Sub-processors — Mecha Site

Overview

A sub-processor is a third party we engage to help us deliver the service. Each one has signed (or auto-accepted by click-through) a Data Processing Agreement that flows down our obligations to your data. We disclose the full list publicly here.

We do not engage a sub-processor that we have not assessed for security and transfer-mechanism adequacy. Detailed per-vendor assessments — Transfer Risk Assessments under the UK GDPR ‘not materially lower’ standard — are kept on file and available on request to verified controller customers.

Current sub-processors (12)

Sub-processors engaged by Mecha Site, listed alphabetically.
Sub-processor	Purpose	Location
Cloudflare, Inc.	Content delivery network, DDoS protection, and DNS for the Mecha Site platform and the websites we manage.	Global edge network (data residency: UK/EU edges preferred)
Cloudflare R2 (Cloudflare, Inc.)	Object storage for site assets, generated artefacts, and DSAR export bundles.	EEA-resident buckets (jurisdictional hint enforced)
GitHub, Inc. (Microsoft)	Source code repositories for client websites (deploy pipeline) and internal Mecha Site code. Engaged via GitHub App.	United States
Inngest, Inc.	Durable workflow orchestration for deployment pipelines, complaint deadline timers, and async jobs.	United States
MXRoute (Atlas Industries LLC)	Email hosting for client custom domains (managed website mailboxes). Currently testing on basic 10GB tier.	United States (data centre: Texas)
Neon, Inc.	Managed PostgreSQL database for the Mecha Site platform (London region) and per-site DBs in deployment pipeline.	United Kingdom (eu-west-2 region)
Render Services, Inc.	Application hosting (PaaS) for the Mecha Site platform and generated client websites.	United States
Resend, Inc.	Transactional email delivery (welcome, password reset, security alerts, complaint acknowledgements, ops notifications).	United States
Sentry (Functional Software, Inc.)	Error monitoring and (consent-gated) session replay recordings.	United States
Statsig, Inc.	Feature flag evaluation and aggregate product analytics. Two-mode init (anonymous stableID on public routes; userID on authenticated routes) per consent.	United States
Stripe Payments UK Ltd	Subscription billing, payment processing, customer object management, VAT handling.	United Kingdom (Stripe UK entity); fall-back EU/US for payment rails
Upstash, Inc.	Serverless Redis for rate limiting, ephemeral cache, and Layer 1 edge throttling.	Global edge (EU primary region: eu-west-1)

How we notify you of changes

We give all customers at least 30 days’ notice before adding a new sub-processor that processes your personal data. You can object during that window via the contact below; we’ll work with you on alternatives.

This page is the source of truth — the “Last updated” date at the top changes whenever the list changes.
Email notifications are sent to subscribers (sign-up form coming Q3 2026 — for now email privacy@mechasite.com with subject “Subscribe to sub-processor updates”).
RSS feed at /legal/sub-processors/rss.xml (coming Q3 2026 alongside the email opt-in).
Direct customer emails for material changes (new vendor in a new data category) sent to the registered owner address on each org.

International transfers

Where a sub-processor is outside the United Kingdom or European Economic Area, we rely on one of the following mechanisms (per row in our internal register):

UK adequacy decision — for transfers to countries the UK Government has assessed as adequate.
UK Extension to the EU-US Data Privacy Framework — for certified US recipients listed at dataprivacyframework.gov.
UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs — when the above are not available.

Each transfer is backed by a Transfer Risk Assessment evaluating the destination-country legal regime against the “not materially lower” standard introduced by DUAA 2025. Assessments are reviewed annually or sooner on relevant change (legal, contractual, or breach event).

Requesting more detail

Verified controller customers can request:

The current per-vendor TRA documentation.
The DPA (or DPA equivalent) we hold with each sub-processor.
SOC 2 / ISO 27001 attestations where the vendor publishes them.

Email dpo@mechasite.com from the email address on your account. Our DPA governs how we share this information.