

Subprocessors
Last updated: 29/06/2026
Caterlytix uses trusted third-party providers to support the delivery, operation, security, and maintenance of Trac.
This page provides information about the third-party subprocessors and service providers used by Caterlytix Ltd in connection with the Trac platform.
Trac is a secure cloud-based integration and interoperability platform that enables the controlled exchange, validation, transformation, and synchronisation of operational data between authorised systems.
This page should be read alongside our:
- Privacy Notice
- Data Processing Addendum
- Security Overview
- Integration Partner Terms
- API Terms
1. What is a Sub-processor?
A subprocessor is a third-party organisation engaged by Caterlytix to process personal data on behalf of Caterlytix where Caterlytix is acting as a processor or subprocessor.
Not every third-party system connected to Trac is a subprocessor of Caterlytix. Some third-party systems are independent controllers, processors appointed directly by the customer, or integration partners operating under their own contractual relationship with the relevant school, trust, caterer, or organisation.
2. Scope of this page
The subprocessors and system service providers listed below may process personal data where required to provide, operate, support, secure, monitor, maintain, or improve the Trac platform and associated integration services.
Trac supports a broad range of integration capabilities through its API and connected services. Depending on the configuration of the relevant integration, the platform may process data relating to organisations, users, pupils, staff, contacts, entitlements, dietary information, transactions, payments, products, orders, finance, reporting, audit activity, technical events, and other operational data made available through the Trac API.
The specific scope of personal data processed for any customer, integration partner, or connected system will be limited to the agreed purpose and shall be documented in the applicable Data Processing Addendum, Integration Specification, Schedule of Works, customer agreement, or other relevant contractual documentation.
Not every Trac integration uses every data category or API endpoint. Data access is configured according to the authorised integration scope, customer instructions, technical requirements, and applicable third-party system permissions.
The categories of personal data processed may include, where applicable and authorised:
- organisation, school, trust, site, and catering location data
- pupil, staff, user, customer, parent, guardian, and authorised contact information
- relationship, parental responsibility, priority contact, and communication details
- year, registration, class, house, group, and other organisational structure data
- Targeted Free School Meals eligibility and Extended Free School Meals eligibility
- dietary preferences, allergens, and other catering-related requirements, where authorised
- meal ordering, menu, product, service, and fulfilment data
- point of sale, online payment, balance, transaction, and reconciliation data, where expressly within scope
- finance, billing, reporting, and operational management data
- administrator, staff, support, and business contact details
- API logs, audit logs, error logs, diagnostic logs, synchronisation records, authentication identifiers, and system event logs
Payment card information and banking information are not processed as part of the standard MIS integration unless expressly documented within the applicable Data Processing Addendum, Integration Specification, Schedule of Works, or other agreed contractual documentation.
3. Current Trac subprocessors and system service providers
4. Integration partners and connected systems
Trac may integrate with third-party systems such as MIS platforms, EPOS systems, payment systems, finance platforms, catering systems, kitchen management systems, and reporting tools.
These connected systems may include organisations listed on the Caterlytix partners page.
Integration partners and connected systems are not automatically subprocessors of Caterlytix. Their role will depend on the applicable data flow and contractual relationship. They may act as:
independent controllers
processors appointed directly by the customer
subprocessors appointed by a customer’s processor
integration partners operating under their own agreement with the customer
subprocessors of Caterlytix, where expressly appointed by Caterlytix to process personal data on its behalf
Where a connected system processes personal data under the control or instruction of a school, trust, caterer, or other customer, the customer remains responsible for ensuring that the appropriate lawful basis, authorisation, and contractual arrangements are in place.
5. Customer-authorised integrations
Certain integrations are enabled only where authorised by the relevant customer or data controller.
Depending on the integration, data may be exchanged with systems such as:
- Management Information Systems
- EPOS systems
- online payment systems
- finance systems
- catering management platforms
- meal ordering platforms
- data platforms and reporting tools
The scope of data shared through each integration is limited to the agreed purpose and the data fields required to deliver the relevant service.
6. International transfers
Where personal data is transferred outside the United Kingdom or European Economic Area, Caterlytix will ensure that appropriate safeguards are in place. These may include:
- an adequacy decision
- Standard Contractual Clauses
- the UK International Data Transfer Addendum
- the UK International Data Transfer Agreement
- equivalent contractual protections required by applicable data protection law
7. Security and confidentiality
Caterlytix requires subprocessors to implement appropriate technical and organisational measures to protect personal data.
These measures may include, where appropriate:
- encryption in transit
- encryption at rest
- access controls
- least privilege access
- logging and monitoring
- secure credential management
- confidentiality obligations
- incident response procedures
- vulnerability management
- backup and resilience controls
8. Changes to subprocessors
Caterlytix may update this page from time to time as its platform, infrastructure, systems, and services develop.
Where required under an applicable Data Processing Agreement, Caterlytix will provide notice of material changes to subprocessors and give customers or integration partners the opportunity to object in accordance with the relevant agreement
9. Contact
Questions about Caterlytix subprocessors can be directed to:
Caterlytix Ltd
Spaceworks
Benton Park Road
Newcastle upon Tyne
England
NE7 7LX