Legal
Sub-processors
Last updated 9 May 2026
This is the canonical, version-controlled list of sub-processors Hovermarks engages to deliver the platform. The same list is mirrored in our Data Processing Agreement under §3 and in our Privacy Notice under "Sharing".
Notification policy
Per the DPA §3, we will notify customers of any addition or replacement of a sub-processor at least 30 days in advance by email to your TenantAdmins. You have the right to object during that window; if we cannot accommodate the objection, the customer may terminate the affected service without penalty.
To subscribe to sub-processor change notifications, ensure that the TenantAdmin email on your account is monitored, or email [email protected] with an alternative contact.
Current sub-processors
Last updated: 9 May 2026.
| # | Sub-processor | Purpose | Region | Added on |
|---|---|---|---|---|
| 1 | Microsoft Azure | Hosting, storage, identity (Azure SQL, Blob Storage, App Service) | UK South | 2026-04-26 |
| 2 | Microsoft Entra External ID | Customer authentication / SSO (CIAM tenant) | UK / EU | 2026-04-26 |
| 3 | Microsoft Entra ID | Platform-admin authentication / SSO | UK / EU | 2026-04-26 |
| 4 | Microsoft Graph | Transactional + notification email via Microsoft 365 | UK / EU | 2026-04-26 |
| 5 | Azure AI Vision | Inspection photo quality gate (opt-in AI feature) | UK South | 2026-05-04 |
| 6 | Azure AI Document Intelligence | Certificate text extraction (opt-in AI feature) | UK South | 2026-05-04 |
| 7 | Azure OpenAI Service | Natural-language asset search (opt-in AI feature). Microsoft abuse-monitoring opt-out applied; no data used to train models. | UK South | 2026-05-04 |
| 8 | Azure AI Speech | Voice-to-text on inspection notes (opt-in AI feature) | UK South | 2026-05-04 |
| 9 | Cloudflare, Inc. | DNS, edge proxy, Turnstile bot-protection on public fault-report form | EU / US | 2026-04-26 |
| 10 | Plausible Analytics | Marketing-site analytics ONLY (the in-app dashboard does not run Plausible) | EU | 2026-04-26 |
| 11 | Stripe, Inc. | Payment processing (PCI-DSS Level 1 certified). Activated when billing is switched on at GA. | US / EU | 2026-05-09 |
Notes on each sub-processor
- Microsoft Azure (Azure SQL, Blob Storage, App Service, Static Web Apps, Front Door, Key Vault, Application Insights). Primary customer-data plane. UK South region. Microsoft is the data processor; we are a sub-controller for our own corporate data.
- Microsoft Entra External ID. Customer-facing authentication. Microsoft holds the user account record (email, display name, authentication factors); Hovermarks holds the tenant-membership link.
- Microsoft Entra ID. Platform-admin authentication only. Hovermarks platform-admin team members sign in via Microsoft Entra ID in the BrainBoxIT tenant.
- Microsoft Graph (Microsoft 365). Transactional email — invite emails, password-reset emails, fault-report acknowledgements, marketing-form contact-us responses.
- Azure AI services (Vision, Document Intelligence, OpenAI, Speech). Used for the opt-in AI features. All configured in the UK South region, with Microsoft's abuse-monitoring opt-out applied to Azure OpenAI (no prompt or output retention). No customer data used to train models.
- Cloudflare, Inc.. DNS for hovermarks.com and hovermarks.co.uk
(and the legacy hovermark.co.uk that 301-redirects to them); edge
proxy with Universal SSL on
www; Turnstile bot-protection on the anonymous public fault-report endpoint. - Plausible Analytics. Cookieless aggregate analytics on the marketing site only. Does not run inside the dashboard or the API. EU-hosted (Frankfurt).
- Stripe, Inc.. Payment card processing. Hovermarks never sees raw card numbers — Stripe Elements handles the card form in an isolated iframe, and Hovermarks holds only the Stripe customer/subscription identifiers. Stripe is PCI-DSS Level 1 certified.
International transfers
Where a sub-processor processes data outside the UK or EU, the transfer is governed by:
- The UK International Data Transfer Agreement (where the UK is the source jurisdiction); or
- EU Standard Contractual Clauses (where an EU member-state is the source); or
- An adequacy decision by the UK / EU where one applies (e.g., the UK-US Data Bridge for transfers to certified US recipients).
Each Microsoft sub-processor is contracted under Microsoft's Data Protection Addendum, which incorporates SCCs / IDTA as applicable. Cloudflare and Stripe operate under their own published Data Processing Addenda referencing SCCs.
Historical changes
| Date | Change |
|---|---|
| 2026-05-09 | Added Stripe (payment processing) ahead of GA billing switch-on |
| 2026-05-04 | Added Azure AI Vision / Document Intelligence / OpenAI / Speech (Tier 1 AI features) |
| 2026-04-26 | Initial sub-processor list published |
We re-publish this page on every change so the change history is visible. The DPA cites this page as the canonical sub-processor register.