Data Processors

Last updated: November 3, 2025

This document lists all third-party data processors and sub-processors who process personal data on behalf of neurobetter. This list is maintained in accordance with our obligations under UK GDPR.

How to Read This List

For each processor, we provide:

• Name: The organisation name
• Purpose: What we use this processor for
• Data Processed: What types of personal data they process
• Data Location: Where data is stored (UK/EEA/US/Other)
• Adequacy/Safeguards: Legal basis for any transfers outside UK/EEA
• Privacy Policy: Link to their privacy policy
• Date Added/Last Reviewed: When this entry was added or last checked

Payment Processing

Stripe

• Purpose: Payment processing for sponsored listings
• Data Processed: Name, email, payment card details, transaction data
• Data Location: US (with EU data centres available)
• Adequacy/Safeguards: Standard Contractual Clauses (SCCs), adequate technical and organisational measures
• Privacy Policy: https://stripe.com/gb/privacy
• DPA Available: Yes
• Notes: Stripe is PCI DSS Level 1 certified. Full card details are not visible to neurobetter.

Donation and CRM

Beacon CRM

• Purpose: Donation processing, Gift Aid administration, donor relationship management
• Data Processed: Name, email, postal address, donation history, Gift Aid declarations, communication preferences
• Data Location: UK
• Adequacy/Safeguards: N/A (UK-based)
• Privacy Policy: https://www.beaconcrm.org/privacy-policy
• DPA Available: Yes
• Notes: Beacon is designed specifically for UK charities and charity-specific compliance.

Verification Services

Yoti

• Purpose: Age and identity verification
• Data Processed: Verification status, date of birth. For ID verification: full name, date of birth, postal address (if collected)
• Data Location: UK/EEA
• Adequacy/Safeguards: N/A (UK/EEA-based)
• Privacy Policy: https://www.yoti.com/privacy-policy/
• DPA Available: Yes
• Notes: Yoti does not share ID documents with neurobetter. We only receive verification status and specified attributes (DOB, name, address if requested).

Hosting and Infrastructure

DigitalOcean

• Purpose: Website and database hosting
• Data Processed: All member data stored in our database
• Data Location: UK/EU
• Adequacy/Safeguards: N/A (UK/EU data centres)
• Privacy Policy: https://www.digitalocean.com/legal/privacy-policy
• DPA Available: Yes

Backblaze B2

• Purpose: Automated backups of database and files
• Data Processed: All member data (backup copies)
• Data Location: EU
• Adequacy/Safeguards: N/A (EU data centres)
• Privacy Policy: https://www.backblaze.com/company/privacy.html
• DPA Available: Yes
• Notes: Backups are encrypted.

Analytics and Performance

Google Analytics

• Purpose: Website analytics, user behaviour analysis, performance monitoring
• Data Processed: IP addresses (anonymised), browser data, pages viewed, user journey data
• Data Location: US/EU
• Adequacy/Safeguards: Standard Contractual Clauses
• Privacy Policy: https://policies.google.com/privacy
• DPA Available: Yes
• Notes: IP anonymisation enabled. Analytics data is aggregated.

AppSignal

• Purpose: Application error monitoring and debugging
• Data Processed: Error logs, user IDs (pseudonymised), technical data
• Data Location: EU
• Adequacy/Safeguards: N/A (EU-based)
• Privacy Policy: https://www.appsignal.com/privacy-policy
• DPA Available: Yes
• Notes: Personal data is redacted from error logs where possible.

Cookie Consent

Silktide

• Purpose: Cookie consent management and compliance
• Data Processed: Cookie preferences, consent records
• Data Location: UK
• Adequacy/Safeguards: N/A (UK-based)
• Privacy Policy: https://silktide.com/privacy-policy/
• DPA Available: Yes
• Notes: Required for PECR compliance.

Sub-Processors Used By Our Processors

Many of the processors listed above may use their own sub-processors. We require our processors to:

• Notify us of any sub-processor changes
• Ensure sub-processors meet the same data protection standards
• Remain liable for sub-processor actions

For detailed information about sub-processors used by our main processors, please refer to:

• Stripe: https://stripe.com/gb/service-providers/legal
• Beacon CRM: Contact Beacon directly

International Transfers

Transfers to the United States

Where we use processors based in or storing data in the United States (such as Stripe), we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): We use the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses
• Supplementary Measures: We assess each processor's security measures to ensure they provide adequate protection
• Data Processing Agreements: All US-based processors have signed Data Processing Agreements with additional protections

Adequacy Decisions

We monitor ICO and EU Commission adequacy decisions. If adequacy status changes for any country where data is processed, we will review and update safeguards as necessary.

Data Processing Agreements (DPAs)

We have Data Processing Agreements in place with all processors listed above (marked as "DPA Available: Yes"). These DPAs:

• Define the scope and purpose of processing
• Specify security requirements
• Set out data subject rights procedures
• Address sub-processing
• Include audit rights
• Define breach notification procedures

Copies of our DPAs are held securely and are available to data subjects or the ICO upon request.

Review and Updates

Regular Reviews

This list is reviewed:

• Quarterly: To ensure accuracy and completeness
• When adding new processors: Before engaging any new processor
• When processors change terms: If a processor materially changes their practices or policies
• Annually: Comprehensive review of all processors and DPAs

Member Rights

As a neurobetter member, you have rights regarding your personal data processed by these third parties:

• Right to be Informed: This list fulfills part of our transparency obligations
• Right to Object: You can object to certain types of processing (e.g., marketing analytics)
• Right to Access: You can request details of what data each processor holds about you
• Right to Erasure: When you delete your account, we instruct processors to delete your data

To exercise these rights, contact us at team@neurobetter.org.

Processor Selection Criteria

When selecting data processors, we assess:

1. Security Measures: Technical and organisational measures to protect data
2. Compliance: UK GDPR compliance and relevant certifications (ISO 27001, SOC 2, etc.)
3. Data Location: Preference for UK/EEA processors; careful assessment if outside
4. Track Record: Reputation, breach history, transparency
5. Contract Terms: Willingness to sign appropriate DPA with required terms
6. Sub-Processing: Controls over their own sub-processors
7. Audit Rights: Allowing us to audit or review their practices
8. Business Stability: Financial stability and likelihood of continued operation

Objections to Processors

If you have concerns about any of the processors we use, please contact team@neurobetter.org. We will:

• Consider your concerns seriously
• Assess whether alternative processors are available
• Balance your interests against the necessity of the processing and interests of other members
• Provide a response explaining our decision

In some cases (e.g., payment processing, hosting), use of third-party processors is essential to provide our services.

Contact

For questions about our data processors, to request copies of DPAs, or to exercise your rights, contact:

• Email: team@neurobetter.org
• Post: neurobetter, Ground Floor, Kings House, 101-135 Kings Road, Brentwood, Essex, CM14 4DR, United Kingdom
• Data Protection Contact: dataprotection@neurobetter.org
• ICO Registration: ZB688961

This Data Processors List is maintained in accordance with Articles 28 and 30 of the UK GDPR. It forms part of neurobetter's Records of Processing Activities.