Sub-processor Register
Last updated: February 2026
HypnoVox acts as a data processor on behalf of therapists (data controllers) who use the platform. In order to provide the HypnoVox service, we engage the following third-party sub-processors to process personal data on behalf of our controllers.
This register is maintained in accordance with Article 28 of the UK GDPR and the Data Processing Agreement between HypnoVox and each controller.
Current Sub-processors
| Sub-processor | Purpose | Data Processed | Location | Transfer Mechanism | Verification |
|---|---|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, and file storage for audio recordings | All application data including client personal data, session metadata, and audio recordings (special category data) | AWS eu-west-1 (Ireland) | DPA signed + EU hosting (no international transfer) | supabase.com/legal/dpa |
| Vercel Inc. | Application hosting, serverless functions, and content delivery network (CDN) | Request logs, deployment data, server-side rendered page content. Audio files and client data are not persistently stored by Vercel. | Global CDN (US primary) | UK Extension to EU–US Data Privacy Framework (DPF) | DPF participant list |
| Resend Inc. | Transactional email delivery for sharing recordings with clients | Client email addresses, therapist display names, recording titles, and secure share link URLs | United States | UK Extension to EU–US Data Privacy Framework (DPF) | DPF participant list |
Supabase data residency: eu-west-1 (Ireland). This can be confirmed in the Supabase project dashboard.
Change Notification
In accordance with our Data Processing Agreement, we will notify all controllers by email to their registered email address at least 30 days in advance of any intended changes to the sub-processors listed above. This includes the addition of new sub-processors, the removal of existing sub-processors, or changes to the purpose or scope of processing carried out by a sub-processor.
Controllers who object to a proposed change may raise their concerns in writing within the 30-day notice period. We will discuss the concern in good faith with a view to achieving a commercially reasonable resolution.
International Data Transfers
Where personal data is transferred outside the United Kingdom or the European Economic Area, we ensure that appropriate safeguards are in place in accordance with Chapter V of the UK GDPR. Currently, transfers to the United States are covered by the EU–US Data Privacy Framework (DPF) as recognised under the UK Extension to the DPF.
Where DPF certification is not available for a sub-processor, we rely on the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) to provide adequate protection.
We regularly review the transfer mechanisms in place with each sub-processor to ensure continued compliance with applicable data protection legislation.
Contact
For questions about our sub-processors or data processing practices, contact us at privacy@hypnovox.app.