UK GDPR and data residency.

Help center

HelpComplianceUK GDPR and data residency.

Where data lives, who the controller is, and how the Picked-as-processor contract is set up.

Last reviewed 28 September 20263 min read

Neuroworx Ltd is ICO-registered as a data controller for the candidate-side relationship and as a data processor for the hiring-company-side relationship. UK GDPR applies; EU GDPR applies on the EU candidate base.

Where data lives.

Structured data: Supabase in London (eu-west-2).
Application hosting: Vercel London (lhr1).
Transcript audio and large blobs: Cloudflare R2 EU.
Voice infra: LiveKit EU.
Outbound mail: Resend EU.
Reasoning model: Anthropic Claude. Transcription only: OpenAI Whisper.

No data leaves UK or EU regions for the core hiring workflow. Sub-processor regions and purpose are listed on /trust/sub-processors and updated on every quarterly review.

The DPA.

A standard data-processing agreement is in place for every workspace by default; the customer accepts it on sign-up. A custom DPA can be reviewed under Settings, Legal, DPA. Sign-off turnaround for a custom DPA is inside five working days.

The DPA covers the categories of personal data we process, the security measures in place, sub-processor disclosure, retention, deletion, and the assistance we provide on data-subject requests. Procurement-grade addenda (international data transfer addendum, UK ICO addendum, EU SCCs) are linked from the DPA panel.

For US-specific data flows when the V2 US tier ships, the Standard Contractual Clauses adendum will be added under the same screen.

What to do next: accept the default DPA on sign-up; flag a custom DPA only if your procurement requires one.

GDPRdata residencycontrollerprocessorDPA