— the legal stuff.

// // who we work with

Sub-processors, in plain English.

We're a UK Ltd company processing your data with help from these specialist services. We've reviewed each one's security and signed Data Processing Agreements with all of them. We notify you 30 days before adding any new sub-processor; you can object.

Effective 1 May 2026

Draft · awaiting solicitor review before binding use

  • Anthropic

    United States · UK SCCs

    Purpose: Primary LLM (reply drafting + classification)

    Data: Interaction content (call transcripts, email/SMS body, review text) for prompt + completion only; no training

  • OpenAI

    United States · UK SCCs

    Purpose: LLM fallback when Anthropic is degraded

    Data: Same as Anthropic; activated only on failover

  • Twilio (UK)

    United Kingdom

    Purpose: Inbound + outbound voice + SMS

    Data: Phone numbers, call audio, SMS bodies, call metadata

  • Telnyx

    European Union

    Purpose: Voice + SMS fallback when Twilio is degraded

    Data: Same as Twilio; activated only on failover

  • Retell

    United States · UK SCCs

    Purpose: Voice agent runtime (real-time TTS + STT)

    Data: Live call audio during the call only; not stored beyond the recording window

  • Synthflow

    United States · UK SCCs

    Purpose: Voice agent fallback

    Data: Same as Retell; activated only on failover

  • ElevenLabs

    United States · UK SCCs

    Purpose: Optional voice cloning (V1.1)

    Data: Customer voice sample (only if you opt in)

  • Supabase

    European Union (Frankfurt)

    Purpose: Database, auth, storage

    Data: Everything Workhand stores at rest

  • Vercel

    Global edge; primary US · UK SCCs

    Purpose: Application hosting

    Data: Request metadata; no persistent customer data

  • Cloudflare

    Global edge · UK SCCs

    Purpose: DNS + CDN

    Data: Request metadata only

  • Railway

    United States · UK SCCs

    Purpose: n8n workflow runner host

    Data: Workflow execution data (transient)

  • Resend

    United States · UK SCCs

    Purpose: Transactional email (operator alerts, magic links)

    Data: Recipient email + message content

  • Postmark

    United States · UK SCCs

    Purpose: Transactional email fallback

    Data: Same as Resend; activated only on failover

  • Stripe

    United States / Ireland · UK SCCs

    Purpose: Subscription billing + payment intents

    Data: Card data is held by Stripe — Workhand never sees it; we hold a customer reference + invoice metadata

  • Metricool

    European Union (Spain)

    Purpose: Social posting (Instagram / Facebook / LinkedIn)

    Data: Post drafts + scheduling metadata; account credentials remain with the platforms

  • Sentry

    United States · UK SCCs

    Purpose: Error monitoring

    Data: Stack traces + request metadata; PII scrubbing rules applied at capture

  • Axiom

    United States · UK SCCs

    Purpose: Structured log aggregation

    Data: Application logs (no raw interaction content)

This list is updated within 24 hours of any change. Existing customers get a 30-day notice on additions.

Questions on this page? Email felix@workhand.co.uk — Felix reads everything. For DSAR submissions specifically, use the in-app DSAR form so the request lands in the audit log directly.