Legal

Sub-Processors

Last Updated: 12 June 2026

1. Overview

This page lists the third parties that process personal data on behalf of FiqhEngine Ltd in the course of providing the Service. It is published in support of our obligations under GDPR Articles 13 and 28 and is referenced from our Privacy Policy.

Each sub-processor below has a written Data Processing Agreement in place, covers personal data only to the extent needed to deliver the function described, and is reviewed at least annually.

2. Infrastructure & Hosting

Vercel Inc. (Frontend Hosting & CDN)

Purpose:
Hosts the public website and the FiqhEngine web application; serves static assets through a global edge network.
Data processed:
IP addresses and standard HTTP request metadata (for delivery, caching, and abuse prevention). No application database content.
Location:
United States, with global edge caching.
Safeguards:
SOC 2 Type II; TLS 1.3 in transit; Standard Contractual Clauses for transfers outside the UK/EEA.

Railway Corp. (Backend Hosting & Managed PostgreSQL)

Purpose:
Runs the FiqhEngine API service and hosts the primary application database.
Data processed:
All application data (engagements, documents, fatwas, user accounts, encrypted OAuth tokens) — encrypted at rest.
Location:
United States (Railway runs on AWS infrastructure).
Safeguards:
SOC 2 Type II; AES-256-GCM at rest; TLS 1.3 in transit; automated daily backups with 30-day retention; Standard Contractual Clauses.

3. Email Delivery

Twilio SendGrid (Transactional & Notification Email)

Purpose:
Delivers transactional, notification, and (where you have opted in) marketing email on our behalf.
Data processed:
Recipient email address, sender name, subject and body of the message, basic delivery metadata (opens, bounces).
Location:
United States.
Safeguards:
SOC 2 Type II; ISO 27001; TLS encryption in transit; Standard Contractual Clauses; DPA available on request.

SendGrid is the only email provider in production. Alternative providers (Gmail API, Amazon SES, generic SMTP) are configurable in the codebase but are not currently active.

4. Optional Calendar & Contact Integrations

These integrations are only activated when an individual user explicitly connects the relevant account from within their profile. They can be disconnected at any time from the Calendar widget's Settings, which immediately revokes our access and deletes the stored tokens.

Google LLC (Google Calendar, Google People, OpenID)

Purpose:
Two-way sync of meetings, audits, and SSB sessions with the user's Google Calendar; optional read-only access to contacts for attendee suggestions; OpenID sign-in.
Data processed:
OAuth access and refresh tokens (encrypted), calendar events created or modified by the user within FiqhEngine, contact name and email when the user invites an attendee.
Location:
United States and other regions operated by Google.
Safeguards:
Our use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements (no advertising use, no training of generalised AI models, no transfer to third parties beyond what is necessary to deliver the feature).

Microsoft Corporation (Microsoft Graph — Calendar & Contacts)

Purpose:
Two-way sync of meetings with the user's Outlook / Microsoft 365 calendar; optional read-only access to contacts for attendee suggestions.
Data processed:
OAuth access and refresh tokens (encrypted), calendar events created or modified by the user within FiqhEngine, contact name and email when the user invites an attendee.
Location:
Determined by the user's Microsoft 365 tenant region.
Safeguards:
TLS in transit; Microsoft Online Services DPA; tokens stored encrypted (AES-256-GCM) in our database; user-initiated revocation at any time.

5. Authentication & Security

Two-factor authentication is implemented in-process using the open-source speakeasy (TOTP generation) and qrcode libraries. Neither transmits data to any external service. 2FA secrets are stored encrypted in our database and never leave our infrastructure.

6. Analytics & Tracking

FiqhEngine does not use Google Analytics, Mixpanel, advertising networks, social-media tracking pixels, or any third-party profiling service. Product usage telemetry is stored in our own database and used solely to operate and improve the Service.

7. Development & Operations

GitHub, Inc.

Purpose:
Source-code repository and CI/CD for the FiqhEngine application.
Data processed:
Source code and commit history. No customer data, production secrets, or personal data is stored in the repository.
Location:
United States.
Safeguards:
SOC 2 Type II; ISO 27001; access restricted to the development team via SSO and 2FA.

8. International Data Transfers

Where personal data is transferred outside the United Kingdom or the European Economic Area, we rely on Standard Contractual Clauses (SCCs) approved by the EU Commission and the UK International Data Transfer Addendum, supplemented by encryption in transit (TLS 1.3) and at rest (AES-256-GCM).

Sub-ProcessorDestinationTransfer Mechanism
VercelUSASCCs + UK IDTA
RailwayUSASCCs + UK IDTA
SendGrid (Twilio)USASCCs + UK IDTA
Google (optional)USA / GlobalSCCs (Google Cloud DPA)
Microsoft (optional)Tenant-dependentMicrosoft Online Services DPA
GitHubUSASCCs + UK IDTA

9. Changes to This List

We will update this page whenever we add, remove, or change a sub-processor. For material changes affecting how Customer Data is processed, we will provide reasonable advance notice by email to account administrators.

10. Contact

Questions about our sub-processors or DPA requests should be directed to our Data Protection Officer at dpo@fiqhengine.com.

FiqhEngine Ltd

128 City Road

London EC1V 2XN

United Kingdom