Data Security

Sub-Processor Register

In compliance with UK GDPR Article 28, we maintain a public register of the third-party organisations (sub-processors) that process personal data on our behalf in connection with the delivery of our services. This page is updated whenever we add, change, or remove a sub-processor.

What is a sub-processor?

A sub-processor is a third-party organisation that we engage to process personal data on your behalf. This is different from a supplier who provides us with services that do not involve processing your personal data.

Under UK GDPR, we are required to notify you of our sub-processors, obtain your authorisation to use them, and ensure that appropriate data processing agreements are in place with each of them.

We ensure that all sub-processors provide sufficient guarantees that they will implement appropriate technical and organisational measures to protect personal data and comply with applicable data protection law.

Current Sub-Processors

Last updated: 8 June 2026

| Provider | Purpose | Data processed | Location and safeguard |
| --- | --- | --- | --- |
| Zoho Corporation / Zoho Corp Pvt Ltd | Customer relationship management. Stores and manages contact information for customers, prospects, and business contacts. | Names, job titles, email addresses, phone numbers, business addresses, communications history. | UK / EU; UK adequacy / UK IDTA |
| Mailchimp / Intuit Inc. | Email marketing. Used to send marketing communications to contacts who have opted in to receive them. | Names, email addresses, email engagement data (opens, clicks). | USA; UK SCCs / UK IDTA |
| Vercel Inc. | Application hosting. Hosts our internally developed web applications and platforms used to deliver our services. | User account data, platform usage data, performance data processed through hosted applications. | UK; Data stored in UK, no international transfer |
| Neon Inc. | Database hosting. Provides the database infrastructure for our internally developed applications. | User account data, platform usage data, and application data stored within our hosted databases. | UK; Data stored in UK, no international transfer |
| Resend Inc. | Transactional email. Delivers automated transactional emails such as account confirmations and notifications from our internally developed applications. | Names, email addresses, and the content of transactional email messages. | USA; DPA in place, UK SCCs |
| Xero Ltd / Xero Limited | Accounting and invoicing. Used to manage our financial records, raise invoices, and track payments from customers. | Business names, contact names, billing addresses, invoice values, and payment status. | UK / NZ; DPA in place, UK SCCs |
| Stripe Inc. / Stripe Payments Europe Ltd | Payment processing. Processes payments from customers. We do not store payment card data; all card data is handled directly by Stripe's PCI-compliant systems. | Names, email addresses, billing addresses, transaction amounts, and payment status. Card details are processed by Stripe only. | USA / EU; DPA in place, UK SCCs |
| Motion Technologies / Motion Technologies Inc. | Call recording and project management. Used to record and transcribe calls for internal note-taking and project management purposes. Participants are informed at the start of any recorded call and may request that recording is stopped. | Voice recordings, call transcripts, names and contact details of call participants, and project management data. | USA; DPA in place, UK SCCs |
| ElevenLabs Inc. | AI voice generation. Powers voice-based AI characters and interactions across our ESC, SHIFT, CMD, CTRL+Vish, and SPACE_ training products. Voice content is generated in real time as part of the training experience. | Scenario scripts, voice prompts, and text inputs used to generate AI voice responses during training experiences. | USA; DPA in place, UK SCCs |
| Twilio Inc. | Telephone call infrastructure. Provides the telephony infrastructure that enables voice-based AI interactions delivered through ElevenLabs across our ESC, SHIFT, CMD, CTRL+Vish, and SPACE_ products. | Phone numbers, call metadata, and call audio associated with AI-powered voice interactions in training experiences. | USA; DPA in place, UK SCCs |
| Anthropic PBC | AI processing. Generates behavioural analysis reports, scores call transcripts, and produces debrief reports across Instinct Lab, CTRL+Vish, CMD, and SHIFT products. Survey data, call transcripts, and participant response data are sent to the Anthropic API for processing. | Survey responses, behavioural scores, call transcripts, participant role and session data required to generate AI-produced reports and scoring outputs. | USA; DPA in place, UK SCCs |
| Pusher Ltd / Pusher (Bird BV) | Real-time messaging infrastructure. Powers live in-session communications in the CMD platform, including player inboxes, poll delivery, metric updates, countdown timers, and session state synchronisation across participant devices. | Player inbox content, poll questions and responses, session metrics, and real-time session state data. | EU (Ireland); DPA in place, UK SCCs |
| Vercel Blob / Vercel Inc. | Audio file storage. Stores AI-generated voice note audio files used in CMD training sessions. Separate from Vercel's application hosting service. | Audio files containing AI-generated voice content delivered to participants during CMD sessions. | UK (London region); Data stored in UK, no international transfer |
| Simstac / Simstac Ltd (UK) | Augmented reality escape room platform. Participants interact directly with Simstac's application during AR-based escape room training experiences. | Participant interaction data, session progress, and completion data within AR escape room experiences. | UK (data processing location pending confirmation); UK-based company — transfer safeguard TBC pending data processing confirmation |
| Microsoft Corporation | Email, calendar and productivity services (Microsoft 365 / Outlook / Exchange Online). Hosts our business email and associated data, accessed both directly and via the Microsoft Graph API into Function, our internal business management platform. | Names, email addresses and contact details, and the content of emails, calendar entries and attachments, which may include personal data relating to customers, prospects, participants and suppliers. | USA; DPA in place, UK SCCs |

Our obligations

  1. We enter into a data processing agreement with each sub-processor, requiring them to implement appropriate technical and organisational security measures.
  2. We only engage sub-processors for specific, limited purposes directly related to our service delivery, never for their own commercial benefit.
  3. Where personal data is transferred outside the UK or EEA, we ensure appropriate transfer safeguards are in place, including Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs).
  4. We remain fully liable to you for the performance of any sub-processor we engage on your behalf.
  5. We will provide at least 10 days written notice before adding or replacing any sub-processor, giving you the opportunity to object.

Changes to this register

We review and update this register whenever we add, replace, or remove a sub-processor. Customers with active contracts or Data Processing Agreements will receive written notice of any changes at least 10 days in advance. You may object to a new sub-processor in writing within 10 days of receiving notice, in accordance with our Data Processing Agreement.

If you have questions about a specific sub-processor or would like to request our Data Processing Agreement, contact us at legal@cyberescaperoom.co.

Questions? Contact us.

Company: The Cyber Escape Room Co. Ltd
Registered no.: 13753868
ICO ref.: ZC074478
Address: Queensgate House, 23 North Park Road, Harrogate, HG1 5PD