Legal — GDPR Article 28
Sub-Processor List
Last updated: April 2026 · Version 1.0 · HexVault Ltd, England & Wales
Your rights regarding sub-processors
Under GDPR Article 28(2), we are required to inform you of any sub-processors we use and allow you to object to new sub-processors. To subscribe to sub-processor change notifications, email [email protected] with subject "Sub-processor notification request". We provide 30 days notice of additions or changes.
Current sub-processors
Data shared
Email address, billing address, Stripe customer ID and subscription ID
Transfer mechanism
UK IDTA / EU Standard Contractual Clauses
Data shared
Email address, email content (transactional only — no marketing)
Transfer mechanism
UK IDTA / EU Standard Contractual Clauses
Data shared
IP addresses, request metadata (headers, URL paths). No vault data decryptable at this layer.
Country
United States (global edge network)
Transfer mechanism
UK IDTA / EU Standard Contractual Clauses
Data shared
5-character SHA-1 hash prefix only. This is insufficient to identify any specific password. No personal data is transferred.
Transfer mechanism
No personal data — GDPR transfer rules do not apply
Data shared
Error stack traces and application metadata only. Vault operations are explicitly excluded from Sentry instrumentation.
Transfer mechanism
UK IDTA / EU Standard Contractual Clauses
No advertising sub-processors: HexVault does not use advertising networks, analytics platforms, social media tracking, or any other sub-processor that processes data for purposes beyond service delivery. This list is exhaustive.
Change history
April 2026Version 1.0 published. Initial sub-processor list.
Customers subscribed to change notifications will receive 30 days advance notice of any additions or material changes to this list. To subscribe, email [email protected].