Subprocessor List
Overview of organisations that may process personal data in connection with CheckItQuick. This list is for schools, data protection officers and procurement teams.
This list reflects our processors and controller-directed integrations as of the last-updated date on this page. We may onboard or replace vendors where necessary to provide the Service.
Controller-directed school systems (iSAMS and MySchoolPortal)
iSAMS and MySchoolPortal are not appointed by us as subprocessors in the ordinary sense. They are school-selected systems and integrations. The school remains responsible for its own contracts, permissions and instructions with those providers. We connect to them only using credentials and configuration the school supplies. We list them here so you can see the full data flow, not because we hold processor-to-processor agreements with those vendors on the school’s behalf.
Changes and objections. Where your agreement requires formal notice of subprocessor changes, we provide updates through the nominated contact or product channels. If we intend to add or replace a material subprocessor for personal data processed on your behalf, you may object on reasonable data protection grounds within 14 days of our notice, as set out in our Data Processing Agreement. If you object, we will work with you in good faith; where we cannot resolve the objection, you may be entitled to terminate in line with your agreement.
For additional supplier paperwork (registered addresses, specific SCC references), contact [email protected].
| Legal entity (trading name) | Role | Purpose | Typical personal data / categories | Primary location / processing | International transfers | DPA / terms (overview) | Pupil or parent data? |
|---|---|---|---|---|---|---|---|
| OVH SAS (OVHcloud) | Subprocessor (hosting) | Virtual private server hosting: application runtime, networking, container deployment; backups configured on this infrastructure. | Service configuration, credentials, operational logs, application data at rest; transient processing of parent/pupil data while requests are handled (not held as a deliberate pupil database). | OpenStack os-uk2; data centre region London (UK). |
UK for primary application hosting as configured; see OVH contractual documentation for group operations. | OVHcloud agreements | May flow through the application in memory or logs when schools use the Service; schools should scope fields and permissions carefully. |
| Neon, Inc. (Neon) | Subprocessor (managed database) | Managed PostgreSQL for application data, configuration, credentials, operational metadata and support-related records stored in the database. | School settings, API keys/secrets, staff account linkage, billing references, logs metadata, Data Protection keys; not a separate copy of the school’s MIS pupil database. | AWS eu-west-2 (London), United Kingdom. |
Primary data region UK; Neon is a US-based provider โ transfer safeguards (e.g. UK IDTA/addendum, SCCs or equivalent) apply as described in Neon’s documentation. | Neon security & compliance | Same as hosting: incidental in DB fields/logs if schools expose data through workflows. |
| Brevo SAS (Brevo) | Subprocessor (email delivery) | Transactional and operational email (notifications, service messages where enabled). | Recipient email addresses, message content, send metadata. | EU-based processing as described by Brevo. | EU-focused; Brevo offers GDPR documentation, DPA and contractual transfers terms. | Brevo privacy & legal | Possible where emails relate to parents or staff; message content should be minimised. |
| Zoho Corporation (Zoho Mail and related services) | Subprocessor (business email) | Company mailboxes for support and operational correspondence. | Email content and headers; contact details of correspondents. | Per Zoho’s regional documentation (may include US/EU/India operations). | Appropriate transfer mechanisms per Zoho’s DPA where personal data is processed outside the UK. | Zoho privacy | Usually staff or school contacts; may include parent details if included in a support thread. |
| Stripe Payments Europe, Ltd; Stripe Technology Europe, Ltd; Stripe, Inc. (Stripe) | Subprocessor (payments) | Subscription billing and card payments where the school (or Academic Intelligence on its behalf) pays online. | Billing contact name and email, payment instrument metadata, transaction records; not pupil lesson data. | Per Stripe’s documentation (EU entity for many UK/EU controllers). | Stripe provides a DPA and IDTA/SCC-based arrangements as applicable. | Stripe legal (UK) | Typically no pupil records; may include parent name/email if supplied as payer contact. |
| Google LLC (Google) | Subprocessor (authentication) | “Sign in with Google” for authorised school staff administrator accounts where configured. | Google account identifier, name, email from the Google profile; OAuth tokens as handled by the platform. | Global Google infrastructure. | Google offers standard contractual terms and transfer tools for workspace/consumer authentication per their documentation. | Google Privacy Policy | Staff/admin use; pupils and parents normally authenticate through the school’s MySchoolPortal route, not Google. |
| GitHub, Inc. (GitHub) | Subprocessor (dev/CI) | Source control and CI/CD; build metadata. Production pupil databases are not stored in repositories. | Code, commit metadata, workflow logs; typically no pupil records. | Primarily United States. | GitHub Data Protection Agreement and SCC-style terms for restricted transfers. | GitHub terms | No by design; operational secrets must not be committed. |
| Your school’s iSAMS provider (legal name per the school’s contract; product: iSAMS) | Controller-directed integration (not our ordinary subprocessor) | MIS HTTP/API integration configured by the school for record lookup and updates. | Categories determined by the school’s iSAMS exposure and API permissions. | As between the school and its MIS/hosting arrangements. | Not applicable as a transfer we control; school governs its own arrangements. | School’s agreement with its vendor. | Yes when the school exposes pupil or parent fields through the integration. |
| MySchoolPortal (legal entity per the school’s MySchoolPortal contract) | Controller-directed integration (not our ordinary subprocessor) | Single sign-on and/or parent portal identity where configured by the school. | User identity claims, SSO metadata, session correlation as required for login. | As between the school and MySchoolPortal. | School governs its contract and any international aspects. | School’s agreement with MySchoolPortal. | Yes for account/identity linked to parents or staff as configured. |
Registered office for Academic Intelligence Ltd appears in the site footer and in our policies. Company number 17204358. Last updated: 12 May 2026.
Last updated: 12 May 2026.