Kit Intelligence
Legal · Transparency

Sub-processors

Every external service that processes data on behalf of a controller using WWFC Kit Room. Maintained under UK GDPR Article 28(4) and the DPA executed with each controller.

Last updated 28 June 2026 · Controllers receive at least 14 days' advance notice before any addition (concurrent notice for emergency service-continuity swaps).

Fly.io

In use since 2025-09-01

Application hosting and managed Postgres database.

Processing region
London (LHR), United Kingdom
Data categories
  • All Personal Data processed by the platform (at rest and in flight).
Transfer mechanism
UK adequacy — Fly.io processing occurs in the LHR region; no international transfer.
Their DPA
https://fly.io/legal/dpa/

Backblaze B2

In use since 2025-09-01

Encrypted off-site backup storage.

Processing region
EU Central (Amsterdam / Frankfurt)
Data categories
  • Encrypted database snapshots (restic-encrypted, AES-256, client-side).
Transfer mechanism
UK / EU adequacy. Backblaze sees only ciphertext — the encryption key is held by the platform operator independently of Backblaze.
Their DPA
https://www.backblaze.com/company/dpa.html

Anthropic, PBC

In use since 2026-02-15

Large language model for AI assistant queries and delivery-photo parsing.

Processing region
United States
Data categories
  • Pseudonymised tool results (names, jersey numbers, squads, sites and emails are tokenised before egress; see app/pseudonymise.py).
  • User question text (typically operational, not identifying).
  • Image content (delivery photos) where the user invokes the receive-by-photo flow.
Transfer mechanism
UK International Data Transfer Addendum / SCCs as applicable. For the AI assistant, the platform pseudonymises identifying fields in tool results BEFORE the request leaves the UK region — for those, the LLM provider receives tokens (e.g. PERSON-1, ITEM-7), not real names. Note: the optional receive-by-photo flow transfers the delivery-note image content un-pseudonymised, as the image cannot be tokenised; only upload a note where this transfer is acceptable.
Their DPA
https://www.anthropic.com/legal/dpa

Sentry (Functional Software, Inc.)

In use since 2025-09-01

Application error tracking and alerting.

Processing region
European Union (Frankfurt)
Data categories
  • Stack traces, request paths, user IDs, tenant IDs, request IDs.
  • PII scrubbed at the SDK boundary before egress: a sensitive-key filter drops fields such as name, email, phone, address, password, token, pin, barcode and free-form notes, and frame locals + request bodies are removed entirely (see app/__init__.py:_sentry_before_send).
Transfer mechanism
EU adequacy via Sentry's Frankfurt region.
Their DPA
https://sentry.io/legal/dpa/

unpkg (Cloudflare, Inc.)

In use since 2025-09-01

Public CDN delivering the html5-qrcode browser library used by the camera scan screens (loaded with Subresource Integrity).

Processing region
Global edge network (nearest point of presence to the visitor).
Data categories
  • Browser request metadata only — IP address and user-agent of staff loading a scan page. No application or player data is sent to the CDN.
Transfer mechanism
Standard Contractual Clauses as applicable. The CDN serves a static, integrity-pinned script and receives no Personal Data beyond the connecting browser's network metadata. Self-hosting this library to remove the sub-processor entirely is a planned hardening step.
Their DPA
https://www.cloudflare.com/cloudflare-customer-dpa/

Browser push services (Apple, Google, Mozilla)

In use since 2026-02-15

Transport relay for web-push notifications to a staff member's own browser/device, where they have opted in.

Processing region
Operated by the relevant browser vendor; varies by recipient device.
Data categories
  • An opaque push endpoint URL registered by the recipient's browser.
  • End-to-end-encrypted notification payload — the title and body are encrypted in the application (VAPID / aes128gcm via pywebpush) before transport; the relay forwards ciphertext only.
Transfer mechanism
The notification payload is encrypted client-side to keys held only by the recipient's browser before it leaves the platform; the push relay never sees plaintext content, only the encrypted blob and the recipient's own endpoint.

Microsoft (Graph API)

In use since 2025-09-01

Outbound email transport for the weekly digest and operational notifications.

Processing region
United Kingdom / European Union (primary); global Microsoft 365 infrastructure.
Data categories
  • Email content (operational summaries — typically counts and aggregates, not individual player data).
  • Recipient email addresses.
Transfer mechanism
UK adequacy; Microsoft 365 tenant configured for UK / EU primary residency.
Their DPA
https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA

How to raise an objection

Per Article 28(2) UK GDPR and §8.3 of the executed DPA, a controller may object to any sub-processor on reasonable data-protection grounds within the notice window. Send objections in writing to the data-protection contact named in your DPA. If the objection cannot reasonably be resolved within 30 days, either party may terminate the affected processing without penalty.

Anthropic transfer — additional safeguard

For the AI assistant, the data Anthropic receives is pseudonymised. Names, jersey numbers, squads, sites and emails in the assistant's tool results are tokenised (replaced with non-identifying labels such as PERSON-1, ITEM-7, SQUAD-3) at the application boundary before any request crosses jurisdictions, and detokenised only on return inside the UK region. For those results, the LLM provider sees tokens, not real names. The pseudonymisation layer is documented at app/pseudonymise.py in the source code.

The optional receive-by-photo flow is the one exception: when a kitman uploads a photo of a paper delivery note, the image content is transferred to Anthropic un-pseudonymised, because an image cannot be tokenised. Delivery notes are operational documents (supplier, item descriptions, quantities) and should not contain player data — only upload a note where this transfer is acceptable.