1. About This Page
TIMVERO Ltd uses a small number of third-party services to operate timvero.com and the timveroOS platform. These services are sub-processors under UK GDPR / EU GDPR Article 28 — they process personal data on our behalf, under written Data Processing Agreements with us.
This page lists the sub-processors that handle personal data collected through this Website. (Sub-processors that are part of the timveroOS platform itself are governed by your separate contract with us.) For full context on what personal data we collect and why, see our Privacy Policy; for cookies specifically, see our Cookie Policy.
We update this list when sub-processors change. To be notified of changes, write to privacy@timvero.com and request to be added to our sub-processor change notification list.
2. Sub-Processors
| Sub-Processor | Service | Processing Location | Their Sub-Processors |
|---|---|---|---|
| Google LLC | Analytics (GA4), Tag Manager, Ads conversion tracking | USA | privacy.google.com/businesses/subprocessors |
| HubSpot Inc. | CRM, marketing automation, embedded forms, website tracking | USA | legal.hubspot.com/dpa-sub-processors-list |
| Vercel Inc. | Website hosting, serverless functions, content delivery, blob media storage, web analytics | European Union (Frankfurt / London) for stored data; USA for control plane | vercel.com/legal/subprocessors |
| Neon Inc. | Managed PostgreSQL database for our content management system | United Kingdom (London region) for stored data; USA for control plane | neon.com/subprocessors |
| Cloudflare Inc. | Content delivery network, DDoS protection, web application firewall, bot management | Global edge network; USA for control plane | cloudflare.com/gdpr/subprocessors |
3. International Transfers
Sub-processors located in the United States process personal data under one or more of the following safeguards:
- EU-US Data Privacy Framework certification — verifiable at dataprivacyframework.gov/list.
- UK International Data Transfer Agreements (IDTAs) approved by the UK Information Commissioner's Office.
- Standard Contractual Clauses (SCCs) approved by the European Commission, as supplementary safeguard.
For more on how we manage these transfers, see Section 8 ("International Data Transfers") of our Privacy Policy.
4. How We Choose Sub-Processors
Before engaging any new sub-processor, we:
- Verify they offer a Data Processing Agreement that meets Article 28 GDPR requirements.
- Review their security posture (SOC 2, ISO 27001, or equivalent independent attestation where available).
- For non-EEA / UK destinations, document the legal basis for international transfer and assess whether the destination provides essentially equivalent protection.
- Maintain an internal record (Records of Processing Activities and Sub-Processor Register) for accountability under Article 30.
5. Changes to This List
We may add or change sub-processors from time to time as our infrastructure evolves. When that happens, we update this page and refresh the "Last Reviewed" date below. We do not separately email customers about routine sub-processor changes; if you have a contractual right to be notified (e.g. as part of an enterprise agreement), that notice is sent through the channel agreed in the contract.
6. Contact
For questions about this list, the sub-processors listed, or our Article 28 controller-processor relationship with any of them, contact:
Email: privacy@timvero.com
Subject line: "Sub-Processor Question — [Vendor Name]"