Sub-Processors
Last updated: 21 April 2026
Instance Labs Ltd engages the sub-processors listed below to operate CDK Insights and Last Command. Each acts under the direction of Instance Labs (the controller for our own marketing data and the processor for customer-supplied data) and is bound by a data processing agreement that meets UK GDPR Article 28 requirements.
Change-notification commitment
We will give at least 30 days' notice of material sub-processor additions or changes via email to the primary account holder. During that notice period, you may object in writing to privacy@instancelabs.dev; unresolved objections give you a right to terminate the affected subscription with a pro-rata refund of any prepaid fees.
Current sub-processors
Amazon Web Services
- Legal entity:
- Amazon Web Services EMEA SARL
- Purpose:
- Cloud hosting, authentication (Cognito), database (DynamoDB), AI processing (Bedrock), transactional email (SES), object storage (S3), event bus (EventBridge).
- Data categories:
- All customer data at rest and in transit (encrypted), authentication identifiers, transactional email content.
- Processing region:
- EU-West-2 (London), eu-west-2
- Products:
- CDK Insights, Last Command
- Safeguards:
- GDPR Data Processing Addendum in place. Data primarily processed in the United Kingdom.
- Privacy policy:
- https://aws.amazon.com/compliance/gdpr-center/
Stripe
- Legal entity:
- Stripe, Inc.
- Purpose:
- Payment processing, subscription billing, invoicing.
- Data categories:
- Customer name, email, billing address, payment method metadata (we never receive full card details).
- Processing region:
- United States
- Products:
- CDK Insights, Last Command
- Safeguards:
- Standard Contractual Clauses (UK IDTA / EU SCCs). Stripe acts as an independent data controller for payment data.
- Privacy policy:
- https://stripe.com/gb/privacy
Sentry
- Legal entity:
- Functional Software, Inc.
- Purpose:
- Application error tracking and performance monitoring.
- Data categories:
- Error context (URL, user agent, stack traces) and, for authenticated requests, the user's internal identifier. Request bodies and email addresses are scrubbed before leaving our infrastructure.
- Processing region:
- United States
- Products:
- CDK Insights, Last Command
- Safeguards:
- Standard Contractual Clauses in place.
- Privacy policy:
- https://sentry.io/privacy/
Google Analytics
- Legal entity:
- Google Ireland Ltd / Google LLC
- Purpose:
- Anonymous usage analytics on our marketing sites.
- Data categories:
- Pseudonymous device identifiers, page views, session data. IP addresses are anonymised. Only loaded where the visitor has granted analytics consent.
- Processing region:
- European Union / United States
- Products:
- CDK Insights (enabled), Last Command (gated on consent)
- Safeguards:
- Standard Contractual Clauses. Consent Mode v2 enforced — all measurement signals default to denied until consent is granted.
- Privacy policy:
- https://policies.google.com/privacy
AI Model Providers (CDK Insights)
- Legal entity:
- Providers of large-language-model APIs used by the analysis pipeline.
- Purpose:
- Processing of CDK source code snippets submitted for analysis.
- Data categories:
- CDK code content and metadata submitted for analysis; not retained by the provider beyond the request duration per our data-processing agreements.
- Processing region:
- Varies by provider; United States for the primary model.
- Products:
- CDK Insights only
- Safeguards:
- Data Processing Agreements with each provider disable training on our traffic and enforce zero-retention where supported.
Questions
Send data-protection enquiries to privacy@instancelabs.dev. Per-product data-protection contacts are also listed on the relevant product's privacy policy.