1. About this Schedule
1.1 Purpose
This Schedule lists the third-party service providers ("Subprocessors") that Circlworld engages to operate the Platform and that process Personal Data on Circlworld's behalf as data processors under UK GDPR. It is referenced from the Privacy Policy and is incorporated by reference into the Terms of Service.
1.2 Maintenance
This Schedule is maintained current. When a new Subprocessor is engaged, or an existing one is removed, this Schedule is updated and the prior version is archived under /legal/archive for change-history. Material changes (the addition of a Subprocessor handling sensitive data, or a change to the data categories an existing Subprocessor receives) are notified to Members at least 30 days before they take effect. Routine changes (a Subprocessor moving between sub-regions of the same data-protection regime) are reflected here without separate notice.
1.3 Legal basis
Each Subprocessor processes Personal Data under a written data-processing agreement that incorporates the UK GDPR Article 28 obligations, the international data transfer mechanisms required where the Subprocessor is outside the UK / EEA (UK International Data Transfer Agreement or its US-equivalent successor), and an audit right reserved to Circlworld. Where a Subprocessor operates outside the UK / EEA, the safeguards are summarised in the entry below.
2. Subprocessors in use
2.1 Vercel
Service: Frontend application hosting and edge network. Provider: Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, United States. Region: Edge locations globally; primary data residency US. Personal Data received: request metadata (IP address, user-agent, requested URL, response status, timestamp), authentication cookies in transit (not at rest), Member-uploaded form payloads in transit. Purpose: serve the web application; cache static assets at the edge; route requests to the backend. Safeguards: Data Processing Agreement with UK International Data Transfer Agreement addendum. Vercel does not retain request bodies; access logs retained for operational diagnostics under Vercel's own retention schedule.
2.2 Railway
Service: Backend application hosting and database hosting. Provider: Railway Corp., 2261 Market St, San Francisco, CA 94114, United States. Region: US-West (primary). Personal Data received: all Personal Data Members provide to the Platform that is persisted in the relational database — name, email, phone number, country of residence, verification level, Standing record, Circle participation records, attestations, messages. Purpose: application hosting; primary data store. Safeguards: Data Processing Agreement with UK International Data Transfer Agreement addendum. Database at rest is encrypted; the application connects over TLS only; database backups are retained for the period necessary for operational recovery and are encrypted at rest.
2.3 Stripe
Service: Payment processing for subscriptions, one-time purchases, and basket checkout. Provider: Stripe Payments UK, Ltd., 211 Old Street, London EC1V 9NR, United Kingdom (UK-resident Members); Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, United States (other Members). Region: UK / EU for UK-resident Members; US for others. Card data is tokenised at Stripe and never reaches Circlworld systems. Personal Data received: name, email, billing address, card data (tokenised), country, currency, transaction amounts, subscription tier, basket line items. Purpose: charge Members for paid subscriptions, one-time purchases (audited records, AI credit packs, Storefront SKUs), and basket checkouts; issue refunds; manage subscription billing portal. Safeguards: PCI-DSS Level 1 certified; UK GDPR controller-to-processor for the Member data Circlworld sends; Stripe is an independent data controller for the payment-card data it tokenises.
2.4 Resend
Service: Transactional email delivery. Provider: Resend, Inc., 2261 Market St, San Francisco, CA 94114, United States. Region: US. Personal Data received: Member email address, Member name (as it appears in the email), message content (account verification codes, password reset links, transactional notifications, in-app digest summaries). Purpose: deliver transactional emails from notifications@circlworld.com. Safeguards: Data Processing Agreement with UK International Data Transfer Agreement addendum. Email content is delivered transiently; Resend does not retain email bodies beyond the delivery window. Sender domain authenticated via SPF, DKIM and DMARC.
2.5 Didit
Service: Identity verification (KYC) for Levels 2 through 4 per the Identity Verification Framework. Provider: Didit (legal entity per the platform's then-current contract; current registered office available on request from the Help Office). Region: EU. Personal Data received: government-issued photo identity document image, liveness selfie image, biometric template derived from the selfie, residential address proof image, name, date of birth, document number, nationality. For Level 2 and above: country of tax residence, source-of-funds attestation (where required), watchlist screening result. Purpose: verify Member identity per the Identity Verification Framework. Document images and biometric data are retained by Didit per its own retention schedule and are not stored on Circlworld systems. Circlworld receives only the verification outcome (pass / fail / refer) plus the structured fields necessary to operate the entitlement framework. Safeguards: EU-resident; UK GDPR processor agreement with adequacy decision. Members exercise data-subject rights over document images and biometric data directly with Didit; Circlworld facilitates requests through the Help Office.
2.6 Cloudflare R2
Service: Object storage for Member-uploaded binaries (Bylaws document attachments, evidence pack attachments in the Dispute Settlement Centre, Treasurer photo avatars where the Member chooses to upload a photo rather than use the KYC-verified one). Provider: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, United States. Region: Eligible R2 buckets in EU regions for UK-resident Members; US elsewhere. R2 transfers are zero-egress between Cloudflare regions. Personal Data received: the binary content the Member uploads (typically PDFs, images, scanned documents). Filenames are normalised on upload; storage keys are non-guessable UUIDs; access is mediated by short-lived presigned URLs scoped to the requesting Member. Purpose: durable storage of Member-uploaded binaries. Safeguards: Data Processing Agreement with UK International Data Transfer Agreement addendum. Object encryption at rest; TLS in transit; access logs retained for security monitoring under Cloudflare's own retention schedule.
2.7 Amazon Web Services (AWS) — KMS, Aurora, Lambda, S3 (Object Lock)
Service: Cryptographic signing infrastructure for audited records (Credibility Reports, Trust Passports, Member Activity Records). Audit-trail storage (S3 Object Lock with Compliance retention). Signing-service compute (Lambda) and signing-service metadata store (Aurora PostgreSQL). Provider: Amazon Web Services, EMEA SARL (Luxembourg) for UK/EU residents; Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, United States for the underlying global services where the resource is not regional. Region: eu-west-2 (London) primary; eu-west-1 (Ireland) standby. Signing keys never leave the regulated KMS boundary. Personal Data received: the structured fields of audited records (Member ID, Standing tier, KYC level, cycle history) that are cryptographically signed and stored as immutable audit trails. The signing service does not receive document images or biometric data. Purpose: issue cryptographically signed audited records that a recipient (a lender, an employer, a partner) can verify against the Circlworld signing key. Maintain the immutable audit trail per the Signing Infrastructure Charter. Safeguards: AWS Data Processing Addendum + Standard Contractual Clauses where data crosses jurisdictions. KMS signing keys are dual-control (IAM A/B). Object Lock is Compliance mode — the audit trail cannot be altered or deleted within the retention period, even by Circlworld.
2.8 Anthropic (CirclAI)
Service: Large language model inference for the CirclAI assistant. Provider: Anthropic, PBC, 548 Market St, PMB 90375, San Francisco, CA 94104, United States. Region: US. Personal Data received: the contents of a Member's CirclAI conversation (the question the Member asks, plus the platform context injected by Circlworld — the Member's Standing tier, recent Circle activity context where relevant). Conversations are not used to train Anthropic models (zero-retention agreement in place). Anthropic does not receive document images, payment data, or messages from the Dispute Settlement Centre, the Wellbeing Centre's Care Concierge, or any other communication-isolated surface (Inviolable Principle 3). Purpose: generate CirclAI responses to Member questions about Circlworld. Safeguards: Data Processing Agreement with zero-retention addendum (conversations not retained beyond the inference window); UK International Data Transfer Agreement addendum.
2.9 PostHog
Service: Product analytics and feature-flag delivery. Provider: PostHog, Inc., 2261 Market St, San Francisco, CA 94114, United States. Region: EU-hosted instance for UK-resident Members; US otherwise. Personal Data received: Member ID (pseudonymous), session events (which pages a Member visits, which buttons they click, which features they engage with), feature-flag assignments. Member name and email are sent only when the Member is identified at sign-in; they can be removed at any time through Member account settings. Purpose: understand how Members use the Platform; deliver feature flags for staged rollouts. Safeguards: Data Processing Agreement; UK GDPR processor; EU instance for UK-resident Members. Members can opt out of product analytics in account settings; the opt-out scopes to the originating browser.
3. Subprocessors no longer in use
When Circlworld terminates engagement with a Subprocessor, the entry is moved to the archive (/legal/archive) so prior versions of this Schedule remain auditable. As of the effective date above, no Subprocessors have been retired from this Schedule.
4. Member rights and contact
4.1 Data-subject rights
Members exercise UK GDPR rights (access, rectification, erasure where applicable, restriction of processing, data portability, objection, withdrawal of consent) by writing to privacy@circlworld.com or through the Help Office. Where a request relates to Personal Data held by a Subprocessor (for example, document images held by Didit), Circlworld will facilitate the request with that Subprocessor.
4.2 Objection to a particular Subprocessor
A Member may object to processing by a specific Subprocessor by writing to privacy@circlworld.com. Where the objection is to a Subprocessor whose service is operationally inseparable from the Platform (for example, Vercel, Railway, Stripe for paid tiers), the Member's remedy is to close their Circlworld account; Circlworld cannot operate the Platform for a Member who has objected to its core processors. Where the objection is to a Subprocessor whose service is optional (for example, PostHog for product analytics), the Member can exercise the opt-out without leaving the Platform.
4.3 Updating this Schedule
This Schedule is the canonical source for Subprocessor information. The Privacy Policy references this Schedule but does not duplicate it; where there is any inconsistency between this Schedule and the Privacy Policy, this Schedule prevails on Subprocessor matters and the Privacy Policy prevails on all other matters.