Overview
TrainMeUK Ltd ("TrainMeUK", "we") uses third-party subprocessors to deliver and support the TrainMeUK learning management platform and related services.
This page lists subprocessors that may process customer personal data on behalf of our customers when they use the Service. It supports transparency under UK GDPR and our Data Processing Addendum.
Controller / processor roles: For data processed through the LMS, the customer organisation is typically the data controller and TrainMeUK acts as processor. For TrainMeUK website accounts, billing, and marketing, TrainMeUK is controller — see section 3 below.
1. Platform subprocessors (LMS service)
These subprocessors support core platform operation. Customer personal data is processed under customer instructions via the Service.
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Microsoft Azure | Cloud hosting, PostgreSQL database, Azure Cache for Redis, blob storage, Azure Functions, monitoring | Customer personal data and training records processed through the platform (e.g. user accounts, progress, compliance records, uploaded content, SCORM packages) | United Kingdom (UK South / UK West) |
| Microsoft 365 | Transactional email (notifications, reminders, system messages) | Email addresses, names, message content required to deliver notifications | United Kingdom / EEA (Microsoft datacentre region configured for tenant) |
2. Optional / feature subprocessors
These subprocessors are used only when the relevant feature is enabled or used by the customer organisation.
| Subprocessor | Feature | Data processed | Location / transfers |
|---|---|---|---|
| OpenAI | SCORM Course Builder AI (text generation only) | Text prompts and course content submitted by authorised admins when using AI authoring tools | May involve processing outside the UK; appropriate transfer safeguards applied |
| Microsoft Azure AI Face API | Learner Verify (optional, tenant-configured) | Facial images for identity comparison during course completion; explicit learner consent required | United Kingdom (Azure UK region) |
| Microsoft Graph | Microsoft 365 / Teams integration (optional) | User identity and calendar/session data where the customer connects Microsoft 365 | United Kingdom / EEA |
Learner Verify is not enabled for all tenants. Where enabled, processing is described in our Privacy Policy and customer DPIA materials.
3. TrainMeUK website and account billing
When you sign up for TrainMeUK or pay for a subscription, TrainMeUK is the data controller for account and billing data. The following subprocessors may apply:
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Stripe | Payment processing for TrainMeUK subscriptions | Billing contact details, payment metadata (TrainMeUK does not store full card numbers) | Stripe processing locations per Stripe policies; transfer safeguards applied |
| Xero | Accountancy and invoicing for TrainMeUK business operations | Customer organisation names, billing contacts, invoice and payment records for TrainMeUK subscriptions | United Kingdom / Australia (Xero Ltd); transfer safeguards per Xero terms |
| Microsoft Azure | Website hosting and related infrastructure | Website usage, contact form submissions, account data as applicable | United Kingdom |
4. Infrastructure not processing customer personal data
The following providers support TrainMeUK operations but do not routinely process customer personal data from the LMS in the course of service delivery:
- GitHub — source code and CI/CD (production customer data is not stored in GitHub)
- Namecheap — domain registration and DNS
5. Changes to subprocessors
We review subprocessors periodically and update this list when we add or replace subprocessors that process customer personal data.
Where required under our Data Processing Addendum, we will notify customer organisations before engaging a new subprocessor or making a material change, allowing a reasonable objection period.
Material updates to this page will be reflected in the "Last updated" date above. Customers may subscribe to change notifications by contacting privacy@trainmeuk.co.uk.
6. Security and due diligence
We select subprocessors that provide appropriate security assurances for the services they provide. Key platform providers (Microsoft Azure, Microsoft 365) maintain ISO 27001 and/or SOC 2 certifications.
Data processing terms and security obligations are imposed through vendor agreements and, where applicable, Microsoft's Data Protection Addendum and subprocessor terms.
Contact
Questions about subprocessors or data protection:
Email: privacy@trainmeuk.co.uk
DPO: dpo@trainmeuk.co.uk
Address: TrainMeUK Ltd, 8 George Myers Close, Ash, Guildford, Surrey, GU12 6FW
Company number: 16997573
Need Help?
If you have any questions about this policy or our practices, please don't hesitate to contact us.