Legal

WAIA Subprocessor List

Third-party providers used to host, operate, support, secure and improve WAIA where they may process customer personal data.

Last updated: 27 May 2026 Version: 1.0

Nineteen Point Two uses selected third-party providers to provide, host, secure, support and operate WAIA.

Where these providers process Customer Personal Data on behalf of Nineteen Point Two, they are treated as subprocessors.

This list is maintained as the technical setup changes.

Current confirmed supplier posture

  • Lovable should be treated as an active WAIA subprocessor while WAIA is hosted and operated through Lovable Cloud or related Lovable services.
  • Lovable’s published terms describe Lovable Cloud as a managed hosting and back-end environment that may include database hosting, authentication, file/object storage and API endpoints, provisioned on third-party infrastructure currently identified as Supabase.
  • Supabase should be treated as a core infrastructure subprocessor in the WAIA chain because WAIA uses Supabase-backed authentication, database-backed tenancy, learner records, progress, certificates, organisation guidance and acknowledgements.
  • Where Supabase is provided through Lovable Cloud, Supabase can be described as part of Lovable’s underlying infrastructure/subprocessor chain. If Nineteen Point Two later controls a standalone Supabase project directly, Supabase should also be listed as Nineteen Point Two’s direct subprocessor.
  • Lovable and/or Supabase should be treated as the current transactional email route for WAIA account and invite emails, based on the current operational understanding.
  • Microsoft 365 and Google Workspace should be treated as business operations suppliers for correspondence, documents and administration.
  • Google Search Console is currently used for website search visibility/performance only. No Google Analytics, advertising pixel or behavioural analytics tool is currently known to be active.
  • OpenAI, Anthropic, Gemini or similar AI model providers are not active WAIA runtime subprocessors based on current evidence and should not receive learner personal data unless a future feature is documented and approved.

Providers not intended to receive learner personal data

Some tools may be used for internal content creation, code generation, planning or marketing without intentionally receiving Customer Personal Data.

Customer Personal Data should not be entered into these tools unless:

  • the tool is listed as an active subprocessor where required
  • a data processing agreement is in place
  • the processing purpose is documented
  • the customer has been informed where required
  • the feature or workflow has been approved internally

Subprocessor updates

Nineteen Point Two may update this list as providers are added, removed or replaced.

Where required by the Data Processing Agreement, customers will be given notice of material subprocessor changes and the opportunity to object on reasonable data protection grounds.

Contact

For subprocessor questions, contact ben@nineteenpointtwo.com.