Legal
Sub-processors
Last updated 1 June 2026
VigilPath engages the following sub-processors to deliver the platform. Customers are notified at least 30 days before a new sub-processor is added or a material change is made. Object to a change by writing to dpo@vigilpath.co.uk.
Infrastructure & data
| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Managed PostgreSQL (hyperscaler) | Primary application database | London, UK | UK domestic |
| Object storage | Encrypted evidence files | London, UK | UK domestic |
| CDN / edge compute | Static assets, WAF | UK / EU edge | UK adequacy |
| Email delivery | Transactional and authentication emails | EU | UK adequacy |
| Error monitoring | Application error telemetry (no payload PII) | EU | UK adequacy |
AI / model providers
Agent inference is run against models hosted in UK or EU regions. Customer case material is sent under zero-retention terms; providers do not train on customer data.
How we vet sub-processors
- Documented security review and data protection assessment.
- Article 28-compliant data processing terms signed before go-live.
- Annual review of certifications (ISO 27001, SOC 2) where available.