Get Work Authorised Sub-Processors & Third-Party Platforms List
Get Work Authorised Sub-Processors (Table A)
Scope note (for avoidance of doubt): This lists only those service providers engaged by Get Work to process Customer Personal Data on the Customer’s behalf for the purposes of providing the Services (UK GDPR Article 28). It excludes third-party platforms used by Get Work in its own controller capacity, which are listed separately in Table B below.
| Sub-processor | Processing activity / service | Customer Personal Data potentially processed | Primary processing location(s) | Notes (configuration / transfers) |
|---|---|---|---|---|
| DigitalOcean, LLC | Core hosting of Get Work Platform (application + databases) | Lead Data, Call Recording Data metadata, customer account identifiers to the extent embedded in Platform records | London, UK (LON1) | DigitalOcean region LON1 is London (UK). |
| Amazon Web Services (AWS) | Storage of Customer-uploaded files (images, documents, attachments) used in CRM / Platform | Customer uploads (may include Lead Data and other Personal Data), object metadata, access logs | EU | AWS provides a GDPR DPA incorporated into AWS Service Terms; SCCs may be used for transfers where relevant. |
| DigitalOcean | Backup and disaster recovery for Platform data | Backups of Customer Personal Data contained in Platform datasets | London, UK | Provider, region, and retention lifecycle are unspecified and must be inserted once selected. |
| Twilio Inc. | Telephony, SMS, call recording and related communications infrastructure | Call metadata, Call Recording Data, SMS content where used in Platform | Global (may include US) | Twilio notes encrypted backups stored across multiple AZs/regions in AWS US. Operationally, transfer risk should be treated as high unless regionally constrained. |
| Intercom, Inc. | Customer support communications (chat) where Customer Personal Data is shared in support tickets / chats | Support messages and attachments (may contain Lead Data if Customer provides it), contact identifiers | EU regional hosting available; EU DC: AWS eu-west-1 (Dublin) | Intercom states EU hosting is subject to exceptions: billing / support processes may transfer data outside region, including admin metadata, usage metadata and billing data processed in the US. |
| Twilio SendGrid | Transactional email delivery (e.g. lead notifications) | Recipient email addresses, message content, email event data | EU if configured; otherwise Global | SendGrid EU data residency requires EU subuser, EU dedicated IP and EU API endpoint. Using a global subuser / endpoint routes data outside the EU. Configuration is unspecified. |
| Mailgun (Sinch) | Transactional email and inbound / outbound routing (if used for Platform mail features) | Email content, recipients, event logs, suppressions | EU region (message data region-bound) | Mailgun states message data is tied to region and never leaves the region; some account data is replicated globally. |
Get Work Third-Party Platforms Used in Delivering Services (Controller Context) (Table B)
Scope note: The providers below are used by Get Work to operate its business, market the Services, measure performance, and administer payments / finance and identity verification. In these contexts, Get Work typically acts as controller for the relevant data. Some of these platforms may also be subject to separate controller / processor terms imposed by the platform.
| Platform | Purpose | Data types involved (high level) | Notes / key compliance implications |
|---|---|---|---|
| Google Ads (remarketing, Customer Match, Enhanced Conversions) | Advertising, remarketing, conversion measurement | Online identifiers / cookies; conversion data; hashed first-party identifiers for Enhanced Conversions | Enhanced Conversions uses hashed first-party conversion data (e.g. email / phone / address). Requires cookie / consent compliance and privacy disclosures. |
| Google Analytics 4 (GA4) | Web / app analytics | Usage analytics, device / browser signals | GA4 EU processing documentation indicates EU traffic is processed via EU domains / servers and IP addresses are not logged or stored. |
| Heap | Product analytics | User interaction / event data | Configure to avoid collecting sensitive data; ensure deletion / export processes. |
| Stripe | Payment processing | Billing identifiers, transaction metadata | Stripe processes full card data; Get Work should avoid storing full PAN / CVC. |
| Xero | Accounting records | Invoices, billing contacts, bookkeeping | Finance retention and access control required. |
| Veriff | Identity verification | ID documents, session media, verification outputs (biometric processing occurs) | Automation / human review options are operational; some configuration remains unspecified. Include DUAA safeguards and clear transparency in onboarding. |