neumind
Sub-processors register
Every third-party processor that handles personal data on Neumind's behalf.
This register is the canonical source for Neumind's sub-processor disclosures. Our Privacy Notice, the Data Processing Agreement (DPA) for B2B customers, and our DTAC v2 § C2 submission all reference back to this list.
We publish it to give data subjects, B2B controllers, and NHS commissioners a single, up-to-date view of the third parties that touch their data.
Current sub-processors
Each sub-processor below is bound by a written Data Processing Agreement (DPA). International transfers are safeguarded by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), except where a UK adequacy decision applies.
| Sub-processor | Purpose | Categories of personal data | Processing location | Lawful transfer mechanism | DPA |
|---|---|---|---|---|---|
Amazon Web Services (RDS, Lightsail, S3 — eu-west-2) |
Application hosting, primary database, backend compute, file storage | All app + dashboard content (identifying, contact, health-related where users record it, account, financial-metadata) | UK / EU (Ireland — eu-west-2) |
UK adequacy (EU) | aws.amazon.com/agreement |
| Auth0 (Okta) | Authentication, identity storage | Identifying (email, name), authentication state, account metadata | EU | UK adequacy (EU) | auth0.com/legal/dpa |
| RevenueCat | In-app (mobile) subscription management | Receipt + entitlement metadata; pseudonymous user ID | US | UK Addendum + SCCs | revenuecat.com/dpa |
| Stripe | Web card-payment processing | Identifying, financial, transaction; Stripe acts as our processor for transaction metadata and as an independent controller for card-network and PCI-DSS-mandated processing under its own privacy notice | US | UK Addendum + SCCs | stripe.com/dpa |
| SendGrid (Twilio) | Transactional email (receipts, account notifications, password resets) | Identifying (recipient name + email), email content | US | UK Addendum + SCCs | twilio.com/legal/dpa |
| Firebase Cloud Messaging (Google) | Mobile push notifications | Pseudonymous device token; notification payload | US | UK Addendum + SCCs | cloud.google.com/terms/dpa |
| Firebase Analytics (Google) | Mobile app analytics | Pseudonymous app-event data; device + OS metadata | US | UK Addendum + SCCs | cloud.google.com/terms/dpa |
| Typeform | Course and onboarding forms | Identifying (name, email), survey responses | US | UK Addendum + SCCs | typeform.com/dpa |
| PostHog | Product analytics and session recording (professional dashboard only — not on marketing website, not inside mobile apps) | Pseudonymous event data with sensitive-field masking (passwords + health-data fields automatically masked); session recordings retained 30 days rolling | EU | UK adequacy (EU) | posthog.com/dpa |
| ImageKit | Image processing and delivery | Image content uploaded by users; image metadata | India / US | UK Addendum + SCCs | imagekit.io/dpa |
Sub-processor count: 10 entries. Amazon Web Services is shown as a single entry covering RDS, Lightsail, and S3. Firebase appears as two entries (Cloud Messaging and Analytics) given their distinct purposes.
Other recipients (not sub-processors)
In addition to the sub-processors above, we may share personal data with:
- Internal employees and contractors bound by confidentiality obligations and need-to-know access.
- Professional advisers (lawyers, auditors, insurers) bound by professional secrecy.
- Regulatory and law-enforcement bodies where required by law (UK ICO, MHRA, NHS England, courts of competent jurisdiction).
- Acquirers or successors in the event of a merger, acquisition, or sale of assets, on the same data-protection terms or stricter.
These are not sub-processors under Article 28 UK GDPR — they are independent recipients with their own controller obligations.
Change-notification commitment
We treat changes to this register as significant. Our notification posture has two tracks:
For B2B customers (where we act as processor on their behalf)
We provide at least 30 days’ prior notice before adding or replacing a sub-processor that processes the practice’s client data. The customer has the right to object on reasonable data-protection grounds. Notification is by email to the customer’s primary contact and by in-product notice on the professional dashboard. If we cannot resolve a customer’s objection in good faith, the customer may terminate without further charge for the affected service.
For controller-context users (website visitors, app users, professional-dashboard users)
We publish updates to this register at the next material change and reflect them in the Privacy Notice at the next refresh. Material changes are also notified inside the product (login modal on the professional dashboard; in-app notice on the mobile app where the change affects mobile processors). Where a sub-processor change affects you and you do not wish to continue, you may withdraw consent for any non-essential processing at any time and may close your account at no cost; we will delete your data per our Privacy Notice retention table.
Sub-processor list version history
| Version | Date | Material changes |
|---|---|---|
| v1.0 | 2026-04-27 | First published register. Reflects sub-processor stack as of Privacy Notice v3 § R3. Mixpanel retired 2026-04-27 and not included; PostHog is the canonical product analytics processor. |
Contact
Questions about a sub-processor, a transfer mechanism, or our change-notification process: privacy@neumind.io or dpo@neumind.io.
Complaints: you have the right to complain to the UK Information Commissioner’s Office (ICO) at any time. Our ICO registration number is ZB038508.