This page lists the sub-processors that QDEX AI Ltd (“QDEX”) engages to process personal data on behalf of Customers in connection with the Service. This list is referenced in and forms part of the Data Processing Addendum (DPA) at /legal/dpa.
QDEX will update this page when sub-processors are added, removed or materially changed. Customers are notified of changes by email to the registered account administrator with at least 30 days’ notice before a new sub-processor begins processing personal data.
Infrastructure and Hosting
| Sub-processor | Entity | Purpose | Location | Safeguards |
| --- | --- | --- | --- | --- |
| Google Cloud Platform | Google Ireland Limited / Google LLC | Cloud infrastructure, databases, storage and logging | UK (London) | UK adequate |
AI Services
| Sub-processor | Entity | Purpose | Location | Safeguards |
| --- | --- | --- | --- | --- |
| OpenAI | OpenAI OpCo, LLC | Document extraction and AI assistant | USA | SCCs + UK IDTA |
| Anthropic | Anthropic PBC | Document extraction and AI assistant | USA | SCCs + UK IDTA |
| Google AI | Google LLC | Document extraction and AI assistant | USA | SCCs + UK IDTA |
Note: AI sub-processors are contractually prohibited from using Customer personal data to train or improve their models. Data retention is limited to what is necessary to provide the API service.
Communications
| Sub-processor | Entity | Purpose | Location | Safeguards |
| --- | --- | --- | --- | --- |
| Postmark | ActiveCampaign, LLC | Transactional emails to Customers | USA | SCCs + UK IDTA |
Customer Support and CRM
| Sub-processor | Entity | Purpose | Location | Safeguards |
| --- | --- | --- | --- | --- |
| HubSpot | HubSpot, Inc. | Customer account and administrative data only | USA | SCCs + UK IDTA |
Product Analytics
| Sub-processor | Entity | Purpose | Location | Safeguards |
| --- | --- | --- | --- | --- |
| PostHog | PostHog Inc / Hiberty Ltd | Product analytics and troubleshooting | EU | EU adequate |
Note: PostHog processes analytics and session replay data. Session recording is enabled with input masking (form fields and text inputs are automatically redacted). IP addresses are anonymised. Input fields containing personal data are masked at capture.
Sub-processor Governance
All sub-processors listed above:
- Are engaged under written agreements containing data protection obligations equivalent to those in our DPA, as required by UK GDPR Article 28(3)
- Are required to notify QDEX of any personal data breaches within 24 hours of becoming aware
- Are subject to security assessments and hold relevant certifications (ISO 27001, SOC 2 Type II, or equivalent where applicable)
- Must provide QDEX with audit rights and cooperation for regulatory compliance
- Are required to implement appropriate technical and organisational security measures to the same standard as required under UK GDPR Article 32
For sub-processors located outside the UK and EEA (marked as ‘USA’ in the Location column):
- Transfers are governed by Standard Contractual Clauses (SCCs) approved under UK GDPR Article 46(2)(c) and the UK International Data Transfer Agreement (UK IDTA)
- QDEX has conducted transfer impact assessments and implemented supplementary measures where necessary
- Sub-processors are contractually prohibited from accessing data in ways that would undermine the safeguards provided by SCCs/UK IDTA
- QDEX monitors the ongoing adequacy of transfer mechanisms and will notify customers of any material changes to transfer safeguards
For detailed information on sub-processor security certifications, audit procedures, and data breach notification protocols, please contact us at legal@qdexai.com.
Questions or Objections
If you have questions about our sub-processors, please contact us at legal@qdexai.com.
Version: 2.0
Effective date: 06 February 2026
Last review: 05 February 2026
Next review: On change or 31 July 2026 (whichever is sooner)
Document owner: COO
Previous versions available on request to legal@qdexai.com