Compliance Update: Upstash/Vercel KV and Slack Added to Sub-processor Disclosures
Release: v1.0.465 · Date: 26 March 2025 · Tracking: SCR-13
Overview
This release resolves a UK GDPR Article 13(1)(e) compliance gap (internal reference: SCR-13). Two sub-processors — Upstash Inc. / Vercel KV and Salesforce / Slack Inc. — were already processing personal data on behalf of the platform but were not listed in the Privacy Policy or the Record of Processing Activities (ROPA). Both have now been fully disclosed.
No product features or data flows were changed. This update exclusively brings legal documentation into alignment with how the platform already operates.
What personal data flows to these services?
Upstash Inc. / Vercel KV
- Data received: User IDs, IP addresses
- Why: Used as short-lived rate-limit keys on every authenticated API request to prevent abuse. Keys have a TTL of 2–10 minutes and are not retained beyond that window.
- Data location: US (AWS us-east-1)
- Transfer mechanism: Standard Contractual Clauses (SCCs) / UK IDTA
- DPA: upstash.com/trust/dpa.pdf
Salesforce / Slack Inc.
- Data received: Organisation IDs, error context, operational metadata
- Why: Engineering on-call webhook (`SLACK_INCIDENT_WEBHOOK_URL`) used to route P0/P1 security incident alerts.
- Data location: US (Slack infrastructure)
- Transfer mechanism: SCCs / UK IDTA
- DPA: Salesforce/Slack DPA
Note on `org_id`: Organisation IDs are considered personal data under UK GDPR where the organisation is a sole trader or single-person LLC, since the identifier can be traced to a natural person.
Changes to the Privacy Policy
The /privacy page has been rewritten from a generic shell component to a fully custom, product-specific policy. The updated page includes:
- 10-entry sub-processor table covering all recipients of personal data, including Upstash and Slack, with DPA links for each.
- Legal bases table mapping each processing purpose to the relevant UK GDPR Article 6 ground.
- Retention schedule:
  - Account data: duration of account + 30 days post-deletion
  - Financial records and HMRC submissions: 7 years (statutory requirement)
  - Audit logs: 3 years
  - Rate-limit counters (Vercel KV / Upstash): 2–10 minute TTL — no long-term retention
  - Incident alerts (Slack): subject to Slack's retention policy; 90-day automatic deletion recommended
- Data subject rights section covering access, rectification, erasure, restriction, portability, and objection.
- Security section describing encryption at rest and in transit for sensitive fields.
All 10 sub-processors in the table:
| Sub-processor | Role |
|---|---|
| Neon Inc. | Managed PostgreSQL database |
| Vercel Inc. | Application hosting, edge compute, CDN |
| TrueLayer Ltd. | Open Banking connectivity |
| Resend Inc. | Transactional email delivery |
| Twilio Inc. | SMS and WhatsApp notifications |
| Inngest Inc. | Background job orchestration |
| Upstash Inc. / Vercel KV | Distributed rate limiting (new) |
| Salesforce / Slack Inc. | Incident alerting (new) |
| AgentOS Ltd. | Letting agent data source |
| HMRC | Statutory tax submission recipient |
Changes to the ROPA Register
The /ropa page has been updated with the following additions:
New sub-processor entries
- Upstash Inc. / Vercel KV — role, data location, transfer mechanism, and DPA link added to the sub-processor register.
- Salesforce / Slack Inc. — role, data location, transfer mechanism, and DPA link added to the sub-processor register.
Updated processing activities
| Activity | Change |
|---|---|
| PA-001 — Authentication | Vercel KV added as a recipient (user IDs and IP addresses transmitted at login) |
| PA-009 — Security Monitoring | Slack added as a recipient with correct data categories |
| PA-010 — Audit Logging | Vercel KV added as a recipient (rate-limit checks accompany audit-logged requests) |
New processing activity
PA-012 — Distributed Rate Limiting
A dedicated processing activity entry documenting the full data flow for rate limiting:
- Data categories: User IDs, IP addresses
- Purpose: Abuse prevention and API stability
- Processor: Upstash Inc. / Vercel KV
- Legal basis: Legitimate interests (Art. 6(1)(f))
- Retention: 2–10 minute key TTL
What you need to do
No action is required from platform users. If you are a data processor or enterprise customer reviewing your own sub-processor lists, you should:
- Add Upstash Inc. (via Vercel KV) and Salesforce / Slack Inc. to your own sub-processor disclosure documentation if you rely on this platform.
- Confirm that your own DPA with AgentOS Ltd. covers onward transfer to these processors under SCCs / UK IDTA.
For questions, contact privacy@agentos.com.