Sub-Processor List

Last Updated: 21st January 2026

In accordance with our Data Processing Addendum and GDPR transparency requirements, this page lists the third-party sub-processors that AutoChain Limited engages to assist in delivering our services.

What is a Sub-Processor?

A sub-processor is a third-party service provider engaged by AutoChain to process personal data on behalf of our customers. All sub-processors are carefully selected and contractually required to provide appropriate data protection guarantees.

1. Infrastructure & Hosting

Service Provider

Cloud Hosting Providers

Purpose

Application hosting, database storage, file storage

Data Location

UK / EU

Safeguards: UK GDPR compliant, Standard Contractual Clauses where applicable

2. Data Storage & Backup

Service Provider

Cloud Storage Providers

Purpose

Document storage, image storage, backup services

Data Location

UK / EU

Safeguards: Encryption at rest and in transit, UK GDPR compliant

3. Communication Services

Service Provider

Email Delivery Providers

Purpose

Transactional emails, service notifications, reminders

Data Location

UK / EU / US (with safeguards)

Safeguards: Standard Contractual Clauses, UK GDPR compliant

4. Analytics & Monitoring

Service Provider

Analytics Platforms

Purpose

Website analytics, performance monitoring, error tracking

Data Location

Global (with safeguards)

Safeguards: Anonymization where possible, consent-based tracking, UK GDPR compliant

5. Payment Processing

Service Provider

Payment Service Providers

Purpose

Payment processing, fraud prevention, billing

Data Location

UK / EU / Global

Safeguards: PCI-DSS compliant, Standard Contractual Clauses

6. Customer Support

Service Provider

Support & CRM Platforms

Purpose

Customer support, ticketing, communication management

Data Location

UK / EU / US (with safeguards)

Safeguards: Standard Contractual Clauses, encryption in transit and at rest

Our Sub-Processor Commitments

Due Diligence

All sub-processors undergo security and privacy assessments before engagement.

Contractual Protection

Sub-processors are bound by data protection obligations equivalent to those in our DPA.

Change Notification

We provide 30 days' advance notice before adding or replacing sub-processors.

Ongoing Monitoring

We regularly review sub-processor compliance with security and privacy requirements.

Objecting to a Sub-Processor

If you are a customer operating under a Data Processing Addendum with AutoChain and you object to a new or replacement sub-processor on reasonable data protection grounds, please contact us within 30 days of notification:

Email: privacy@autochain.co.uk

Note: This list provides high-level categories of sub-processors for transparency. Specific provider names and detailed information are available to customers upon request in accordance with our Data Processing Addendum.

For questions about sub-processors or data protection, please contact privacy@autochain.co.uk

What is a Sub-Processor?

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, a sub-processor is any third party appointed by a data processor (AutoChain) to carry out processing activities on behalf of the data controller (our customers) involving personal data. AutoChain acts as a data processor when handling personal data on behalf of garages and service providers who use our platform. In that capacity, we are required to disclose which sub-processors we engage, ensure they provide sufficient guarantees regarding data protection, and notify controllers of any material changes to our sub-processor list.

All AutoChain sub-processors are contractually bound to process personal data only on our documented instructions, implement appropriate technical and organisational security measures, and support AutoChain in meeting our obligations to data subjects including the right to access, erasure, rectification, and portability under UK GDPR Articles 15–22.

How We Manage Sub-processor Relationships

AutoChain selects sub-processors carefully, taking into account their security practices, compliance certifications, data residency, and contractual commitments to UK GDPR obligations. Before engaging a new sub-processor, we carry out a data protection impact assessment where required and ensure appropriate Data Processing Agreements or Standard Contractual Clauses are in place where data transfers outside the UK are involved.

We regularly review our sub-processor relationships to confirm continued compliance and to assess whether any changes to sub-processor processing activities require updates to our own data protection documentation. Where a sub-processor relationship changes materially — for example, if a sub-processor begins processing additional categories of personal data — we review the arrangement and update this notice accordingly.

AutoChain service provider customers (garages and automotive businesses using our platform) are themselves data controllers for the personal data of their own customers that they input into AutoChain. AutoChain acts as a data processor on behalf of these businesses and our obligations in this capacity are governed by the Data Processing Agreement available in the legal section of this website. Sub-processors used by AutoChain in connection with processing on behalf of service provider customers are subject to the same standards described on this page.

If you have questions about our use of sub-processors or wish to exercise a data subject right in connection with data processed by a sub-processor on our behalf, please contact privacy@autochain.co.uk. We will respond within one calendar month in accordance with our obligations under UK GDPR Article 12.

Platform Logic

Why Clearer Infrastructure Matters to Both Drivers and Garages

Most problems in vehicle ownership are not caused by a lack of effort. They come from fragmented information. AutoChain is designed to close those gaps by giving both sides a clearer way to keep the history of the vehicle usable after the job is finished.

What better infrastructure fixes

A driver can care about the car and still lose track of service dates if reminders, invoices, MOT history, and approvals all live in different places. A garage can carry out good work and still struggle to retain customers if the record of that work is hard to retrieve later.

Better infrastructure matters because it makes the history usable again. It gives the owner and the workshop a stronger basis for the next decision instead of forcing both sides to reconstruct what happened from memory.

Why it matters in practice

Trust is built when the customer can see what happened, the garage can prove what was done, and the next decision starts with better context than the last one.

Trust improves

Customers can see what happened, garages can prove what was done, and the next decision starts with better context.

Economics improve

On-time reminders protect repeat business, cleaner records support price, and better visibility reduces wasted diagnosis.

Handovers improve

Approvals, complaints, resale discussions, and ownership transfers become easier to manage with a stronger evidence trail.

The market improves

Independent garages and informed drivers both benefit when the ownership story becomes easier to follow.

AutoChain combines driver tools, provider workflows, reminder systems, digital service history, and educational content because each part becomes more useful when it strengthens the same central outcome: a clearer, more credible, and more transferable record of what has happened to the vehicle and why it matters.