Subprocessor and Third-Party Data Recipients Register

Effective Date: 10 July 2026

This register identifies BrokerCentral subprocessors and third-party data recipients used in connection with the Services.

Subprocessor Purpose Region Data Types Transfer Mechanism
AWS S3
Document, image, email, migration, snapshot, and import file storage
London Region, eu-west-2
Uploaded documents, emails/EML, logos, migration files, client/policy files
UK hosting in London Region; AWS DPA applies automatically. AWS UK GDPR Addendum / SCCs as amended by IDTA apply for UK-restricted transfers.
AWS SES
Email delivery options
London Region, eu-west-2
Email recipients, subjects, bodies, attachments
UK hosting in London Region where configured; AWS DPA applies automatically. AWS UK GDPR Addendum / SCCs as amended by IDTA apply for UK-restricted transfers.
Mailtrap
Development, staging, and UAT catch-all mailbox
USA
Email recipients, subjects, bodies, attachments
Mailtrap DPA states DPF applies to UK/EEA-US transfers; UK SCCs / EU SCCs apply if DPF no longer applies. Subprocessors outside UK/EEA are covered by similar clauses.
AWS SNS
SMS delivery
London Region, eu-west-2
Phone numbers, SMS bodies, sender IDs
UK hosting in London Region where configured; AWS DPA applies automatically. AWS UK GDPR Addendum / SCCs as amended by IDTA apply for UK-restricted transfers.
AWS Lambda
MSG-to-EML conversion and optional PDF rendering
London Region, eu-west-2
Uploaded .msg email files and attachments
UK hosting in London Region where configured; AWS DPA applies automatically. AWS UK GDPR Addendum / SCCs as amended by IDTA apply for UK-restricted transfers.
Google Workspace / Gmail API
User Gmail sending using client Google Workspace accounts
Client dependent / Google global infrastructure
Email contents and Gmail OAuth tokens
Google Cloud Data Processing Addendum; UK Extension to the EU-US Data Privacy Framework / UK-US Data Bridge where applicable, with SCCs as contractual fallback where required.
Google Maps Platform / Places / Geocoding / Street View
Address and postcode lookup, geocoding, Places enrichment, and Street View imagery retrieval
Google global infrastructure; Google LLC / Google Ireland controller terms
Postcodes, addresses, latitude/longitude, formatted address, place IDs, panorama IDs, and Google Maps/Places/Street View content displayed or cached where permitted by Google terms
Google Controller-Controller Data Protection Terms; independent-controller arrangement. For UK restricted transfers, Google’s Controller SCCs apply with the UK International Data Transfer Addendum; Google may also rely on an adopted Data Transfer Solution such as the UK Extension to the EU-US Data Privacy Framework where applicable.
Intercom
In-app support and messaging
USA / Ireland / Australia
User ID, name, email, phone, brokerage/company metadata, onboarding/support events
Intercom DPA relies on EU-US / Swiss-US / UK-US Data Privacy Framework certification for US restricted transfers, with fallback EU SCCs and UK Addendum / UK SCCs where required.
Blink Payments
Payment links and payment status lookup
GDPR-compliant location
Client name, email/mobile, address/postcode, amount, transaction references
Pending vendor confirmation. Public privacy policy reviewed; processor DPA and UK GDPR transfer mechanism not yet publicly verified.
OpenAI
Document categorisation and extraction
USA
Extracted document text, insurance document metadata, prompts
OpenAI DPA: UK Data is processed under SCCs amended by the UK Addendum; EEA/Swiss transfers use SCCs or adequacy decisions where applicable.
Simplified.id
Sanctions screening
UK and EEA (primary processing in UK; encrypted backups stored in AWS S3, Dublin, Ireland; platform accessible globally by authorised users)
Client/contact/officer names, addresses, DOB, nationality, sanctions screening results/decisions
UK adequacy regulations for the EEA (Ireland). Article 28 DPA in place. No subprocessors used for sanctions screening.
Applied Systems Europe Ltd t/a Applied Systems UK
Rating Hub / EDI rating and policy fulfilment
UK; agreement permits transfers to Applied group companies and third parties within or outside the EEA
Client name, DOB, licence information, vehicle registration details, quote/policy/EDI transaction data
Partially confirmed / pending vendor confirmation. UK processor terms are included in the agreement, but the agreement does not specify the transfer safeguard for any non-UK/EEA transfers. Confirm whether SCCs, UK Addendum, IDTA, adequacy, or Data Bridge applies.