Sub-processor Register
The third-party providers One Point Four West Ltd relies on to deliver the website, tools and consultancy services. Published in line with Article 28 UK GDPR. Last reviewed April 2026.
One Point Four West Ltd acts as a controller for website enquiries, template downloads and document pack purchases. It acts as a processor for client engagement data and for client data entered into the licensed diagnostic platform by consultant firms. The sub-processors below are used in both roles.
Clients will be notified of material changes at renewal, or earlier where the change materially affects the processing of client personal data. Objections should be raised with dpo@onepointfourwest.com.
Infrastructure and hosting

| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| IONOS SE | Website hosting, SQLite storage for enquiry, health-check, download, ERA Audit and assessment data | Germany (EU) | UK adequacy (EU) |
| Supabase Inc. | Backend for the diagnostic platform and GPG Reporter saved-aggregates feature. Authentication, database and storage. | eu-central-1 (Frankfurt) | UK adequacy (EU) for data at rest; DPA in place |
| Cloudflare Inc. | DNS and CDN for onepointfourwest.com and tools.onepointfourwest.com | Global edge; US entity | Standard Contractual Clauses + UK Addendum |

Transactional services

| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe Ltd / Stripe, Inc. | Payment processing for document pack and tool purchases. Stripe collects card and billing details directly. | Ireland (EU); US parent | Standard Contractual Clauses + UK Addendum |
| Postmark (Wildbit, LLC / ActiveCampaign) | Outbound transactional and post-download email (purchase confirmations, report delivery, cross-sell). | United States | Standard Contractual Clauses + UK Addendum |
| Google LLC (Google Analytics) | Web analytics. Loaded only on cookie consent. | United States | Standard Contractual Clauses + UK Addendum |

AI and productivity

| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Anthropic PBC | Optional AI-enhanced analysis within the diagnostic platform. Organisation name is replaced with a placeholder before transmission. Feature is opt-in and consultant-initiated. | United States | Standard Contractual Clauses + UK Addendum. API data not used for training; 30-day maximum retention. |
| Microsoft Corporation (Microsoft 365, OneDrive, Teams) | Email, document storage and collaboration for client engagements. UK data residency configured where offered. | United Kingdom (primary); US entity | Standard Contractual Clauses + UK Addendum where applicable |
| Otter.ai, Inc. | Occasional meeting transcription with client consent. Not used for engagements where the client declines recording. | United States | Standard Contractual Clauses + UK Addendum |

Change history
April 2026 – Initial publication alongside the site-wide DPIA and compliance review.
Questions
For any question about this register, transfer mechanisms or the underlying contracts, email dpo@onepointfourwest.com. Supporting documentation is available to client procurement and supplier onboarding teams on request.