Sub-processor Register
Last updated: February 2026
This document should be reviewed by legal counsel before reliance.
HypnoVox acts as a data processor on behalf of therapists (data controllers) who use the platform. In order to provide the HypnoVox service, we engage the following third-party sub-processors to process personal data on behalf of our controllers.
This register is maintained in accordance with Article 28 of the UK GDPR and the Data Processing Agreement between HypnoVox and each controller.
Current Sub-processors
| Sub-processor | Purpose | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, and file storage for audio recordings | All application data including client personal data, session metadata, and audio recordings (special category data) | Cloud infrastructure (AWS). Project region should be verified in the Supabase dashboard. | DPA signed |
| Vercel Inc. | Application hosting, serverless functions, and content delivery network (CDN) | Request logs, deployment data, server-side rendered page content. Audio files and client data are not persistently stored by Vercel. | Global CDN with US-based origin servers | EU–US Data Privacy Framework (DPF) certified |
| Resend Inc. | Transactional email delivery for sharing recordings with clients | Client email addresses, therapist display names, recording titles, and secure share link URLs | United States | EU–US Data Privacy Framework (DPF) certified |
Change Notification
In accordance with our Data Processing Agreement, we will notify all controllers at least 30 days in advance of any intended changes to the sub-processors listed above. This includes the addition of new sub-processors, the removal of existing sub-processors, or changes to the purpose or scope of processing carried out by a sub-processor.
Controllers who object to a proposed change may raise their concerns in writing within the 30-day notice period. We will discuss those concerns in good faith with a view to achieving a commercially reasonable resolution.
International Data Transfers
Where personal data is transferred outside the United Kingdom, we ensure that appropriate safeguards are in place in accordance with Chapter V of the UK GDPR. Currently, transfers to the United States are covered by the EU–US Data Privacy Framework (DPF) as recognised under the UK Extension to the DPF, or by Standard Contractual Clauses (SCCs) where DPF certification is not available.
We regularly review the transfer mechanisms in place with each sub-processor to ensure continued compliance with applicable data protection legislation.
Contact
For questions about our sub-processors or data processing practices, contact us at privacy@hypnovox.app.