Version 1.3 | June 2026 | Owner: Andrew James, CEO
This register lists all third-party organisations (sub-processors) that process personal data on behalf of Halved Limited in connection with the Halved platform. It is maintained in accordance with Article 28 of UK GDPR and is reviewed annually or when sub-processors change.
Halved will provide schools with notice of any new or replacement sub-processor in accordance with the data processing agreement (‘DPA’) agreed between Halved and the school and allow any objection rights set out in that DPA before the sub-processor processes live student data.
Any planned or conditional sub-processor must not process live student data until the relevant DPA terms are in place and the school has been notified where required.
Conditional providers must be marked active only if the relevant service is enabled in a way that processes platform personal data.
Sub-processor Register
| Sub-processor | Parent entity | Services used | Purpose | Data categories processed | Location | DPA | Status |
|---|---|---|---|---|---|---|---|
| Microsoft Azure | Microsoft Corporation | App Service, PostgreSQL Flexible Server, Cache for Redis, Blob Storage, Key Vault, Log Analytics Workspace | Application hosting, primary data storage, secrets management, audit logging | Student names, email addresses, accessibility flags, assignment work, chat history, AI learning profiles, session data, API credentials | UK South (London) | Microsoft DPA | Active |
| Azure OpenAI Service | Microsoft Corporation | Azure OpenAI (gpt-4o, gpt-4.1-mini) | AI learning support inference, generating responses to student messages | Chat message text, lesson context, learning profile summary, role-based student identifier | UK South (London) | Microsoft DPA | Active |
| Azure Speech Service | Microsoft Corporation | Speech-to-text, Text-to-speech (en-GB-AdaMultilingualNeural) | Converting student voice input to text; converting AI text responses to audio | Student voice audio recordings, AI-generated text content | UK South (London) | Microsoft DPA | Active |
| Azure Communication Services | Microsoft Corporation | Email send (ACS) | Transactional emails (account creation, password reset, sign-in reminders); safeguarding escalation emails to school leads | User email addresses, names, account setup links, password reset tokens; safeguarding alert content and flagged message excerpts | United Kingdom | Microsoft DPA | Active |
| Azure Container Instances (Gotenberg) | Microsoft Corporation | Azure Container Instances running Gotenberg:8 document converter | Converting teacher-uploaded lesson materials (PPTX, PDF) into page images for in-platform display | Lesson material content (teacher-uploaded educational files) | UK South (London) | Microsoft DPA | Active |
| Azure AI Content Safety | Microsoft Corporation | Content Safety API | Automated moderation of student chat messages and AI responses for safeguarding categories | Chat message text | UK South (London) | Microsoft DPA | Active |
| Azure Logic Apps | Microsoft Corporation | Logic Apps workflow | Orchestrating safeguarding escalation flow triggered by high-severity flags | Safeguarding flag metadata, email content | UK South (London) | Microsoft DPA | Active |
| MongoDB Atlas | MongoDB, Inc. | Atlas M10 cluster (halved-prod-mongodb) | Primary document store for student accounts, lessons, assignments, and chat history | Student names, email addresses, accessibility flags, assignment work, chat conversation history, AI learning profiles | Azure UK South (London) | MongoDB DPA | Active |
| Cloud202 Ltd | Cloud202 Ltd | Infrastructure management, deployment, and Terraform state | Production infrastructure management and technical support | Administrative access to production systems holding student and teacher data | London, UK | Data processing agreement | Active (temporary) |
DPA References
Microsoft Products and Services Data Protection Addendum: microsoft.com/licensing/docs (covers all Azure services listed above under a single Microsoft DPA)
MongoDB Data Processing Agreement: mongodb.com/legal/data-processing-agreement
Notes
Azure AI Content Safety and Azure Logic Apps support the live safeguarding pipeline and are active sub-processors.
No sub-processors are located outside the United Kingdom.
This register covers the production environment (halved-prod-rg, Azure UK South). Development and demo environments process no real student data.
Halved does not use any sub-processor for analytics. Google Analytics and Microsoft Clarity have been removed from the platform.
Cloudflare provides DNS, CDN and security for the Halved marketing website (halved.io) only. It does not sit in front of the student-facing platform (my.halved.io) and processes no student or school personal data, so it is not a platform sub-processor. Confirmed June 2026 by response-header inspection (cf-ray present on halved.io, absent on my.halved.io).
**Review date: **May 2027 (or earlier if sub-processors change) | dataprivacy@halved.io