Sub-processors
The sub-processors Skillscan Limited engages to deliver the Skilly platform. Each is contractually bound to equivalent data-protection obligations to those Skillscan undertakes to schools.
Active sub-processors
| Sub-processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Supabase Inc. | Primary database — all student reflection text, flags, assignments, audit log, every persistent table | EU — Frankfurt (aws-1-eu-central-1) | Within EEA |
| Vercel Inc. | Application hosting — server-rendered pages, API routes, cron functions. No persistent data. Also provides cookieless, aggregate Web Analytics on the public marketing pages only (visitor counts, page views, referrers) — no cookies, no personal data, never on the signed-in platform. | EU — Frankfurt (fra1, pinned in vercel.json) | EU-U.S. Data Privacy Framework + SCCs 2021 (controller-level — function execution is EU-pinned but contract is US) |
| Anthropic PBC | AI inference — reflection scoring, safeguarding detection, AI-generated reports. Data redacted at our edge for emails / phones / addresses / Eircodes / PPSNs / personal names before transit. Org-level Zero-Retention contract — no input/output retained beyond the response. | United States (default Anthropic endpoint) unless ANTHROPIC_BASE_URL pins an EU endpoint at the deploy | EU-U.S. DPF + SCCs 2021 + Zero-Retention Rider |
| Resend Inc. | Transactional email delivery — wellbeing-flag escalations, password resets, parent digests, classroom invitations | EU — Frankfurt (api.eu.resend.com) when RESEND_REGION=eu is set; otherwise US (api.resend.com) | Within EEA when EU region is configured; otherwise EU-U.S. DPF + SCCs 2021 |
| Microsoft Ireland Operations Ltd. | Microsoft 365 SSO — sign-in only when a school enables it. Email + name + Entra Object ID read from the ID token to map to existing Skilly user. No student reflection data ever sent to Microsoft. | Microsoft global identity platform (per the school's own Entra tenancy region) | Within EEA for EU Microsoft tenants; otherwise EU-U.S. DPF + SCCs 2021 |
| Stripe Inc. | School subscription billing — tenant id, school name, billing email, invoice history. No student data, no reflection content, no safeguarding flags. | United States (with EU data centre tier for paid customers) | EU-U.S. DPF + SCCs 2021 |
The live data-residency posture for the running deployment is also surfaced inside the school's admin panel at /admin/gdpr (under Where your data lives) — read at request time so what a DPO sees there is what the production stack actually does, not what this page claims.
Change notifications
Before we add or replace a sub-processor we will notify each subscribing school at least 30 days in advance and give them an opportunity to object. If a school reasonably objects on data-protection grounds we will either address the objection or allow the school to terminate the subscription with a pro-rata refund.
Where this fits
For the broader picture of who is the data controller, what data we hold, and what rights you have, see our Privacy Policy.
This page is the authoritative list. We do not maintain sub-processor information in any other location. Last updated 8 May 2026.