How We Manage Subprocessors
We screen vendors before we onboard them, contractually flow our data-protection obligations down to them, and review them quarterly.
- Selection: We select subprocessors based on their security posture (SOC 2 Type II, ISO/IEC 27001, or equivalent certifications preferred), their data-protection commitments, their geographic footprint, and their fit with the service we need.
- Contracts: Every subprocessor that processes Personal Data is bound by a written agreement (typically a Data Processing Agreement or equivalent) imposing data-protection obligations no less protective than those we accept.
- Transfers: Where Personal Data crosses borders, we rely on the EU Standard Contractual Clauses (Decision 2021/914) and, for UK-origin data, the UK ICO's International Data Transfer Addendum.
- Reviews: We review the subprocessor list quarterly and refresh due diligence on a risk-tiered basis.
Notice of Changes
Want to be told before a new subprocessor goes live? Subscribe.
We provide at least thirty (30) days' notice of any addition or replacement of a subprocessor that will process Personal Data of one of our clients.
You can subscribe to subprocessor-change notifications by emailing privacy@headgatetech.com with the subject line "Subscribe: Subprocessors" and the email address(es) you want notified. To unsubscribe, reply with "Unsubscribe."
If you object to a new subprocessor on reasonable data-protection grounds, contact privacy@headgatetech.com within fifteen (15) days of the notice. We will work with you to find a resolution; if we cannot, you may terminate the affected Statement of Work without penalty (other than for services already performed), as set out in Section 6.4 of the DPA.
Current Subprocessors
HEADGATE's site and operational tooling are deliberately minimal. The three vendors below are the only sub-processors that may process personal data on our behalf as of the "Last updated" date above. Click a vendor name to read its data-protection commitments.
| Sub-processor | Purpose | Location of processing | Transfer mechanism (from EEA / UK / CH) | DPA / privacy reference |
|---|---|---|---|---|
| Railway Corp. | Application hosting for headgatetech.com (container runtime, build, deploy, runtime logs). | United States (region-locking available per service). | EU SCCs (Module 3) where transfer applies; UK Addendum. | railway.com/dpa |
| Cloudflare, Inc. | DNS, TLS termination, CDN, DDoS / WAF protection for headgatetech.com. | United States; global edge. | EU SCCs (Module 3) + DPF (where applicable); UK Addendum. | cloudflare.com/cloudflare-customer-dpa |
| GitHub, Inc. (Microsoft) | Source-code repository, version history, and CI/CD configuration for the website. | United States. | EU SCCs + DPF (Microsoft is DPF-certified); UK Addendum. | github.com / Global Privacy Practices |
We do not use any other third-party service that processes personal data on our behalf. We do not embed Google Analytics, Meta Pixel, LinkedIn Insight Tag, advertising networks, social-media trackers, third-party fonts, third-party CRMs, or third-party AI vendors on this site. If that ever changes, this page and the change-log below will be updated and any client whose data is affected will receive thirty (30) days' written notice in accordance with the DPA.
Past Changes (last 12 months)
A simple log so you can see how the list has evolved.
| Date | Change | Subprocessor | Reason |
|---|---|---|---|
| 2026-05-05 | Initial publication | — | First public version of this page |
Affiliate Sub-processors
HEADGATE does not currently engage Affiliate sub-processors (i.e., other entities under common control). If we do in the future, we will list them here.
Contact
For questions about this list, including subscription requests and objections to specific subprocessors:
- Email: privacy@headgatetech.com
- Postal: HEADGATE TECHNOLOGY LTD, Suite C, Level 7, 50 Stanley Street, Central, Hong Kong