Sub-processors List

Last updated: September 6, 2025

Comprehensive third-party service provider transparency and governance framework

Sub-processor Governance and Risk Management Framework

This comprehensive disclosure provides transparency regarding third-party service providers engaged to support our platform operations and business activities. All sub-processors undergo rigorous security assessments and compliance verification, and are bound by contractual obligations meeting or exceeding our own data protection commitments while supporting essential business operations and service delivery requirements.

1. Sub-processor Selection and Comprehensive Governance Framework

Our sub-processor engagement follows comprehensive evaluation criteria, ongoing management procedures, and business continuity requirements:

  • Extensive due diligence including security assessments, compliance verification, financial stability evaluation, and operational capability analysis
  • Comprehensive data processing agreements incorporating Article 28 UK GDPR requirements, enhanced protection standards, and business operational safeguards
  • Continuous monitoring, periodic review of security posture, compliance status, operational performance, and business relationship management
  • Regular audit procedures, certification verification, and ongoing compliance assessment to ensure contractual obligations and business requirements are met
  • Incident response coordination, security breach notification procedures, and business continuity planning
  • Performance monitoring, service level agreement enforcement, escalation procedures, and relationship optimization
  • Business risk assessment, vendor management, and strategic partnership evaluation for operational sustainability

2. Change Management and Business-Focused Notification Procedures

Sub-processor modifications follow structured notification and evaluation processes designed to protect business interests:

  • Standard thirty (30) days advance written notification for routine sub-processor changes via registered account email addresses and official communication channels
  • Comprehensive information provision including security assessments, compliance documentation, processing scope details, and business impact analysis
  • Formal objection mechanisms allowing customers to raise concerns regarding proposed changes within specified timeframes and with reasonable justification
  • Alternative arrangement consultation for customers with legitimate objections, subject to technical feasibility and commercial viability
  • Service modification or termination rights where objections cannot be resolved through operational or technical alternatives
  • Emergency sub-processor engagement procedures for critical security incidents, business continuity, or operational requirements with expedited notification protocols
  • Business necessity sub-processor changes may proceed regardless of customer objections where required for operational continuity, legal compliance, or security purposes

3. Current Sub-processor Infrastructure and Service Providers

The following entities provide essential infrastructure, operational support services, and business capabilities:

DigitalOcean LLC

Primary cloud infrastructure platform providing comprehensive hosting, computational services, and scalable infrastructure solutions

Critical Infrastructure

Geographic Locations: Netherlands (AMS3), Germany (FRA1), United Kingdom (LON1), United States (NYC1, SFO3)

Processing Activities: Application hosting, data storage, computational processing, network infrastructure, content delivery

Data Categories: Customer account data, monitoring configurations, application logs, system metadata, performance analytics

Security Certifications: SOC 2 Type II, ISO 27001, PCI DSS Level 1, GDPR compliance framework

Transfer Safeguards: EU hosting with enhanced GDPR compliance, Standard Contractual Clauses for global operations

Business Justification: Essential for service delivery, operational scalability, and performance optimization

Contact Information: digitalocean.com/legal/privacy-policy

MongoDB Inc.

Advanced database services providing scalable document storage, analytics capabilities, and high-performance data management

Database Services

Geographic Locations: Ireland (EU-WEST-1), Netherlands (EU-CENTRAL-1), Germany (EU-NORTH-1), United Kingdom (EU-WEST-2)

Processing Activities: Document storage, data indexing, backup management, performance optimization, analytics processing

Data Categories: Monitoring archives, extracted content, historical data, analytical metadata, performance metrics

Security Framework: SOC 2 Type II, ISO 27001, encryption at rest and in transit, advanced access controls

Compliance Standards: GDPR, HIPAA, PCI DSS with comprehensive audit trails and monitoring

Business Necessity: Critical for data storage, analytics, and service performance optimization

Legal Framework: mongodb.com/legal/privacy-policy

Redis Ltd.

High-performance caching and queue management services essential for operational efficiency and service responsiveness

Performance Optimization

Service Locations: Germany (AWS Frankfurt), Ireland (AWS Ireland), United Kingdom (AWS London)

Processing Functions: Queue management, session caching, performance optimization, temporary data storage, real-time analytics

Data Handling: Job queues, session data, temporary caching, performance metrics, operational analytics

Security Controls: TLS encryption, access controls, automatic expiration policies, audit logging

Data Residency: EU-based processing with limited retention periods and data minimization

Operational Necessity: Essential for service performance, user experience, and system reliability

Documentation: redis.com/legal/privacy-policy

Stripe Inc.

Comprehensive payment processing and financial transaction management services essential for business operations

Financial Services

Operation Centers: Ireland (EU operations), United Kingdom (UK operations), United States (global processing)

Financial Processing: Payment processing, subscription management, fraud prevention, financial reporting, compliance monitoring

Data Types: Payment information, billing addresses, transaction histories, fraud detection metadata, financial analytics

Compliance Framework: PCI DSS Level 1, SOC 2 Type II, ISO 27001, comprehensive financial regulations

Transfer Mechanisms: EU-US Data Privacy Framework, Standard Contractual Clauses, adequacy decisions

Business Criticality: Essential for revenue processing, subscription management, and financial compliance

Regulatory Information: stripe.com/privacy

Postmark (Wildbit LLC)

Professional email delivery services and transactional communication systems critical for customer engagement

Communications

Service Regions: United States (primary), Global delivery network with EU infrastructure

Communication Functions: Transactional emails, notification delivery, bounce management, delivery optimization, engagement tracking

Data Processing: Email addresses, notification content, delivery analytics, engagement metrics, communication preferences

Security Measures: TLS encryption, DKIM signing, reputation management, spam protection

Retention Policies: Extended retention for business operations with automatic purging procedures

Business Justification: Essential for customer communication, notifications, and service delivery

Legal Framework: postmarkapp.com/privacy-policy

Sentry (Functional Software Inc.)

Advanced application performance monitoring and error tracking services essential for service reliability and optimization

Performance Monitoring

Processing Locations: United States (primary), European Union (data residency options), global monitoring infrastructure

Monitoring Activities: Error tracking, performance monitoring, system diagnostics, usage analytics, reliability metrics

Data Collection: Application errors, performance metrics, system diagnostics, user interaction data (configured anonymization)

Privacy Controls: Configurable data scrubbing, anonymization, access controls, retention management

Security Standards: SOC 2 compliance, data encryption, retention limits, access monitoring

Operational Necessity: Critical for service reliability, performance optimization, and issue resolution

Privacy Documentation: sentry.io/privacy

Professional Services Providers

Specialized legal, accounting, consulting, and business advisory services under strict confidentiality and professional privilege

Professional Services

Service Categories: Legal counsel, accounting services, business consulting, regulatory compliance, strategic advisory

Data Access: Strictly limited to specific engagements under professional privilege, confidentiality, and need-to-know basis

Geographic Scope: United Kingdom, European Union, selected international jurisdictions as required

Confidentiality Framework: Professional privilege, attorney-client privilege, comprehensive confidentiality agreements

Data Minimization: Strict need-to-know basis, limited retention, secure destruction, professional standards

Business Necessity: Essential for legal compliance, business operations, and strategic development

Regulatory Oversight: Professional body regulation, ethical standards, ongoing compliance monitoring

Security Service Providers

Specialized cybersecurity, threat detection, and security monitoring services essential for infrastructure protection

Security Services

Service Categories: Threat monitoring, incident response, vulnerability assessment, security consulting, compliance auditing

Data Processing: Security logs, threat intelligence, incident data, vulnerability reports, compliance documentation

Geographic Operations: United Kingdom, European Union, United States, global threat monitoring networks

Security Standards: ISO 27001, SOC 2, industry-specific certifications, government security clearances

Business Criticality: Essential for infrastructure protection, threat prevention, and regulatory compliance

Confidentiality Measures: Enhanced confidentiality agreements, security clearance requirements, strict access controls

Oversight Framework: Regular security audits, compliance verification, performance monitoring

4. Comprehensive Data Protection Safeguards and Business Protections

All sub-processor relationships incorporate multiple layers of contractual, technical, and business protection mechanisms:

Enhanced Contractual Protections

  • Comprehensive Data Processing Agreements (Article 28 UK GDPR) with enhanced business protections
  • Standard Contractual Clauses for international transfers with supplementary business safeguards
  • Enhanced confidentiality and security obligations with business continuity provisions
  • Data subject rights assistance commitments balanced with operational requirements
  • Comprehensive breach notification and incident response procedures with business impact considerations
  • Service level agreements with business continuity and performance guarantees

Advanced Technical Safeguards

  • Advanced encryption in transit and at rest with key management systems
  • Granular access controls and comprehensive authentication systems
  • Continuous security monitoring, alerting, and incident response capabilities
  • Regular security assessments, penetration testing, and vulnerability management
  • Advanced incident response and forensic investigation capabilities
  • Business continuity planning with disaster recovery and failover systems

Compliance and Governance Standards

  • Industry certifications (SOC 2, ISO 27001, PCI DSS) with ongoing compliance monitoring
  • Regular third-party security audits and assessments with business impact analysis
  • GDPR compliance verification and ongoing monitoring with business risk assessment
  • Data localization requirements where applicable with business flexibility
  • Continuous compliance monitoring and reporting with business performance metrics
  • Regulatory compliance management with business operational considerations

Business Operational Governance

  • Purpose limitation and data minimization principles balanced with business needs
  • Defined retention and secure deletion procedures with business retention requirements
  • Audit rights and compliance verification mechanisms with business confidentiality protections
  • Termination and data return/destruction obligations with business transition planning
  • Performance monitoring and service level enforcement with business continuity planning
  • Strategic partnership management with long-term business relationship planning

5. International Data Transfer Compliance and Business Framework

For sub-processors operating outside the UK/EU, we implement comprehensive transfer safeguards while maintaining business operational flexibility:

5.1 Transfer Mechanism Selection and Business Considerations

| Destination Region | Primary Transfer Mechanism | Business Safeguards | Monitoring Procedures |
|---|---|---|---|
| European Economic Area | Adequacy (free flow) | GDPR compliance, enhanced business protections | Ongoing compliance and business performance monitoring |
| United States | EU-US DPF / Standard Contractual Clauses | Certification verification, enhanced business contractual protections | Regular certification review, legal assessment, business impact monitoring |
| Other Jurisdictions | Standard Contractual Clauses | Enhanced measures, local law assessment, business risk mitigation | Transfer impact assessment, continuous review, business continuity planning |

5.2 Transfer Impact Assessment and Business Enhancement

  • Comprehensive assessment of destination country legislation affecting data protection, access rights, and business operations
  • Implementation of supplementary measures where transfer risk assessments indicate additional protection requirements for business continuity
  • Regular monitoring of legal and regulatory developments in destination countries with business impact analysis
  • Contractual enhancement and technical safeguard implementation based on evolving risk assessments and business requirements
  • Business continuity planning for potential transfer mechanism changes or regulatory developments

6. Ongoing Monitoring and Comprehensive Compliance Verification

We maintain continuous oversight of sub-processor compliance, performance, and business relationship management:

6.1 Performance and Security Monitoring with Business Focus

  • Annual comprehensive security and compliance assessments including on-site evaluations where applicable and business performance review
  • Continuous monitoring of security certifications, audit reports, compliance documentation, and business service levels
  • Regular review of incident reports, security events, and breach notifications with business impact assessment and continuity planning
  • Periodic evaluation of data processing activities, security controls, operational procedures, and business performance metrics
  • Quarterly business continuity and disaster recovery capability assessments with service level verification
  • Strategic business relationship review and partnership optimization for long-term operational sustainability

6.2 Compliance Documentation and Business Reporting

  • Maintenance of comprehensive sub-processor compliance files including contracts, certifications, assessment reports, and business performance documentation
  • Regular documentation updates reflecting changes in processing activities, security measures, compliance status, and business relationship evolution
  • Annual sub-processor risk assessment reports with business continuity planning and relationship optimization recommendations
  • Customer-accessible compliance summaries and certification verification upon reasonable request with business confidentiality protections
  • Business impact analysis for sub-processor changes with risk mitigation and continuity planning

7. Customer Rights and Control Mechanisms with Business Considerations

Customers maintain rights regarding sub-processor arrangements, balanced with business operational requirements:

7.1 Information and Objection Rights with Business Limitations

  • Information Access: Right to receive detailed information about sub-processor data processing activities and security measures, subject to business confidentiality requirements
  • Objection Procedures: Formal objection mechanisms for proposed sub-processor changes with detailed evaluation and response procedures, subject to business operational requirements
  • Alternative Arrangements: Consultation on alternative processing arrangements where legitimate objections can be accommodated without significant business impact
  • Service Modification Rights: Service modification or termination options where sub-processor objections cannot be resolved through operational alternatives, subject to business continuity requirements

7.2 Audit and Verification Rights with Business Protections

  • Access to relevant sub-processor compliance documentation and security assessment reports, subject to confidentiality and business protection requirements
  • Rights to review sub-processor data processing agreement summaries and security obligation overviews with business confidentiality protections
  • Audit coordination for customer-initiated sub-processor assessments with reasonable advance notice and business operational constraints
  • Independent verification of sub-processor compliance through recognized third-party assessment organizations with business confidentiality safeguards

8. Emergency and Business Continuity Sub-processor Arrangements

Critical business continuity situations may require expedited sub-processor engagement for operational sustainability:

  • Emergency sub-processor engagement for security incidents, natural disasters, critical infrastructure failures, or business continuity requirements
  • Expedited notification procedures with shortened notice periods (minimum 7 days where operationally feasible) for business critical situations
  • Enhanced security requirements and monitoring for emergency sub-processor arrangements with business risk assessment
  • Retroactive documentation and customer notification with detailed justification for emergency engagement and business necessity
  • Customer objection rights maintained with accelerated review and response procedures, subject to business operational requirements
  • Business continuity sub-processor arrangements may proceed regardless of objections where essential for service delivery and operational sustainability

9. Contact Information and Change Management

For sub-processor related inquiries and notification management:

Sub-processor Inquiries

  • Legal Team: [email protected]
  • Privacy Team: [email protected]
  • Subject Format: "Sub-processor Inquiry - [Specific Topic] - [Business Impact]"
  • Response Timeline: 5-30 business days depending on inquiry complexity and business operational requirements

Notification Management

  • Notification Channel: Registered account email address and official communication channels
  • Standard Notice Period: 30 days for routine changes, subject to business operational requirements
  • Emergency Procedures: Expedited notification within 7 days for business critical situations
  • Documentation Access: Annual comprehensive reports available upon request with business confidentiality protections

10. Legal Framework and Comprehensive Compliance Integration

Sub-processor arrangements integrate with our comprehensive legal, compliance, and business operational framework:

  • Full integration with our Data Processing Agreement, privacy policy obligations, and business operational requirements
  • Compliance with UK GDPR, EU GDPR, applicable international data protection legislation, and business regulatory requirements
  • Alignment with industry-specific regulations, professional standards, and business operational standards where applicable
  • Coordination with regulatory authorities and supervisory body requirements while protecting business interests
  • Integration with our incident response, breach notification procedures, and business continuity planning
  • Business risk management and operational sustainability integrated with compliance and data protection requirements

Transparency and Business Excellence Commitment

We maintain this comprehensive sub-processor disclosure to ensure transparency while protecting the confidentiality of our business relationships and operational requirements. Our sub-processor management framework prioritizes customer data protection while enabling operational excellence, service reliability, and business sustainability for long-term success.