Last updated: 9 June 2026

This document lists the sub-processors and "Sub-Providers" that Exchester Ltd (a company incorporated in England and Wales with company number 12601661, whose registered office is at 2nd Floor College House, 17 King Edwards Road, Ruislip, London, HA4 7AE, United Kingdom), trading as GATA AI ("GATA", "we", "us", "our"), uses to provide the GATA AI software-as-a-service platform (the "Service").

This list is published in three capacities at the same time:

it is the recipients summary referenced in Section 5 of the GATA AI Privacy Notice (https://gata.ai/privacy);
it is Annex III (List of Sub-Processors) of the GATA AI Data Processing Addendum (https://gata.ai/dpa) (the "DPA"), through which Customers (as controllers) authorise GATA (as processor) to engage these sub-processors to process Customer Personal Data on the Customer's behalf; and
it operationalises the "Sub-Providers" defined in clause 1 of the GATA AI Terms of Service (https://gata.ai/terms-of-service) (the "Terms").

Capitalised terms used but not defined here have the meanings given to them in the Terms or, where relevant, in the DPA.

1. Current Sub-Processors

The table below sets out the sub-processors that GATA uses to provide the Service as at the "Last updated" date.

#	Sub-Processor (legal entity)	Role / processing performed	Categories of personal data processed	Processing location(s)	Transfer mechanism (UK / EEA → recipient)
1	Amazon Web Services EMEA SARL (Luxembourg) — Amazon S3	Object storage of Customer Content (Inputs and Outputs), backups, transactional data, application logs and security logs.	Customer Content (which may include images, video, audio, scripts and any personal data they contain); Account, contractual, billing, usage and log data.	eu-west-2 (London, United Kingdom) with multi-AZ redundancy within the region.	Intra-UK / intra-EEA controller-to-processor processing under Article 28 UK GDPR / EU GDPR. AWS Data Processing Addendum and EU Standard Contractual Clauses / UK IDTA executed at the parent-account level for any onward transfer outside the UK / EEA that may occur (e.g. parent-company access from AWS Inc. in the US).
2	Amazon Web Services EMEA SARL (Luxembourg) — Amazon Bedrock	Hosted access to foundation models for text generation, parsing and content moderation (the default text model is configured by GATA via the `BEDROCK_TEXT_MODEL_ID` environment variable). All Customer-content moderation calls are routed through Bedrock.	Inputs and Outputs (which may include personal data); prompt and completion content; moderation classifications.	eu-west-2 (London, United Kingdom) for the inference endpoint where the selected model is available in eu-west-2; otherwise the closest in-region endpoint where the model is offered (which, for some Anthropic models, can include EU-resident endpoints in eu-west-1 / eu-central-1, or US endpoints in us-east-1 / us-west-2).	Intra-UK / EEA where eu-west-2 is used. UK / EEA → US transfers, where required by model availability, occur under the AWS Data Processing Addendum incorporating the EU Standard Contractual Clauses (Module 2 / 3) and the UK Addendum (UK IDTA), supplemented by AWS's certification under the EU–US Data Privacy Framework (and the UK Extension to it) where in force, plus AWS's published technical and contractual supplementary measures.
3	Amazon Web Services EMEA SARL (Luxembourg) — Amazon Transcribe	Speech-to-text transcription of audio extracted from Customer Content (used in the localisation pipeline to derive transcripts from uploaded video for downstream translation and re-voicing).	Audio extracted from Customer Content (which may contain personal data, including spoken voice that may identify a natural person); resulting transcripts; processing metadata.	eu-west-2 (London, United Kingdom), matching the S3 bucket region (`AWS_TRANSCRIBE_REGION`).	Intra-UK / intra-EEA controller-to-processor processing under Article 28 UK GDPR / EU GDPR, under the same AWS Data Processing Addendum and transfer-mechanism stack referenced in row 1 (SCCs / UK IDTA for any parent-company-level access from AWS Inc. in the US).
4	Amazon Web Services EMEA SARL (Luxembourg) — Amazon Simple Email Service (SES)	Sending transactional email (e.g. account email-verification codes, password resets, billing notifications, security and service notices).	Recipient business email address; sender identity; message content (typically transactional, no special-category data); delivery metadata (timestamps, bounces, complaints).	eu-west-2 (London, United Kingdom) sending endpoint; mail traversal across global SMTP infrastructure to recipient mail servers.	Intra-UK / EEA at the sending endpoint. Onward transit across the public internet to recipient mail servers is in the nature of email and is handled under the AWS Data Processing Addendum and the SCCs / UK IDTA referenced in row 1, plus the protections in Section 7 of the DPA (international transfers).
5	fal.ai, Inc. (Delaware, United States)	Hosted access to image- and video-generation models, including image generation, image-to-video, character "reels", and lip-sync. All Generative Operations of those types are routed to fal.ai.	Inputs (including images, video, voice samples and prompts) and Outputs of image- and video-generation operations. May contain personal data (likeness, voice).	United States (fal.ai is US-headquartered; processing is described in fal.ai's privacy policy as occurring on servers in the United States and in other countries).	UK / EEA → US restricted transfer under Chapter V of UK / EU GDPR. The applicable transfer mechanism for this transfer category is the EU Standard Contractual Clauses (Module 2 / 3 — Controller-to-Processor / Processor-to-Sub-processor) and the UK Addendum, as published by fal.ai in its standard terms. Operational safeguards include encryption in transit, no use of Inputs to train fal.ai or upstream model providers absent a separate authorisation, and deletion on Customer request.
6	ElevenLabs, Inc. (Delaware, United States)	Hosted access to text-to-speech and dialogue models for voice synthesis. Used by the script-to-video pipeline to generate dialogue and narration audio from Customer-provided scripts, and for inline audio-tag generation (`ELEVENLABS_TTS_MODEL_ID`, `ELEVENLABS_DIALOGUE_MODEL_ID`).	Inputs (scripts, prompts, voice IDs and, where the Customer supplies a reference sample, the reference audio) and Outputs (synthesised audio). May contain personal data (likeness of voice where a Customer supplies a reference sample).	United States (ElevenLabs is US-headquartered; processing is described in ElevenLabs's privacy policy as occurring on servers in the United States).	UK / EEA → US restricted transfer under Chapter V of UK / EU GDPR. The applicable transfer mechanism for this transfer category is the EU Standard Contractual Clauses (Module 2 / 3 — Controller-to-Processor / Processor-to-Sub-processor) and the UK Addendum, as published by ElevenLabs in its standard terms. Operational safeguards include encryption in transit, "Zero Retention" / no-training configuration where the Customer's plan supports it, and deletion on Customer request.
7	OpenAI Ireland Limited (Dublin, Ireland), contracting for the OpenAI group including OpenAI, L.L.C. (United States)	Hosted access to GPT-family foundation models for structured-output text generation (e.g. script parsing, shot extraction).	Inputs and Outputs (which may include personal data); prompt and completion content.	United States and other countries. OpenAI is a global service; GATA does not offer or guarantee EU / EEA data residency for OpenAI processing.	UK / EEA → US restricted transfer under Chapter V of UK / EU GDPR, under the OpenAI Data Processing Addendum, the EU Standard Contractual Clauses (Module 2 / 3) and the UK Addendum, supplemented by OpenAI's certification under the EU–US Data Privacy Framework and the UK Extension where in force. API data is not used to train OpenAI's models under OpenAI's API terms.
8	Google Cloud EMEA Limited (Dublin, Ireland) — Vertex AI and Google Cloud Storage	(a) Vertex AI: hosted access to Google's Gemini foundation models for structured-output text generation and video analysis (used in the localisation pipeline to analyse uploaded video). (b) Google Cloud Storage: object storage of localisation video uploads (browser uploads via v4-signed URLs; staging for Vertex AI calls).	Customer Content (uploaded video, derived frames and audio) and prompt / completion content for Vertex AI calls. May contain personal data.	United States and other countries. Google Cloud is a global service; while certain operations currently run in the EEA (europe-west4, Netherlands), GATA does not offer or guarantee EU / EEA data residency, and the regions used may change.	Controller-to-processor processing under Article 28 UK GDPR / EU GDPR under the Google Cloud Data Processing and Security Terms, supplemented by EU Standard Contractual Clauses (Module 2 / 3) and the UK Addendum for transfers to and access by Google LLC (United States), plus Google's certification under the EU–US Data Privacy Framework and the UK Extension where in force.
9	Stripe Payments Europe, Limited (Ireland) — billing entity for EEA Customers; Stripe Payments UK, Limited (United Kingdom) — billing entity for UK Customers	Subscription billing, payment-card processing, Top-Up Batch processing, invoicing, dunning, chargeback handling, Stripe Tax (where enabled), Customer Portal. Stripe acts as an independent controller in respect of payment-card data and a processor in respect of certain billing metadata; see Stripe's published Data Processing Agreement.	Billing name, billing address, VAT/tax-registration number, business email, payment-method metadata (card brand, last 4 digits, expiry — full PAN is processed by Stripe and is not received or stored by GATA), invoice records, Charge records, Subscription state.	Stripe's primary processing locations for UK / EEA business: Ireland and the European Union, with onward transfers to the United States under Stripe's intra-group arrangements.	Intra-UK / EEA at the billing-entity level. Onward UK / EEA → US transfers occur under the EU Standard Contractual Clauses and the UK Addendum between Stripe entities, plus Stripe's certification under the EU–US Data Privacy Framework and UK Extension where in force.
10	Google LLC (Mountain View, California) and Google Ireland Limited (Dublin) — Google Analytics 4 (measurement ID `G-NFPBEF1HB4`) — third-party recipient acting as an independent controller, not a sub-processor under Article 28 UK / EU GDPR.	Website and product measurement: page views, custom events, post-sign-in account-bound `user_id` and `user_properties`. Loaded only after end-user opt-in via the cookie consent banner described in the Cookie Notice.	Online identifiers (GA4 cookie identifiers, IP address); event metadata; post-sign-in `user_id` (internal pseudonymous identifier) and `user_properties` (account type, plan, admin role). No Customer Content.	United States (with a UK / EEA front-door).	UK / EEA → US restricted transfer. The transfer is operated by Google under the EU Standard Contractual Clauses (Module 1 — Controller-to-Controller) and the UK Addendum / UK IDTA, both incorporated into Google's Measurement Controller-to-Controller Data Protection Terms, supplemented by Google LLC's certification under the EU–US Data Privacy Framework and the UK Extension where in force.
11	Google LLC — Google Fonts (`fonts.googleapis.com`) — third-party recipient acting as an independent controller, not a sub-processor under Article 28.	Web-font CDN serving the "JetBrains Mono" typeface. No cookie set on `gata.ai`; visitor IP exposed to Google's CDN.	IP address; standard HTTP request metadata.	United States.	UK / EEA → US restricted transfer under Google's transfer-mechanism stack (SCCs / UK Addendum + DPF / UK Extension).
12	Prospect One sp. z o.o. (Kraków, Poland) — jsDelivr — fronted by Cloudflare, Inc. and Fastly, Inc. (United States) — third-party recipients acting as independent controllers, not sub-processors under Article 28.	Web-font CDN serving the "Geist" typeface family from `cdn.jsdelivr.net`. No cookie set on `gata.ai`; visitor IP exposed to jsDelivr and the underlying CDN providers.	IP address; standard HTTP request metadata.	EEA (jsDelivr origin in Poland) and United States (Cloudflare / Fastly edge).	Intra-UK / EEA at jsDelivr; UK / EEA → US edge-routing under Cloudflare and Fastly's published transfer-mechanism stacks (SCCs / UK Addendum + DPF / UK Extension certifications where in force).
13	Professional advisers, banks and corporate-services providers (UK; EEA) — not strictly Sub-Providers under the Terms, but listed for transparency.	Legal, accounting, tax, audit and corporate-services support to GATA. Engaged on a need-to-know basis under professional confidentiality.	Account, contractual and billing data (limited disclosure where relevant to the engagement).	United Kingdom (and, for some advisers, the European Economic Area).	Intra-UK / intra-EEA professional engagement under contracts of service. Where applicable, controller-to-processor terms or Article 28 GDPR clauses are in place.

We do not currently use any of the following categories of sub-processor:

error monitoring or browser-side crash reporting (e.g. Sentry, Datadog RUM, Bugsnag, Rollbar) — none deployed;
third-party customer-support tooling (e.g. Intercom, Zendesk, Help Scout, HubSpot Service Hub) — none deployed; support is handled by direct email to support@gata.ai routed through Amazon SES and the GATA team's own mailboxes;
outbound marketing-email platforms (e.g. HubSpot, Mailchimp, Brevo, Customer.io) — none deployed;
session-replay or behavioural-recording tools (e.g. Hotjar, FullStory, LogRocket) — none deployed;
advertising or retargeting platforms — none deployed.

If we add any of the above, we will update this list and follow the change-notification process described in Section 3 below.

2. Onward Sub-Processors

Each Sub-Processor in Section 1 may itself engage onward sub-processors to perform parts of the service. Where the Sub-Processor is acting as a processor on GATA's instructions, the Sub-Processor is contractually required to flow down equivalent processor obligations to its onward sub-processors. The principal onward sub-processors operated by our Sub-Processors are:

for AWS (rows 1 to 4): the AWS group of companies, including AWS Inc. (United States) for parent-company-level access to AWS infrastructure. AWS publishes a list of its sub-processors at https://aws.amazon.com/compliance/sub-processors/.
for fal.ai (row 5): the upstream foundation-model providers whose models fal.ai exposes (which may include US-based providers). fal.ai is contractually required to ensure that those upstream providers do not use Customer Inputs or Outputs to train their models without a separate authorisation, save where such training is described in the relevant model's published terms and a corresponding consent has been obtained from GATA (and, through GATA, from the Customer).
for ElevenLabs (row 6): ElevenLabs's US group entities and its infrastructure providers (which include hyperscale cloud providers in the United States). ElevenLabs publishes its sub-processor list at https://elevenlabs.io/legal/list-of-sub-processors.
for OpenAI (row 7): OpenAI, L.L.C. (United States) and other OpenAI group entities, and OpenAI's infrastructure providers. OpenAI publishes its sub-processor list at https://openai.com/policies/subprocessor-list/.
for Google Cloud (row 8): Google LLC (United States) and other Google group entities for parent-company-level access. Google publishes its Google Cloud sub-processor list at https://cloud.google.com/terms/subprocessors.
for Stripe (row 9): Stripe Inc. (United States) and other Stripe group entities. Stripe publishes its sub-processor list at https://stripe.com/legal/sub-processors.

GATA reviews the published sub-processor lists of its Sub-Processors periodically and assesses material changes against the change-notification process in Section 3 below.

3. Change-Notification Process

GATA may from time to time appoint new sub-processors or replace existing ones. We commit to the following process, which forms part of the DPA (Annex III):

3.1 Notification. GATA will give Customers at least 30 days' prior written notice of any new or replacement sub-processor that will process Customer Personal Data ("Change Notice"). Notice will be given by:

updating this list at https://gata.ai/subprocessors and updating the "Last updated" date at the top; and
emailing the Account administrator on each Customer's Account.

Customers may subscribe to email notifications of sub-processor changes by emailing support@gata.ai with the subject line "Subscribe — Sub-Processor Updates". Subscription is free of charge and may be cancelled at any time by emailing the same address.

3.2 Right to object. A Customer may object, on reasonable data-protection grounds, to a proposed new or replacement sub-processor by giving GATA written notice of objection within 15 days of the Change Notice. The notice of objection must set out the data-protection grounds for the objection in reasonable detail.

3.3 Resolution. Where a Customer objects under clause 3.2, GATA and the Customer will discuss the objection in good faith and consider commercially reasonable alternatives (which may include workarounds or configuration changes where available; GATA does not, however, offer EU / EEA data residency or EU-only Processing as a standard or Enterprise option). If the parties cannot agree within a further 30 days, the Customer's exclusive remedy is to terminate the affected Subscription on written notice with effect at the end of the then-current Subscription Term (clause 14.2 of the Terms). For Enterprise Customers, the remedy in any executed Order Form prevails to the extent inconsistent with this clause 3.3.

3.4 Emergency replacement. Where a sub-processor must be replaced urgently (for example, where the existing sub-processor has a material outage, a security incident, or has materially breached its agreement with GATA, or where required by Applicable Law), GATA may give shorter notice than 30 days, in which case GATA will give as much notice as is reasonably practicable in the circumstances and will document the urgent-replacement basis in the next Change Notice.

3.5 Equivalent obligations. GATA will procure that each new or replacement sub-processor is bound by data-protection obligations no less protective than those in the DPA, in accordance with Article 28(4) UK GDPR and EU GDPR.

4. How We Choose Sub-Processors

When we engage a sub-processor that will process Customer Personal Data, we apply a documented selection process that includes:

a review of the sub-processor's published security and privacy posture (including SOC 2 / ISO 27001 attestations, where available);
execution of a written Article 28-compliant data-processing agreement, including instructions on processing, confidentiality, security obligations, sub-processor management, audit, and return / deletion on termination;
for any restricted transfer outside the UK / EEA, a transfer-impact assessment and execution of an appropriate transfer mechanism (UK IDTA, UK Addendum to EU SCCs, EU SCCs, and reliance on adequacy regulations or certifications where applicable);
configuration of the sub-processor's service to minimise personal data sent (region selection, opt-out from training where available, retention configuration); and
a periodic re-assessment of the sub-processor against the matters in (a) to (d).

5. Contact

Questions about this Sub-Processor List, the underlying transfer mechanisms, or our use of any specific sub-processor may be sent to support@gata.ai.

Exchester Ltd (trading as GATA AI)
Registered in England and Wales, company number 12601661.
Registered office: 2nd Floor College House, 17 King Edwards Road, Ruislip, London, HA4 7AE, United Kingdom.