Security Measures
and Sub-Processors

As incorporated into LightWork’s Data Processing Agreement

Technical and organisational
measures to ensure the
security of Personal Data

Technical measures

All workloads run on Google Cloud Platform (GCP), deployed strictly in UK and EU regions (London or other EU zones only).
MongoDB (UK region) is our primary database. Data is encrypted at rest with AES-256 and encrypted in transit (TLS).
We maintain periodic automated backups of all production databases with secure storage and controlled access.
Qdrant (EU region) is used as our vector database, and Redis Cloud (UK region) is used for caching.
Access to infrastructure is restricted via IAM, MFA-enforced accounts and least-privilege roles.
Services run in private networks with firewalls and VPC-level isolation.
Monitoring, alerting and log management are handled by Datadog, configured within EU regions.
We use Vanta to continuously monitor our security position and maintain compliance with ISO27001:2022 and SOC2 frameworks.
All software is kept up-to-date and security updates are installed as soon as reasonably possible.

Organisational measures

Operational practices include regular patching, vulnerability scanning, penetration testing and maintaining incident management and response processes.
Making all employees and third-party agents fully aware of their individual responsibilities under the UK GDPR.

Current sub-processors

Name of Sub-processor	Location of Processing	Transfer mechanism
Google Cloud Platform (GCP): cloud infrastructure	UK and EEA	N/A
MongoDB Atlas: primary database	UK	EU-US DPF (UK Extension)
Redis Cloud: caching	UK	SCCs + UK Addendum; TRA completed
Qdrant Cloud: vector database	EEA	N/A
Nylas: email and calendar integration	EEA (US access)	EU-US DPF (UK Extension)
OpenAI (ChatGPT): foundational model provider	US	SCCs + UK Addendum; TRA completed
Google (Gemini): foundational model provider	US	EU-US DPF (UK Extension)
Anthropic (Claude): foundational model provider	US	SCCs + UK Addendum; TRA completed
SendGrid (Twilio): outbound transactional email	US	EU-US DPF (UK Extension)
Resend: outbound transactional email	US	EU-US DPF (UK Extension)
Twilio: voice, SMS and WhatsApp communications	EEA / US	EU-US DPF (UK Extension)
ElevenLabs: text-to-speech / voice	US	EU-US DPF + SCCs (UK Addendum)
Google Maps Platform: travel-time and viewing logistics	US	EU-US DPF (UK Extension)
Datadog: monitoring, logging and observability	EEA (US access)	EU-US DPF (UK Extension)
PostHog: product analytics	EEA (US access)	EU-US DPF (UK Extension)
Pydantic Logfire: application and LLM observability	EEA (US access)	SCCs + UK Addendum; TRA completed
LangSmith: LLM tracing and evaluation	US	SCCs + UK Addendum; TRA completed

Version	Date	Description	Author	Approved By
1.0	25 March 2026	Security Measures and Sub-Processors	James Wilson	Rameen Sorkhabi
1.1	11 June 2026	Updated Annex 2 sub-processor list and transfer mechanisms	Ahmed Elnaggar	Freddie Poser