Subprocessors List

Last updated: Oct 17, 2025

This page lists the third-party subprocessors engaged by Haxo Labs Ltd (trading as boafuo) (“we”, “us”, or “our”) to help deliver and support the boafuo platform and related services.
Each subprocessor has been assessed for compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Ghana Data Protection Act, 2012 (Act 843).
All subprocessors are bound by written agreements providing equivalent data protection, confidentiality, and security standards as required under our Data Processing Addendum (DPA).

  1. CORE PLATFORM INFRASTRUCTURE
    Amazon Web Services (AWS)
    Purpose: Cloud hosting, storage, and compute infrastructure for boafuo application and databases.
    Data processed: Customer and client data stored within the boafuo system, including messages, metadata, and order information.
    Location: United Kingdom and European data centres (with possible redundancy in the EU).
    Safeguards: UK GDPR and EU SCCs.


  2. WHATSAPP BUSINESS SOLUTION PROVIDER (META PLATFORMS, INC.)
    Purpose: Message delivery, encryption, and routing between boafuo and users via WhatsApp.
    Data processed: Message metadata, contact identifiers, and message content necessary for delivery.
    Location: Data routed through WhatsApp’s distributed infrastructure (EU and global).
    Safeguards: Meta’s UK GDPR-approved transfer mechanisms and Data Processing Terms.


  3. OPENAI, L.L.C.
    Purpose: AI-powered automation, text generation, and conversational analysis within boafuo.
    Data processed: User message text, prompts, and contextual data as needed for responses.
    Location: United States (with secure processing under SCCs and UK Addendum).
    Safeguards: UK Addendum to EU Standard Contractual Clauses; restricted model training (no reuse of data).


  4. GOOGLE LLC (GOOGLE ANALYTICS)
    Purpose: Website analytics for www.boafuo.com to measure traffic and performance.
    Data processed: Anonymised visitor IP addresses, device information, and site interaction metrics.
    Location: United States (under SCCs with UK Addendum).
    Safeguards: IP anonymisation and consent-based tracking only.


  5. SENDGRID (TWILIO INC.)
    Purpose: Transactional and system email delivery (e.g., confirmation, support, security notifications).
    Data processed: User names, email addresses, and message metadata.
    Location: United States (under SCCs with UK Addendum).
    Safeguards: Encrypted transport and restricted data retention.


  6. DEEL INC. (FOR BUSINESS CONTRACTS AND PAYMENTS)
    Purpose: Payroll and contract management for business engagements.
    Data processed: Staff or business contact details, invoice and payment information.
    Location: United States and EU.
    Safeguards: SCCs with UK Addendum; limited access.


  7. STRIPE PAYMENTS UK LTD
    Purpose: Payment processing for subscription or future paid plans.
    Data processed: Payment details, billing addresses, and limited transaction metadata.
    Location: United Kingdom, EU, and United States.
    Safeguards: FCA-regulated; PCI DSS compliant.


  8. INTERNAL SUBPROCESSORS (HAXO LABS LTD – GHANA BRANCH)
    Purpose: Local operational support, limited administrative processing of customer support data.
    Data processed: Support tickets and related communications.
    Location: Ghana (external branch under common ownership).
    Safeguards: Ghana Data Protection Act (Act 843) compliance; secure remote access.


  9. BACKUP AND MONITORING SERVICES
    Purpose: Data backup, monitoring, and performance logging.
    Providers: AWS CloudWatch, AWS Backup, and Sentry.
    Data processed: Application logs, performance metrics, error traces.
    Location: United Kingdom and European Economic Area.
    Safeguards: Encrypted and access-restricted; minimal personal data.

DATA TRANSFER MECHANISMS
All international data transfers outside the UK, EEA, or Ghana are protected by one or more of the following:

  • Standard Contractual Clauses (SCCs) and the UK Addendum (IDTA);

  • Adequacy decisions by the UK Government or European Commission; or

  • Binding Corporate Rules (where applicable).

UPDATES
We may add or replace subprocessors as needed. Material changes will be reflected here before the new subprocessor begins processing personal data.

CONTACT
For questions or objections regarding subprocessors, contact:
privacy@boafuo.com

This Data Processing Addendum (“DPA”) forms part of the Terms of Use or other written agreement between Haxo Labs Ltd (trading as boafuo) (“Processor”, “we”, “us”, or “our”) and the individual or business entity using boafuo (“Controller”, “you”, or “your”) (together, the “Parties”) that governs your use of boafuo’s products and services (“Agreement”).

This DPA ensures compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Ghana Data Protection Act, 2012 (Act 843) as applicable. It governs how we process personal data on your behalf when you use boafuo to manage your customers’ information.

By using boafuo, you automatically accept this DPA.

  1. DEFINITIONS
    “Data Protection Laws” means all applicable privacy and data protection laws, including the UK GDPR, the Data Protection Act 2018, the Ghana Data Protection Act, 2012 (Act 843), and any related guidance or codes of practice.
    “Personal Data” means any information relating to an identified or identifiable natural person processed under the Agreement.
    “Processing” means any operation performed on Personal Data, including collection, recording, storage, use, or deletion.
    “Subprocessor” means any third party engaged by Haxo Labs Ltd to process Personal Data on behalf of the Controller.
    “Standard Contractual Clauses (SCCs)” means the clauses approved by the UK Government or the European Commission for international transfers of personal data.


  2. ROLE OF THE PARTIES
    (a) You act as Data Controller with respect to any Personal Data relating to your own clients, staff, or end users that you enter into boafuo.
    (b) Haxo Labs Ltd acts as Data Processor in relation to that data and processes it only in accordance with your documented instructions.
    (c) For Personal Data collected directly by Haxo Labs for its own purposes (such as user accounts, analytics, and billing), Haxo Labs acts as an independent Controller.


  3. PURPOSE AND SCOPE OF PROCESSING
    We process Personal Data only for the following purposes:

  • to provide, operate, and maintain the boafuo platform and related services;

  • to store, transmit, and manage messages, client data, measurements, and photos on your behalf;

  • to implement automation, reminders, and AI-powered features;

  • to provide technical and customer support;

  • to ensure system security, integrity, and compliance with law; and

  • to improve and enhance the boafuo platform while protecting confidentiality.

We will not process Personal Data for any other purpose unless required by law or with your written consent.

  1. DATA SUBJECT TYPES AND CATEGORIES OF DATA
    The Personal Data processed may include the following:

  • Clients and customers of the Controller;

  • Names, phone numbers, addresses, email addresses, measurements, photos, order information, and other data entered by you;

  • Communications exchanged between tailors and clients through the boafuo WhatsApp assistant.

We do not intentionally collect or process special category data (such as health, religion, or political views).

  1. DURATION
    This DPA remains in force for the duration of the Agreement. Upon termination, we will delete or return all Personal Data as described in Section 10.


  2. CONTROLLER INSTRUCTIONS
    We will only process Personal Data following your written or electronic instructions, including those provided through boafuo’s interface. If we are required by law to process data without instruction, we will notify you unless prohibited by law.


  3. CONFIDENTIALITY AND PERSONNEL
    All persons authorised to process Personal Data on our behalf are subject to confidentiality obligations and receive appropriate data protection training.


  4. SECURITY MEASURES
    We implement appropriate technical and organisational measures to ensure the security of Personal Data, including but not limited to:

  • encryption of data in transit and at rest;

  • secure data centre storage using AWS or equivalent providers;

  • firewalls, intrusion detection, and access controls;

  • incident monitoring and vulnerability management;

  • regular backups and business continuity measures;

  • multi-factor authentication and role-based access control.
    Details of our security measures are available upon request.

  1. SUBPROCESSORS
    We may engage third parties to process Personal Data. Our current subprocessors are listed at www.boafuo.com/legal/subprocessors. We ensure all subprocessors are bound by written agreements providing equivalent protections to this DPA.
    We will notify you of any intended changes to subprocessors and allow you to object on reasonable grounds.


  2. DATA RETURN AND DELETION
    Upon termination of the Agreement or upon your request, we will delete or return all Personal Data, unless retention is required by law, for dispute resolution, or to maintain system integrity. Backup copies will be securely deleted within 90 days after termination.


  3. DATA BREACH NOTIFICATION
    If we become aware of a personal data breach affecting your data, we will notify you without undue delay, providing details of the breach, the likely impact, and the measures taken to mitigate it. We will cooperate fully with you and any regulatory authority to resolve the incident.


  4. AUDITS AND COMPLIANCE
    Upon reasonable notice and not more than once per year, you may request written evidence of our data protection compliance, such as audit summaries, certifications, or penetration testing reports. Independent on-site audits may be performed at your expense where legally required.


  5. INTERNATIONAL DATA TRANSFERS
    We may transfer Personal Data outside the UK or Ghana where necessary for service delivery. All transfers will be protected by approved mechanisms, including Standard Contractual Clauses (SCCs) with the UK Addendum (IDTA) or equivalent safeguards.


  6. ASSISTANCE TO CONTROLLER
    We will assist you, to the extent reasonably possible, in fulfilling your obligations to respond to data subject requests, conduct impact assessments, and consult with regulators under applicable law.


  7. LIABILITY
    Each Party’s liability under this DPA is subject to the limitations set out in the main Agreement. The Controller remains responsible for obtaining any necessary consents and ensuring the accuracy of the data provided.


  8. GOVERNING LAW AND JURISDICTION
    This DPA is governed by the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction, except that either Party may seek injunctive relief in any competent court to protect its confidential or personal data.


  9. MISCELLANEOUS
    If any provision of this DPA is held invalid or unenforceable, the remainder shall remain in full force. This DPA replaces any prior data protection addendum between the Parties.

CONTACT DETAILS
Haxo Labs Ltd (trading as boafuo)
4th Floor, Radius House, 51 Clarendon Road, Watford, Hertfordshire WD17 1HP, United Kingdom
Email: privacy@boafuo.com
Support: support@boafuo.com

By continuing to use boafuo, you agree that this DPA applies to all processing of personal data you conduct through the Service.