Subprocessors
Last Updated: 01 June 2026
This page lists the third-party service providers ("subprocessors") that Graded Prompts Ltd uses to operate the Graded Prompts marketplace at gradedprompts.com, and separately lists the independent controllers we share data with. It supplements our Privacy Policy and is maintained as a separate page so it can be kept up to date independently.
A subprocessor is a third party that processes personal data on our behalf to help us deliver the Platform. We share only the data each subprocessor needs to perform its specific function, and each is bound by contractual data-protection terms.
Some parties we work with are independent controllers rather than subprocessors — they receive personal data but determine their own purposes and means of processing under their own legal obligations. They are listed separately in Section 2.
1. Current Subprocessors
These parties process personal data on our behalf, under our instructions, pursuant to a Data Processing Agreement.
Infrastructure
| Subprocessor | Purpose | Data Processed | Location | Transfer Safeguard |
|---|---|---|---|---|
| Amazon Web Services EMEA SARL | Cloud hosting (Elastic Beanstalk, database, storage) and internal admin tooling used by Graded Prompts staff | All Platform data | us-east-1 (Virginia, USA) | UK Addendum to the EU SCCs / IDTA, per the AWS GDPR DPA |
| Amazon CloudFront (Amazon Web Services EMEA SARL / Amazon Web Services, Inc.) | Content delivery network and edge caching in front of the Platform | IP addresses, request metadata, cached static assets | Global edge network | UK Addendum to the EU SCCs / IDTA for traffic routed via non-UK/EEA edge locations |
Security and Anti-Abuse
| Subprocessor | Purpose | Data Processed | Location | Transfer Safeguard |
|---|---|---|---|---|
| Cloudflare, Inc. (Turnstile) | Bot and abuse protection on sign-up, login, and other public-facing forms | IP address, browser and device signals, interaction data, and a widget verification token | USA (delivered via Cloudflare's global network) | UK Addendum to the EU SCCs, per the Cloudflare DPA |
Communications
| Subprocessor | Purpose | Data Processed | Location | Transfer Safeguard |
|---|---|---|---|---|
| Postmark (operated by ActiveCampaign, LLC) | Transactional email delivery (password resets, OTPs, order confirmations, payout notifications) | Email address, message content | USA | UK Addendum to the EU SCCs, per the ActiveCampaign DPA |
Note on transfer instruments: The ICO recognises two instruments for restricted transfers — the standalone International Data Transfer Agreement (IDTA) and the UK Addendum to the EU SCCs. The label shown for each subprocessor above reflects the instrument used in that provider's current data processing terms. We confirm the applicable instrument against each provider's published DPA and update this page if it changes.
2. Independent Controllers
The following parties receive personal data but act as independent data controllers for that data, because they have their own legal obligations (under PSD2, anti-money-laundering rules, card-network rules, and similar). They are not our subprocessors. Their own privacy policies govern how they handle your data, and we encourage you to review them.
Payments and Payouts
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe Payments Europe Ltd / Stripe, Inc. | Buyer card payment processing, seller onboarding and identity verification (Stripe Connect), and seller payouts | Card details, billing address, transaction data, payout account details, identity data for KYC | Ireland / USA |
Banking and Network Operators
- Wise Payments Limited (Wise Business) — our operating bank. Wise receives aggregate settlements paid to Graded Prompts Ltd and does not process personal data of individual buyers or sellers on our behalf. Wise acts as an independent data controller for any data we provide to it.
- Card networks (Visa, Mastercard, etc.) — payment-network operators that route transactions; they are independent controllers.
Because these parties are independent controllers, the international transfers of personal data they make are governed by their own transfer arrangements and privacy policies, not by our processor safeguards. Where we provide them with data, that disclosure is a controller-to-controller sharing covered by Section 4 of our Privacy Policy.
3. Other Parties (Not Processors of User Data)
For clarity, the following are involved in operating Graded Prompts but do not process buyer or seller personal data:
- Our UK formation agent and Companies House — these relate to corporate registration, not user data processing.
4. Analytics, Advertising, and Tracking
We do not currently use third-party analytics, advertising, or cross-site tracking providers. If this changes, we will update this page and the Privacy Policy before the new subprocessor goes live, and we will request consent where required.
5. Updates to This List
We may add or change subprocessors as the Platform evolves. When we do:
- We will update this page with the new entry and the "Last Updated" date.
- If a future enterprise or team customer has a Data Processing Agreement with us that requires advance notice, we will follow the notice period agreed in that DPA.
6. Where Your Data Is Hosted
Primary Platform data is hosted with AWS in us-east-1 (Virginia, USA). Some of our subprocessors and independent controllers are also located outside the UK and EEA.
Where personal data is transferred to a country without a UK adequacy decision (including the USA), we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment and supplementary measures where appropriate.
7. Contact
Questions about our subprocessors, transfer safeguards, or to request copies of the relevant data protection terms:
Email: privacy@gradedprompts.com Registered Office: Graded Prompts Ltd, 128 City Road, London, EC1V 2NX, United Kingdom Company Number: 17080335
This page was last reviewed and updated on 01 June 2026.