-west2, London) — covered by Google Cloud DPA |
| Purpose Storing and querying LLM trace data and platform analytics for internal observability and performance monitoring |
Personal Data Processed Aggregated usage analytics, LLM trace data (which may include prompt content). Access restricted to Conscium engineering team. |
| Transfer Safeguard Google Cloud DPA — self-hosted on GCP; no separate ClickHouse entity processes data |
Risk Level Low — self-hosted on GCP UK; covered by GCP DPA |
Grafana — Metrics dashboards and system monitoring
| Deployment Model Self-hosted on Google Cloud Platform (GKE, Observability Project). |
Processing Location UK (GCP europe-west2, London) |
| Purpose Displaying aggregated system performance metrics, infrastructure health dashboards, and alerting for the VerifyAX platform. Internal use only. |
Personal Data Processed Minimal. Aggregated infrastructure metrics. Grafana does not process user personal data directly. |
| Transfer Safeguard Google Cloud DPA — self-hosted on GCP; no third-party data transfer |
Risk Level Low — minimal personal data; self-hosted on GCP UK |
Development & CI/CD
GitHub (Microsoft) — Source code repository and CI/CD pipelines
1 processor | EU BOUNDARY | SCCS
| Legal Entity GitHub, Inc. (subsidiary of Microsoft Corporation) |
Processing Location EU (Microsoft EU Data Boundary enabled). Some metadata may be processed in the US — covered by SCCs. |
| Purpose Hosting VerifyAX source code repositories; running automated CI/CD build and deployment pipelines via GitHub Actions; developer account management |
Personal Data Processed Developer account data (name, email, GitHub handle). Source code — which must not contain real personal data. CI/CD pipeline logs. Production personal data must never be used in CI/CD pipelines. |
| Transfer Safeguard GitHub DPA + Microsoft Standard Contractual Clauses. EU Data Boundary activated. |
Risk Level Low — code repository; production personal data must not be present; SCCs and EU boundary in place |
| Further Information GitHub Privacy Statement ↗ | GitHub DPA ↗ |
|
Change Log
May 2026 - PUBLISHED — Initial sub-processor list published. Nine sub-processors listed across infrastructure, identity, billing, AI providers, observability, and DevOps categories.
Contact
This page is maintained by Conscium Limited (company number 15404582), registered in England and Wales.
Data controller contact: privacy@conscium.com — Sea Containers House, Upper Ground, London SE1 9GL. For our full Privacy Notice see conscium.com/legal. For our Terms of Service see conscium.com/terms-of-use.