Driver Codes — Sub-processor List
Provider: RSMT Limited trading as Driver Codes
Version: v1.0 — April 2026
Published location: app.driver.codes/documents/subprocessors
Document use: Published list of Sub-processors engaged by Driver Codes. Incorporated by reference into the Data Processing Addendum.
1. Purpose
This list identifies the Sub-processors Driver Codes has engaged to support the provision of its services. Each Sub-processor operates under a written contract imposing data protection obligations no less protective than those in the Driver Codes Data Processing Addendum (DPA).
This list is maintained by Driver Codes and updated from time to time. The current version is always published at app.driver.codes/documents/subprocessors.
2. Scope
This list covers Sub-processors with access to Customer Personal Data in connection with Driver Codes' processor activities under the DPA (the Customer Portal and related workspace layer), and material processors used in Driver Codes' own controller processing where access to personal data is involved.
DVLA and DVSA are not Sub-processors of Driver Codes. They are independent public bodies from which Driver Codes obtains information under its own registrations and lawful-access arrangements. Their processing of personal data is governed by their own privacy notices.
Individual business customers of Driver Codes are not Sub-processors; each business customer is a Controller in its own right in respect of the check results it receives.
3. Current Sub-processors
The table below shows current Sub-processors at the version date.
| Sub-processor (entity name) | Service provided | Data accessed | Location of processing | Transfer mechanism (if outside UK) |
|---|---|---|---|---|
| Amazon Web Services EMEA SARL (Luxembourg-incorporated AWS contracting entity for EMEA customers) | Production hosting (compute, storage, database, key management, backup, managed services), including Amazon SES for transactional and notification email delivery Data sensitivity: Core service data and check records | All Customer Personal Data processed in the Services; for SES, recipient email address, name, and the contents of transactional messages | United Kingdom (AWS eu-west-2, London region; SES configured to use the London region) | Not applicable (UK processing) |
| Google Ireland Limited (Firebase / Google Cloud) | Firebase Cloud Messaging — mobile push notification delivery Data sensitivity: Device token and short notification payload only; no substantive check result | Device push token, notification payload (which is kept short and free of substantive personal data) | United States and global (Google's Cloud infrastructure; FCM is a global service) | UK Addendum to the EU Standard Contractual Clauses, incorporated into Google's Data Processing and Security Terms; supported by a documented Transfer Risk Assessment |
| Functional Software, Inc. d/b/a Sentry | Application error monitoring, logging, and observability Data sensitivity: Error/log data; may include incidental identifiers and IP addresses | Error and log data, which may incidentally include user identifiers and IP addresses | European Union (Frankfurt, Germany — Sentry EU region) | UK Addendum to the EU Standard Contractual Clauses, incorporated into Sentry's Data Processing Addendum, supported by a documented Transfer Risk Assessment |
| Intercom R&D Unlimited Company (Irish-incorporated, contracting entity for non-Americas customers) | Customer and driver support ticketing and communications Data sensitivity: Support messages and contact details | Support ticket contents, user contact details, communication history | United States (AWS us-east-1, North Virginia) | UK Addendum to the EU Standard Contractual Clauses, incorporated into Intercom's Data Processing Addendum, supported by a documented Transfer Risk Assessment |
| Stripe Payments Europe Limited ("SPEL", Irish-incorporated; main establishment for non-Americas Stripe Users) | Payment processing for subscription and transaction fees (business customers) and consumer app subscriptions Data sensitivity: Billing/payment metadata; Driver Codes does not see or store card numbers | Billing contact details, payment identifiers (Stripe handles card numbers directly under PCI DSS — Driver Codes does not see, store or transmit card data) | United States and global (Stripe Payments Europe contracts in Ireland but Stripe's platform processing occurs across multiple jurisdictions) | UK Addendum to the EU Standard Contractual Clauses, incorporated into Stripe's Data Processing Agreement and Data Transfers Addendum; supported by a documented Transfer Risk Assessment. Note: Stripe acts as an independent controller for Know Your Customer, Anti-Money Laundering, and fraud-prevention activities, and as processor for the payment-on-Driver-Codes'-behalf piece. |
DVLA and DVSA are not listed above because they are not Sub-processors — they are independent public-sector controllers that disclose driver data to Driver Codes under its own DVLA and DVSA registrations. Their handling of driver data is governed by their own privacy notices.
Where the location of processing is outside the United Kingdom, Driver Codes has put in place the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses (UK Addendum) with the relevant Sub-processor, supported by a documented Transfer Risk Assessment in accordance with Information Commission guidance. Summaries are available to customers on request.
4. Change notification
Driver Codes notifies changes to this list in accordance with clause 5.3 of the DPA, which provides:
- advance notice of proposed Sub-processor additions or replacements (including changes to service, location, or scope of access);
- at least 30 days before the change takes effect, unless shorter notice is required for security, legal compliance, or urgent service continuity;
- by update to this list (with a version increment and a dated change note); and
- where customers have requested it, by email to the customer's nominated contact.
Customers that reasonably object to a proposed change on legitimate data protection grounds may raise the objection under clause 5.3 of the DPA.
5. Change log
| Version | Date | Change |
|---|---|---|
| v1.0 | April 2026 | Initial standalone publication. |
6. Contact
Questions about this list: privacy@driver.codes
Note on regulator naming: at the version date of this document, the Information Commissioner's Office (ICO) remains the operative legal name of the UK data protection regulator. References in this document to the "Information Commission" anticipate the regulator's reconstitution under Part 6 of the Data (Use and Access) Act 2025. Our registration (ZA788385) is held with the regulator and will transfer to the Information Commission by operation of law on commencement of sections 118 and 119 of that Act.