Sub-processors

Last updated: May 26, 2026

About this page

We publish the full list of third parties that process personal data on our behalf so you can see exactly who touches your data and why. Each sub-processor is bound by a written data-processing agreement and may only act on our instructions.

We will notify business customers of any new or replacement sub-processor at least 30 days before the change takes effect (or sooner where the change is required by law or to address a security incident), giving you an opportunity to object as set out in our DPA.

Current sub-processors

Google — Firebase Authentication

USA

Purpose: Account creation, sign-in, password reset, and session management for customer dashboard access. Handles Google and GitHub OAuth flows.

Data categories: Email address, display name, hashed password (where applicable), OAuth identifier, sign-in timestamps, IP address (transient)

Region: Multi-region (US primary; EU available via project configuration)

Transfer mechanism: EU SCCs + UK IDTA via Google Cloud DPA

Documentation: https://firebase.google.com/support/privacy

Google — Firestore

USA (corporate); region per deployment

Purpose: Primary database for customer account records, business profiles, and application state.

Data categories: Account data, business records, audit metadata, application state

Region: Region selected per UIP deployment (currently US; EU available)

Transfer mechanism: EU SCCs + UK IDTA via Google Cloud DPA

Documentation: https://firebase.google.com/support/privacy

Google — Analytics

USA

Purpose: Aggregate, IP-anonymized website usage measurement. Loaded only after explicit analytics consent.

Data categories: Pseudonymous device identifier, page views, referrer, coarse location (country/region), browser metadata

Region: Google global infrastructure

Transfer mechanism: EU SCCs via Google Ads Data Processing Terms

Documentation: https://policies.google.com/privacy

Sub-processors of sub-processors

Each of our sub-processors maintains its own list of sub-processors (for example, Didit may rely on additional vendors for document forensics or telecommunications). Those lists are available on the respective sub-processor's documentation page linked above.

Questions or objections

Email [email protected] with questions about a specific sub-processor or to object to a planned change as set out in our DPA.

Back to Policies