SCR-13: Adding Upstash Redis and Slack to Our Sub-Processor Inventory
Version: 1.0.466
Compliance Control: SCR-13
Regulation: UK GDPR Article 13(1)(e)
As part of our ongoing supply chain compliance programme, we have completed a review of third-party services that receive personal data during platform operation. This review identified two sub-processors — Upstash Redis and Slack — that were not previously listed in our privacy policy sub-processor table or our ROPA (Record of Processing Activities). This post explains what these services do, what personal data they receive, and the steps we have taken to address the compliance gap.
Background
UK GDPR Article 13(1)(e) places a clear obligation on data controllers: at the time personal data is collected, individuals must be informed of all recipients or categories of recipients of that data. Sub-processors — third-party services that process personal data on behalf of the controller — must be disclosed.
Our supply chain review (control SCR-13) found that two services in active use were absent from our disclosures.
Upstash Redis — Distributed Rate Limiting
Entity: Upstash Inc. (United States)
Role: Distributed rate limiting
Personal data received: User IDs and IP addresses
Transfer mechanism: Standard Contractual Clauses (SCCs) / IDTA
Upstash Redis is used to enforce rate limits on authenticated API requests (src/lib/rate-limit.ts). On every authenticated request, the platform sends a rate-limit key composed of the user's ID and IP address to Upstash. Both of these are personal data under UK GDPR — IP addresses can identify a natural person, and user IDs are directly linked to platform accounts.
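To make the data flow concrete, the following is an added TypeScript illustration, not the project's own src/lib/rate-limit.ts (which this post does not reproduce): it builds the key as described above, checks whether the key as sent carries a direct identifier, and shows a pseudonymised variant using an HMAC under a platform-held secret (the secret handling, key prefix and field names are assumptions).

```typescript
import { createHmac } from "crypto";

// Shape of the identifiers the post says are combined into the rate-limit key.
export interface RateLimitSubject {
  userId: string;
  ip: string;
}

// Key as described in the post: user ID and IP address, both personal data,
// leave the platform boundary verbatim and are stored by the sub-processor.
export function plainRateLimitKey(s: RateLimitSubject): string {
  return `ratelimit:${s.userId}:${s.ip}`;
}

// Pseudonymised variant: HMAC-SHA256 under a secret that never leaves the
// platform. The sub-processor still gets a stable per-user/per-IP counter key,
// but cannot read the user ID or IP back out of what it stores.
// Assumes neither field contains a newline (used here as the field delimiter).
export function pseudonymisedRateLimitKey(s: RateLimitSubject, secret: string): string {
  const digest = createHmac("sha256", secret)
    .update(`${s.userId}\n${s.ip}`)
    .digest("hex");
  return `ratelimit:${digest.slice(0, 32)}`;
}

// The question a DPO review asks of each outbound key: does it contain a
// direct identifier of the data subject as sent?
export function keyContainsIdentifier(key: string, s: RateLimitSubject): boolean {
  return key.includes(s.userId) || key.includes(s.ip);
}
```

Pseudonymised data is still personal data under UK GDPR, so the HMAC variant reduces what a sub-processor holds but does not remove the Article 13(1)(e) disclosure obligation this post addresses.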
Slack — Incident Alerting
Entity: Salesforce / Slack Inc. (United States)
Role: Incident alerting
Personal data received: Org IDs, domain names, error messages, and operational context
Transfer mechanism: Standard Contractual Clauses (SCCs) / IDTA
Slack receives notifications via an incident webhook whenever platform errors or operational events are triggered. These webhook payloads include org_id, domain names, error messages, and operational metadata. Depending on context, this information may be linked to identifiable natural persons — particularly where the org_id relates to a sole trader or individual.
What We Have Done
- Updated /privacy — Both Upstash Redis and Slack are now listed in the sub-processor disclosure table with their entity details, roles, data categories, and international transfer mechanisms.
- Updated the ROPA — Both services are now recorded in the sub-processor DPA register within our Record of Processing Activities.
- DPA procurement — We are obtaining Data Processing Agreements with both Upstash Inc. and Salesforce/Slack Inc. to formalise the controller–processor relationship.
A Note on org_id as Personal Data
Whether an org_id alone constitutes personal data depends on whether it can be used — directly or in combination with other data — to identify a natural person. For sole traders operating under their own name, an org_id may link directly to an individual. Data Protection Officers should review their DPA definitions and, where in doubt, treat org_id as personal data and apply appropriate safeguards.
International Data Transfers
Both Upstash Inc. and Salesforce/Slack Inc. are US-based entities. Personal data transferred to them from the UK is covered by:
- Standard Contractual Clauses (SCCs) — the European Commission's approved transfer mechanism, recognised under UK law as a valid transfer tool for the transition period.
- IDTA (International Data Transfer Agreement) — the UK Information Commissioner's Office approved mechanism for restricted transfers from the UK.
Summary
| Sub-Processor | Entity | Data Received | Transfer Basis |
|---|---|---|---|
| Upstash Redis | Upstash Inc. (US) | User IDs, IP addresses | SCCs / IDTA |
| Slack | Salesforce / Slack Inc. (US) | Org IDs, domain names, error messages, operational metadata | SCCs / IDTA |
If you have questions about this change or your rights as a data subject, please refer to the updated Privacy Policy or contact our Data Protection Officer.