Sub-processors

The suppliers we use to deliver the AI Concierge service, where they process data, and the legal mechanisms we rely on for any transfer outside the UK.

Published by: Belport AI Ltd (Companies House number to follow at incorporation)
ICO registration: [ICO registration number — ZAxxxxxx — to follow at incorporation]
Contact: [email protected] · postal address available on written request
Last reviewed: 13 May 2026
Last published: [publication date — to be filled at go-live]

What this list is, and why we publish it

A sub-processor is a third-party company that processes personal data on our behalf so that we can run the AI Concierge service for residential buildings. For example: the company that hosts our database, or the company that provides the AI model that drafts replies. We don't sell your data and we don't share it with advertisers — but we do rely on a small number of trusted suppliers to actually run the service.

We publish this list for three reasons:

Your building's management company (our customer) can see, in advance, every supplier we use, where the data is held, and what legal mechanism makes any transfer outside the UK lawful. Our contract with each customer gives them at least 30 days' written notice before we add a new sub-processor, replace one, or change where one of them processes data — and the right to object on reasonable data-protection grounds within that window.
You, a resident, can see who is involved in the chain that carries your WhatsApp messages.
Regulators (in our case primarily the UK Information Commissioner's Office) can verify that what we tell residents matches what we have in our internal records.

If you click through to this page from the resident privacy notice or from our DPA, this list is the up-to-date version. The privacy notice may summarise it, but if the summary and this list ever diverge, this list controls.

"Personal data": Any information that relates to an identifiable living person: your name, your phone number, your messages, your apartment number.
"Sub-processor": A third-party supplier that handles personal data on Belport AI's behalf.
"Transfer mechanism": The specific UK GDPR-approved legal basis we rely on when personal data leaves the UK. The main two we use are (i) the UK Extension to the EU–US Data Privacy Framework, an adequacy decision the UK government made about certain US companies, and (ii) the International Data Transfer Agreement (IDTA), a model contract approved by the UK Information Commissioner's Office.
"DPF" / "Data Privacy Framework": The US-side certification scheme that makes the UK Extension available. We check that any US sub-processor we rely on the UK Extension for is actively listed on dataprivacyframework.gov/list with the UK Extension opted in.
"DPA": Data Processing Agreement. The contract we sign with each sub-processor that sets out what they can and can't do with personal data.

verified The fact in that row has been confirmed against the vendor's current published documentation. verification pending Documented and contractually scoped, but the vendor's live status (e.g. DPF certification, exact entity name, region) still needs to be checked against the official source before this page goes live.

Sub-processors we use

1. Meta Platforms Ireland Ltd (and Meta Platforms, Inc. / WhatsApp LLC as Meta sub-processors)

Operates the WhatsApp Business Cloud API — the channel that carries every inbound and outbound message between the resident and the assistant.

Categories of personal data: Phone number; message content (text and voice); message metadata (timestamps, delivery receipts); WhatsApp account display name.
Processing location: Ireland (Meta Platforms Ireland) with onward routing to the United States (Meta Platforms, Inc. infrastructure).
Transfer mechanism: verified Meta DPA + UK Data Transfer Addendum to EU SCCs (Meta-published; covers UK→US within Meta's chain). Belport AI is not an exporter to Meta US directly — Meta Ireland is the contracting counterparty.
DPA / contract: WhatsApp Business Data Processing Terms
UK Data Transfer Addendum
Certifications: Meta-published security and privacy assurance materials. SOC 2 / ISO 27001 status [verify against Meta trust centre].
Last reviewed: 13 May 2026

2. OpenAI, L.L.C. / OpenAI OpCo, LLC

Provides the AI model (GPT-4o-mini) that reads messages and helps draft replies; the embeddings model used for retrieval against the building's knowledge base; the Whisper voice-transcription endpoint; and the Responses API used for optional web search. OpenAI is contractually prohibited from using API submissions to train OpenAI's general models — this is the API default and is recorded in OpenAI's DPA.

Categories of personal data: Message content (text and transcribed voice — original audio is never persisted by Belport AI); resident name where given; building / apartment context (so the model knows which knowledge base to draw on); inferred profile snippets when surfaced into prompts.
Processing location: EU residency endpoint where supported by OpenAI; United States for endpoints that do not yet support EU residency. [verify which endpoints currently support EU residency on the operator's account]
Transfer mechanism: verification pending UK Extension to the EU–US DPF for endpoints handled by OpenAI entities actively DPF-listed with the UK Extension opted in; IDTA + UK Addendum to EU SCCs (incorporated into OpenAI's DPA) + a TRA using ICO Tool Option 3 for residual endpoints. Zero Data Retention (ZDR) enabled on eligible endpoints so OpenAI's default 30-day abuse-monitoring retention is set to zero.
DPA / contract: OpenAI DPA. Sub-processor disclosures via the enterprise privacy page and, for active customers, behind the platform login.
Certifications: SOC 2 Type II (per OpenAI Trust Portal — verify currency); DPF status of OpenAI entities [verify against the live DPF list].
Last reviewed: 13 May 2026

3. Railway Corp.

Hosts the production PostgreSQL database (including pgvector embeddings), the Redis queue (BullMQ), and the application servers. Field-level encryption is applied at the application layer to message content, inferred-profile fields, and consent-prompt snapshots.

Categories of personal data: All categories: identifiers (hashed phone, name, apartment, email where given); message content (encrypted at application layer); inferred-profile data (encrypted); ticket records; key-release events; audit logs; consent events.
Processing location: Today (May 2026): United States — us-east4, Ashburn, Virginia. Target post-migration: EU (London / Amsterdam). This page will be updated when the migration completes — that constitutes a sub-processor geographic-location change under our DPA and triggers the 30-day notice.
Transfer mechanism: verification pending During the US-region transition: IDTA + UK Addendum to EU SCCs with Railway, supplemented by a TRA using ICO Tool Option 3. After the EU migration: UK→EEA adequacy under the Data Protection (Adequacy) (United Kingdom) Regulations — no further Article 46 safeguards required.
DPA / contract: Railway DPA — published at railway.com/legal/dpa [verify exact URL and content currency].
Certifications: SOC 2 Type II [verify]; ISO 27001 status [verify against Railway trust hub].
Last reviewed: 13 May 2026

4. Cloudflare, Inc.

Provides R2 object storage for knowledge-base documents (building handbooks, house rules, contractor information) and building photos uploaded by managers. Voice audio is never written to Cloudflare R2 — Whisper transcription runs against a streaming memory buffer only.

Categories of personal data: KB documents (may incidentally name residents); building photos (may incidentally contain residents); manager-uploaded asset metadata. No message content. No voice audio.
Processing location: EU jurisdiction (R2 location hint = eu). [verify R2 bucket location-hint setting in production]
Transfer mechanism: verification pending UK→EEA adequacy for transfers into the eu location — no further Article 46 safeguards required. UK Extension fallback (Cloudflare entities on the active DPF List with the UK Extension opted in) for the rare case that an R2 object is served from a non-EU edge.
DPA / contract: Cloudflare Customer DPA; Cloudflare's sub-processor list; Cloudflare Trust Hub.
Certifications: SOC 2 Type II verified; ISO 27001 verified; PCI DSS verified; DPF status [verify].
Last reviewed: 13 May 2026

5. Langfuse GmbH

Operates Langfuse Cloud, the observability platform we use to record traces of LLM interactions for debugging and quality monitoring. Traces include the prompt we sent to the model, the retrieved knowledge-base chunks, and the completion the model returned. 30-day retention configured at Langfuse.

Categories of personal data: Message content within prompts and completions; retrieved KB chunks; model and token metadata; trace identifiers. No phone numbers or apartment numbers transmitted as discrete fields (these are redacted before they reach a trace).
Processing location: EU — Langfuse Cloud Frankfurt region. [verify exact Langfuse legal entity and Cloud region]
Transfer mechanism: verification pending UK→EEA adequacy — no further Article 46 safeguards required. Standard Article 28 processor obligations apply via the Langfuse DPA.
DPA / contract: Langfuse DPA — verify on langfuse.com/security or successor URL [verify].
Certifications: SOC 2 Type II [verify]; ISO 27001 [verify].
Last reviewed: 13 May 2026

6. Resend, Inc.

Sends transactional email for the staff dashboard only — manager invitations, password resets, weekly digest emails. Resend is not used for any resident-facing communication. Residents interact with Belport AI exclusively over WhatsApp.

Categories of personal data: Manager email addresses; manager names; transactional email content (e.g. invitation links, digest summaries — which may reference resident first names but do not transmit message bodies).
Processing location: United States [verify — Resend offers an EU sending region; confirm which is configured].
Transfer mechanism: verification pending UK Extension to the EU–US DPF if Resend is actively DPF-listed with the UK Extension opted in; IDTA + UK Addendum + TRA Option 3 otherwise.
DPA / contract: Resend DPA — [verify URL on resend.com/legal].
Certifications: SOC 2 Type II [verify].
Last reviewed: 13 May 2026

7. Google LLC / Google Ireland Ltd (Google Maps Platform — Places API only)

Provides building-level address and amenity lookup ("the nearest dry cleaner to building X") for resident questions. Queries are constructed so that no resident identifier is sent to Google — the query contains the building address and the resident's question text, never the resident's name or phone number.

Categories of personal data: Query text (may incidentally contain personal data if a resident's free-text question includes it); building address; coarse location. No phone number, no apartment number, no resident name as a discrete field.
Processing location: EU and United States (Google's global Maps Platform infrastructure).
Transfer mechanism: verification pending UK Extension to the EU–US DPF (Google LLC is DPF-certified with the UK Extension opted in [verify]); Google Cloud DPA + UK Addendum as a fallback / parallel mechanism.
DPA / contract: Google Cloud DPA; Maps Platform terms.
Certifications: SOC 2 verified; ISO 27001 verified; ISO 27017 verified; ISO 27018 verified; DPF status [verify on the live DPF list].
Last reviewed: 13 May 2026

Voice audio. Belport AI's Whisper transcription runs against a streaming in-memory buffer. Original voice audio is never persisted to Postgres, Redis, R2, Langfuse, or any disk. This is verified in code and is locked in by a regression test.

Key-release feature. The automated key-release feature operates under a manager-approval gate — no key release is authorised solely by the assistant; a human at the building's management company approves, edits, or rejects every proposed release. The feature therefore does not engage UK GDPR Articles 22A–22D as a "solely automated" decision in the standard configuration.

How we tell you about changes

For our customers (the building management companies)

The formal contractual commitment lives in our DPA. We give at least 30 days' written notice before:

adding a new sub-processor,
replacing an existing sub-processor, or
changing the geographic location of processing of an existing sub-processor.

The customer can object within the notice period on reasonable data-protection grounds. We discuss the objection in good faith. If we can't agree, the customer may terminate the affected service or the master agreement without penalty for fees relating to the rejected change.

For residents and other interested readers

There is no contract between Belport AI and an individual resident, so the contractual notice mechanism above doesn't apply. Instead:

This page is date-stamped at the top and we update those dates on every material change.
You can subscribe to changes by emailing [email protected] with the subject line "Subscribe". We'll add you to a low-volume mailing list and send a short email each time this page changes materially. We won't use the address for anything else, and you can unsubscribe any time by replying "Unsubscribe".
A historical record of changes lives in the change log at the bottom of this page.

How to ask us a question

General questions about sub-processors, transfer mechanisms, or this list: [email protected]. We aim to reply within five working days.

Data subject rights requests (access, rectification, erasure, restriction, portability, objection, and complaints under UK GDPR Articles 15–22 and Articles 22A–22D) go through a separate flow described in our resident privacy notice, §7. The privacy notice covers the WhatsApp keyword commands (DATA, DELETE, STOP, NO SENSITIVE) and the identity-verification we apply before responding.

If you're unhappy with how we've handled a data-protection matter, you have the right to complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint — but we'd genuinely appreciate the chance to put it right first.

Change log

Date	Change
[publication date — to be filled at go-live]	Initial publication. Sub-processor list goes live alongside the resident privacy notice on Day 1 of Belport AI Ltd's incorporation.

This list is part of our compliance with UK GDPR Article 28(2)–(4), Article 30(1)(d), and the transparency obligations under Articles 12–14. If you spot a factual error, please email [email protected] and we'll correct the page and add an entry to the change log above.