Sub-processor list
This page lists the third-party service providers (sub-processors) that COHO uses to help deliver the COHO platform. We use these sub-processors to process personal data on behalf of our customers, where our customers are data controllers and COHO is their data processor.
This list does not include third parties that act as independent controllers in their own right — for example, referencing providers, open banking providers, and payment institutions — which are listed separately under “Independent controllers” below.
Last updated: 12th May 2026
Effective date for the latest change: 12th May 2026
Current sub-processors
| Sub-processor | Purpose | Data categories | Hosting | Transfer mechanism |
|---|---|---|---|---|
| Amazon Web Services EMEA SARL | Cloud hosting, email delivery (SES), backups, monitoring | All platform data | UK | UK adequacy (Luxembourg contracting entity) |
| Twilio Inc. | SMS delivery | Mobile numbers, message content | US | Twilio Binding Corporate Rules (BCRs); EU SCCs + UK Addendum as fallback |
| Google Workspace (Google Ireland Ltd) | Internal email, calendar, storage; FastTrack onboarding staging in COHO-managed Drive | FastTrack import files, internal communications referencing customer data | EU | UK adequacy (Google Ireland Ltd as Workspace contracting entity); any sub-processing by Google LLC covered by UK Extension to EU-US DPF |
| Google LLC | Google Tag Manager, Google Analytics, Google Maps | IP address, browser data, page usage; map tile requests with address data | US | UK Extension to EU-US DPF (active until 13 Sep 2026) |
| Zoho Desk (Zoho Corporation B.V.) | Customer support ticketing (until Intercom migration completes) | Support correspondence, account contact details | EU | UK adequacy (Netherlands entity) |
| Intercom R&D Unlimited Company | Customer support ticketing (post-migration) | Support correspondence, account contact details | US | UK Extension to EU-US DPF (active until 14 Nov 2026) |
| Linear Orbit, Inc. | Engineering ticket management; carries Intercom conversation content into engineering tickets | Support correspondence excerpts | EU (some account metadata always in the US per Linear’s documentation) | EU SCCs + UK Addendum (per Linear’s published DPA) |
| India-based contractors (9 individuals) | FastTrack onboarding (data import); first-line customer support; operations and management oversight | Customer-uploaded data, support correspondence | India | International Data Transfer Agreement (IDTA) |
Notes on selected sub-processors
Amazon Web Services. COHO’s production infrastructure runs on AWS in the United Kingdom.
Twilio. Contracting entity is Twilio Inc., a US company. SMS messages are processed in Twilio’s United States infrastructure. Transfers governed by Twilio’s Binding Corporate Rules, with EU SCCs and the UK Addendum applying as a contractual fallback under Twilio’s published Data Protection Addendum. Onward carrier-network delivery of the SMS to the recipient’s mobile network is part of standard telecoms infrastructure and is not a separate sub-processor.
Google Workspace. COHO’s Google Workspace is configured to restrict covered data (Gmail, Drive, Calendar, Docs) to European infrastructure.
Google LLC. Google Tag Manager, Google Analytics, and Google Maps are loaded on customer-facing properties. Data shared with Google is limited to standard analytics events and map tile requests.
Intercom. Hosted in the United States. Transfers covered by Intercom’s active certification under the UK Extension to the EU-US Data Privacy Framework, with EU SCCs and the UK Addendum as a contractual fallback.
Linear. Linear is used by COHO’s engineering team for issue tracking. Linear is a sub-processor (rather than a tool processing only COHO’s own data) because the Intercom integration imports conversation content into engineering tickets, which can contain personal data uploaded by customers. The COHO workspace is configured to keep data in Europe. Some account-level metadata is always stored in the United States regardless of the selected region, per Linear’s documentation. Transfers are governed by Linear’s published DPA, which uses EU SCCs with the UK Addendum.
India-based contractors. COHO works with nine India-based contractors across FastTrack onboarding, first-line customer support, and operations. All transfers are covered by an executed International Data Transfer Agreement (IDTA) and a Transfer Risk Assessment that COHO reviews at least annually.
Independent controllers
The following third parties may receive personal data from a property manager through COHO’s platform, but they are independent controllers in their own right, not COHO’s sub-processors. The contractual relationship for each is between the property manager and the third party directly.
| Recipient | Purpose | Notes |
|---|---|---|
| Advanced Rent | Tenant referencing | Property manager initiates the referencing request and contracts with Advanced Rent directly. |
| Canopy | Tenant referencing | Property manager initiates the referencing request and contracts with Canopy directly. |
| Salt Edge | Open banking (AIS) | FCA-regulated AISP under the Payment Services Regulations 2017. Salt Edge processes the tenant’s bank data under its own privacy policy. |
| GoCardless | Direct Debit collection | Property manager holds their own GoCardless account; GoCardless is a regulated payment institution and processes data under its own privacy policy. |
Self-hosted tooling
The following tools handle customer personal data but are operated by COHO using software we run ourselves. They are not separate sub-processors:
- OpenReplay (session replay).
- Metabase (internal analytics).
Notice of changes
We publish changes to this list in advance of them taking effect, typically with at least 14 days’ notice. Please check this page periodically.
Other tools
For completeness, the following tools are used by COHO internally to manage our own business but do not process customer personal data on a controller’s behalf, and so are not sub-processors under Article 28: Xero (accounting), Notion (internal knowledge management), Discord (internal communications), Granola (internal meeting notes), Zoho CRM (sales pipeline). Where any of these tools incidentally hold information about a controller’s organisation (e.g. account contact details), they are governed by our Privacy Policy.
