Sub-processors
Last updated:
These are the third-party services we use to provide GPDash. Each one is a sub-processor — they process personal data on our behalf under a data processing agreement, only on our instructions, and only for the purposes listed below.
We'll update this page whenever the list changes and notify existing customers by email before adding a new sub-processor that materially changes data flows.
Supabase
Privacy notice ↗RoleAuthentication and primary database hosting
Data handledAll account data, audit logs, MFA factor metadata, practice configuration
Regioneu-west-2 (London, UK)
AgreementStandard Supabase DPA
TOTP secrets are stored by Supabase Auth and are not readable by GPDash application code.
Vercel
Privacy notice ↗RoleApplication hosting (server functions and static assets)
Data handledNetwork traffic, request logs (30 days), CSP violation reports
RegionFrankfurt (fra1) primary; edge functions may be served from the nearest available region
AgreementStandard Vercel DPA
Upstash
Privacy notice ↗RoleRedis service for API rate limiting
Data handledHashed user ID or IP address + request counters (sliding window, max 1 hour)
RegionEU region (verified in account settings)
AgreementStandard Upstash DPA
No request content is stored — only counters.
Bunny Fonts
Privacy notice ↗RoleWeb font delivery (drop-in privacy-respecting replacement for Google Fonts)
Data handledHTTP request from your browser to load the font file. Bunny Fonts publicly commits to not logging IP addresses.
RegionEU/EEA hosted
AgreementBunny Fonts terms (no DPA needed — no personal data processed by them)
We migrated from Google Fonts in v4.24.1 specifically to avoid sending visitor IPs to a US-hosted CDN.
Open-Meteo
Privacy notice ↗RoleWeather forecast data feed for the demand prediction model
Data handledPractice location coordinates (already publicly known, e.g. NHS ODS) and date. No personal data sent.
RegionEU
AgreementNot required (anonymous query)
Weather is used as one of many features in the demand predictor model.
What about other tools?
Some tools are used by our development team (e.g. GitHub for source code, Claude for engineering assistance) but are not connected to the production data flow. They never see GPDash user data and are therefore not sub-processors. If that ever changes, this page will be updated and you'll be notified.