Effective Date: 10 July 2026
This register identifies BrokerCentral subprocessors and third-party data recipients used in connection with the Services.
Transfer mechanisms have been populated where public DPA, processor terms, controller terms, or vendor documentation have been reviewed. Where marked as pending confirmation, the applicable vendor DPA, processor status, hosting or access location, or UK GDPR transfer safeguard remains subject to vendor or account confirmation.
| Subprocessor | Purpose | Region | Data Types | Transfer Mechanism |
|---|---|---|---|---|
| AWS S3 | Document, image, email, migration, snapshot, and import file storage |
London Region, eu-west-2 |
Uploaded documents, emails/EML, logos, migration files, client/policy files |
UK hosting in London Region; AWS DPA applies automatically. AWS UK GDPR Addendum / SCCs as amended by IDTA apply for UK-restricted transfers. |
| AWS SES | Email delivery options |
London Region, eu-west-2 |
Email recipients, subjects, bodies, attachments |
UK hosting in London Region where configured; AWS DPA applies automatically. AWS UK GDPR Addendum / SCCs as amended by IDTA apply for UK-restricted transfers. |
| Mailtrap | Development, staging, and UAT catch-all mailbox |
USA |
Email recipients, subjects, bodies, attachments |
Mailtrap DPA states DPF applies to UK/EEA-US transfers; UK SCCs / EU SCCs apply if DPF no longer applies. Subprocessors outside UK/EEA are covered by similar clauses. |
| AWS SNS | SMS delivery |
London Region, eu-west-2 |
Phone numbers, SMS bodies, sender IDs |
UK hosting in London Region where configured; AWS DPA applies automatically. AWS UK GDPR Addendum / SCCs as amended by IDTA apply for UK-restricted transfers. |
| AWS Lambda | MSG-to-EML conversion and optional PDF rendering |
London Region, eu-west-2 |
Uploaded .msg email files and attachments |
UK hosting in London Region where configured; AWS DPA applies automatically. AWS UK GDPR Addendum / SCCs as amended by IDTA apply for UK-restricted transfers. |
| Google Workspace / Gmail API | User Gmail sending using client Google Workspace accounts |
Client dependent / Google global infrastructure |
Email contents and Gmail OAuth tokens |
Google Cloud Data Processing Addendum; UK Extension to the EU-US Data Privacy Framework / UK-US Data Bridge where applicable, with SCCs as contractual fallback where required. |
| Google Maps Platform / Places / Geocoding / Street View | Address and postcode lookup, geocoding, Places enrichment, and Street View imagery retrieval |
Google global infrastructure; Google LLC / Google Ireland controller terms |
Postcodes, addresses, latitude/longitude, formatted address, place IDs, panorama IDs, and Google Maps/Places/Street View content displayed or cached where permitted by Google terms |
Google Controller-Controller Data Protection Terms; independent-controller arrangement. For UK restricted transfers, Google’s Controller SCCs apply with the UK International Data Transfer Addendum; Google may also rely on an adopted Data Transfer Solution such as the UK Extension to the EU-US Data Privacy Framework where applicable. |
| Intercom | In-app support and messaging |
USA / Ireland / Australia |
User ID, name, email, phone, brokerage/company metadata, onboarding/support events |
Intercom DPA relies on EU-US / Swiss-US / UK-US Data Privacy Framework certification for US restricted transfers, with fallback EU SCCs and UK Addendum / UK SCCs where required. |
| Blink Payments | Payment links and payment status lookup |
GDPR-compliant location |
Client name, email/mobile, address/postcode, amount, transaction references |
Pending vendor confirmation. Public privacy policy reviewed; processor DPA and UK GDPR transfer mechanism not yet publicly verified. |
| OpenAI | Document categorisation and extraction |
USA |
Extracted document text, insurance document metadata, prompts |
OpenAI DPA: UK Data is processed under SCCs amended by the UK Addendum; EEA/Swiss transfers use SCCs or adequacy decisions where applicable. |
| Simplified.id | Sanctions screening |
UK and EEA (primary processing in UK; encrypted backups stored in AWS S3, Dublin, Ireland; platform accessible globally by authorised users) |
Client/contact/officer names, addresses, DOB, nationality, sanctions screening results/decisions |
UK adequacy regulations for the EEA (Ireland). Article 28 DPA in place. No subprocessors used for sanctions screening. |
| Applied Systems Europe Ltd t/a Applied Systems UK | Rating Hub / EDI rating and policy fulfilment |
UK; agreement permits transfers to Applied group companies and third parties within or outside the EEA |
Client name, DOB, licence information, vehicle registration details, quote/policy/EDI transaction data |
Partially confirmed / pending vendor confirmation. UK processor terms are included in the agreement, but the agreement does not specify the transfer safeguard for any non-UK/EEA transfers. Confirm whether SCCs, UK Addendum, IDTA, adequacy, or Data Bridge applies. |