INTRODUCTION
WHAT IS A SUBPROCESSOR?
Definition:
Key Characteristics:
- Data Processing: The subprocessor handles, stores, transmits, or otherwise processes user data
- On Our Behalf: Processing occurs as part of our service delivery, not for the subprocessor's own purposes
- Contractual Agreement: We maintain data processing agreements with all subprocessors
- Data Protection Obligations: Subprocessors must comply with applicable data protection laws and our security requirements
Examples:
- Cloud hosting providers that store user data
- Payment processors that handle financial transactions
- Email service providers that send transactional emails
- Analytics platforms that process usage data
WHY WE USE SUBPROCESSORS
Core Infrastructure:
- Cloud Hosting: Reliable, scalable infrastructure for our application
- Database Services: Secure storage and management of user data
- Content Delivery: Fast, global delivery of application assets
Payment Processing:
- Payment Gateway: Secure processing of subscription payments and payouts
- Banking Integration: Connection to users' bank accounts for financial data
- Fraud Detection: Protection against fraudulent transactions
Communication Services:
- Email Delivery: Transactional emails (account verification, notifications, etc.)
- SMS Services: Two-factor authentication and security alerts
- Push Notifications: Real-time app notifications
Analytics and Improvement:
- Usage Analytics: Understanding how users interact with our platform
- Error Tracking: Identifying and fixing technical issues
- Performance Monitoring: Ensuring fast, reliable service
Financial Data and Market Information:
- Stock Market Data: Real-time and historical stock prices
- Cryptocurrency Data: Crypto market information and prices
- Financial News: Market news and analysis
AI and Machine Learning:
- AI Assistant: Powering our conversational AI features
- Natural Language Processing: Understanding user queries and intent
GDPR REQUIREMENTS
Maintain Current List:
- Keep an up-to-date list of all subprocessors
- Make this list available to data subjects (users)
- Update the list when subprocessors are added or removed
Contractual Obligations:
- Enter into written data processing agreements with all subprocessors
- Ensure subprocessors provide sufficient guarantees of GDPR compliance
- Impose the same data protection obligations on subprocessors that apply to us
Notification Requirements:
- Inform users of intended changes to subprocessors
- Provide opportunity to object to new subprocessors
- Allow users to terminate services if they object (where feasible)
Liability:
- We remain fully liable for subprocessor data protection compliance
- Users can hold us accountable for subprocessor violations
DATA PROTECTION SAFEGUARDS
Contractual Protections:
- Written agreements governing data processing activities
- Compliance with GDPR, CCPA, and applicable laws
- Restrictions on data use, retention, and sharing
- Requirements for data security measures
- For transfers to countries outside the EU/EEA
- EU Commission-approved contractual terms
- Legal mechanism for lawful international data transfers
Technical and Organizational Measures:
- Encryption of data in transit (TLS 1.3 or higher)
- Encryption of data at rest (AES-256 or equivalent)
- Access controls and authentication
- Regular security audits and penetration testing
- Incident response and breach notification procedures
- Subprocessors only receive data necessary for their specific function
- No excessive or unnecessary data sharing
- Subprocessors must delete or return data upon contract termination
- Compliance with our data retention schedules
Compliance Certifications:
- ISO 27001: Information security management
- SOC 2 Type II: Security, availability, and confidentiality controls
- PCI DSS: Payment card industry data security (for payment processors)
- GDPR Compliance: Self-certification or third-party audit
- Privacy Shield Successor Programs: For US-based processors handling EU data
SUBPROCESSOR NOTIFICATION AND CONSENT
How We Notify Users:
- 30-day advance notice via email to registered users
- Notice posted on this page with effective date
- Description of subprocessor, services provided, and data processed
- This List is updated whenever subprocessors are added or removed
- Version number and last updated date displayed at top of document
- Email notification for material changes
Your Right to Object:
- Contact us at [email protected] within 30 days of notification
- Explain your objection and concerns
- We will work with you to address concerns or offer alternatives
- If we cannot resolve objections, you may terminate your account without penalty
- Some subprocessors are essential for core service delivery (e.g., cloud hosting, payment processing)
- Objection to essential subprocessors may require service termination
- We will clearly indicate which subprocessors are essential
ACTIVE SUBPROCESSORS
Comprehensive Subprocessor Table
Detailed Subprocessor Information
7.1 STRIPE, INC.
- Payment processing for subscription payments (Premium, Enterprise plans)
- Stripe Connect for user payouts (referral commissions, withdrawal processing)
- Fraud detection and prevention using Stripe Radar
- Tax compliance and reporting (Form 1099-K, 1099-NEC)
- Identity verification for KYC/AML compliance
- Subscription billing lifecycle management
- Primary: United States (California data centers)
- EU users: Ireland (eu-west-1) with data residency guarantees
- Encrypted backups in multiple US and EU regions
- Name, email address, phone number
- Billing address and shipping address
- Payment method information (credit card last 4 digits, bank account routing/account numbers)
- Transaction history and payment status
- Tax identification numbers (SSN, EIN) for payout recipients
- Identity verification documents (driver's license, passport) for Connected Accounts
- IP address and device information for fraud detection
- Standard Contractual Clauses (SCCs) for EU-to-US data transfers
- EU-US Data Privacy Framework certification
- Adequacy Decision for Ireland-based operations (EU entity)
- End-to-end encryption (TLS 1.3 in transit, AES-256 at rest)
- PCI DSS compliant tokenization for payment data
- PCI DSS Level 1 (highest level of payment security)
- SOC 2 Type II (security, availability, confidentiality)
- ISO 27001 (information security management)
- GDPR compliant with dedicated EU infrastructure
- In transit: TLS 1.3 with Perfect Forward Secrecy
- At rest: AES-256-GCM encryption for all stored data
- Payment card data: PCI DSS compliant tokenization (never stored in raw form)
- Active payment methods: Duration of customer relationship + 7 years (tax/legal requirements)
- Transaction records: 7 years (financial regulations)
- Identity verification documents: As required by law
- Full details: Stripe Data Retention
7.2 PLAID, INC.
- Linking user bank accounts to XPlus Finance
- Retrieving transaction history and account balances
- Bank account verification for payouts
- Income and employment verification (if used)
- Bank account credentials (encrypted, not accessible to XPlus Finance)
- Account numbers and routing numbers
- Transaction history
- Account balances
- Account holder names
- SOC 2 Type II certified
- ISO 27001 certified
- Bank-level 256-bit encryption
- GDPR compliant
- Standard Contractual Clauses for EU data transfers
7.3 OPENAI, L.L.C.
- ChatGPT-based financial assistant
- Natural language understanding and generation
- Financial guidance and educational content
- Query interpretation and response generation
- User queries and conversation history
- User preferences and settings
- Anonymized usage patterns
- No financial credentials or sensitive financial data
- SOC 2 Type II certified
- Data encryption in transit and at rest
- GDPR compliant
- Data retention limited to 30 days (API data)
- Zero-data retention option available
7.4 ONESIGNAL, INC.
- Push notification delivery to iOS, Android, and web
- Notification scheduling and targeting
- Delivery analytics and reporting
- User engagement tracking
- Device tokens and identifiers
- User ID (internal identifier, not PII)
- Notification preferences
- Engagement data (opened, clicked, dismissed)
- IP address and location (city-level)
- SOC 2 Type II certified
- GDPR compliant
- Standard Contractual Clauses for EU data transfers
- Data encryption in transit
- Privacy Shield certified (for pre-2020 transfers)
7.5 MAILGUN TECHNOLOGIES, INC. (Sinch)
- Email sending infrastructure
- Email deliverability optimization
- Email analytics (open rates, click rates)
- Bounce and complaint handling
- Email addresses
- Names
- Email content (transactional emails only)
- Delivery and engagement metrics
- IP addresses
- SOC 2 Type II certified
- GDPR compliant
- Standard Contractual Clauses for EU data transfers
- TLS encryption for email transmission
- ISO 27001 certified
7.6 TWILIO, INC.
- SMS delivery for 2FA codes
- Security alert notifications
- Account verification messages
- Delivery status tracking
- Phone numbers
- SMS message content (verification codes, alerts)
- Delivery status
- User ID (internal identifier)
- SOC 2 Type II certified
- ISO 27001 certified
- GDPR compliant
- Standard Contractual Clauses for EU data transfers
- HIPAA compliant (for applicable services)
7.7 AMAZON WEB SERVICES, INC. (AWS)
- Application hosting (EC2, ECS, Lambda)
- Database services (RDS, DynamoDB)
- Object storage (S3)
- Content Delivery Network (CloudFront)
- Load balancing and auto-scaling
- Backup and disaster recovery
- All user data stored on XPlus Finance platform
- Application databases
- File uploads and documents
- Backup copies of data
- System logs
- ISO 27001, 27017, 27018 certified
- SOC 1, 2, and 3 certified
- PCI DSS Level 1 certified
- GDPR compliant
- Standard Contractual Clauses for international transfers
- Data residency controls (EU data stored in EU)
- Encryption at rest (AES-256) and in transit (TLS 1.3)
7.8 CLICKHOUSE CLOUD (ClickHouse, Inc.)
- High-performance analytics queries
- User behavior analysis
- Aggregated reporting and dashboards
- Real-time analytics processing
- Anonymized user identifiers
- Usage events and interactions
- Session data
- Performance metrics
- Aggregated financial data (no individual transaction details)
- SOC 2 Type II certified
- ISO 27001 certified
- GDPR compliant
- Encryption at rest and in transit
- Standard Contractual Clauses for EU data transfers
7.9 REDIS LABS (Redis, Inc.)
- Session storage and management
- Application caching for performance
- Real-time data processing
- Rate limiting and API throttling
- Session tokens and identifiers
- Cached application data (temporary)
- User preferences (temporary cache)
- API rate limit counters
- SOC 2 Type II certified (Redis Cloud)
- Encryption in transit (TLS)
- Encryption at rest (if using Redis Cloud)
- GDPR compliant
- Standard Contractual Clauses for EU data transfers
7.10 SENTRY (Functional Software, Inc.)
- Application error logging and alerts
- Performance monitoring and profiling
- Stack trace and debugging information
- Release tracking and deployment monitoring
- Error messages and stack traces
- User IDs (anonymized where possible)
- IP addresses
- Browser/device information
- Performance metrics
- URL paths and API endpoints
- SOC 2 Type II certified
- GDPR compliant
- Data scrubbing to remove sensitive information
- IP address anonymization
- Standard Contractual Clauses for EU data transfers
7.11 ALPHA VANTAGE, INC.
- Real-time and historical stock prices
- Stock market indicators and technical analysis data
- Company fundamentals and financial statements
- Global equity data
- User stock watchlist (if stored with identifiers)
- API request logs (anonymized)
- No personal user data transmitted
- HTTPS/TLS encryption for all API requests
- No storage of personal user data
- API usage is anonymized
7.12 YAHOO FINANCE API (Yahoo Inc.)
- Stock prices and historical data
- Financial news and analysis
- Market indices and commodities data
- Company profiles and statistics
- User stock search queries (anonymized)
- API request logs
- No personal user data transmitted
- HTTPS/TLS encryption for API requests
- GDPR compliant (Yahoo is a Verizon Media company)
- No storage of personal user data
7.13 COINMARKETCAP (CMC)
- Real-time cryptocurrency prices
- Market capitalization data
- Historical crypto price data
- Cryptocurrency exchange information
- User cryptocurrency watchlist (if stored with identifiers)
- API request logs (anonymized)
- No personal user data transmitted
- HTTPS/TLS encryption for API requests
- GDPR compliant
- No storage of personal user data
- API usage is anonymized
7.14 FINNHUB STOCK API (Finnhub.io)
- Stock prices and market data
- Earnings reports and financial statements
- Market news and sentiment analysis
- Economic indicators and calendar events
- API request logs (anonymized)
- User stock queries (no PII)
- No personal user data transmitted
- HTTPS/TLS encryption for API requests
- GDPR compliant
- No storage of personal user data
7.15 BINANCE API
- Cryptocurrency prices and market data
- Trading volume and liquidity information
- Historical cryptocurrency data
- Exchange rate information
- API request logs (anonymized)
- No personal user data transmitted
- Read-only API access (no trading functionality)
- HTTPS/TLS encryption for API requests
- API keys with read-only permissions
- No storage of personal user data
- Rate limiting and security controls
7.16 PAYPAL HOLDINGS, INC.
- Payment processing for subscriptions
- Recurring billing management
- Refund processing
- Fraud prevention
- Name, email address
- PayPal account information
- Transaction history
- Billing address
- PCI DSS Level 1 certified
- SOC 2 Type II certified
- GDPR compliant
- Standard Contractual Clauses for EU data transfers
- ISO 27001 certified
7.17 GOOGLE LLC (Google Cloud Platform)
- Address autocomplete and validation
- Geocoding and reverse geocoding
- Maps display (if used in UI)
- User addresses (for verification)
- Location coordinates
- IP addresses
- Device identifiers
- ISO 27001, 27017, 27018 certified
- SOC 2 and SOC 3 certified
- GDPR compliant
- Standard Contractual Clauses for EU data transfers
- Encryption in transit and at rest
7.18 CLOUDFLARE, INC.
- Global content delivery and caching
- DDoS attack mitigation
- Web application firewall (WAF)
- DNS management and resolution
- SSL/TLS certificate management
- IP addresses
- HTTP request data (URLs, headers, user agents)
- Cookies (if used for rate limiting)
- DNS query logs
- No personal data stored beyond network logs
- SOC 2 Type II certified
- ISO 27001 certified
- GDPR compliant
- Standard Contractual Clauses for EU data transfers
- Data localization options for EU customers
- Encryption in transit
HOW TO OBJECT TO A SUBPROCESSOR
Objection Process
- Email: [email protected]
- Subject Line: "Subprocessor Objection - [Subprocessor Name]"
- Deadline: You have 30 days from the date of notification to object
- Your full name and account email address
- The specific subprocessor you are objecting to
- Detailed reason for your objection (e.g., data protection concerns, jurisdiction concerns, security concerns)
- Any supporting documentation or evidence
- Preferred alternative solutions (if applicable)
- Acknowledgment: We will acknowledge receipt of your objection within 3 business days
- Investigation: We will conduct a thorough review of your concerns
- Assessment: We will evaluate if we can accommodate your objection through:
  - Removing the subprocessor
  - Implementing additional safeguards
  - Offering alternative service options
  - Restricting data shared with the subprocessor
- Timeline: We will respond within 15 business days with our decision
- Outcomes:
  - Objection Accepted: We will remove or replace the subprocessor, or implement additional safeguards
  - Alternative Offered: We may offer an alternative service configuration
  - Objection Not Feasible: If we cannot accommodate your objection (e.g., essential subprocessor for core service), we will explain why and offer you the right to terminate your account without penalty
- You have the right to terminate your account without penalty
- You will receive a full refund for any unused subscription period
- Your data will be deleted according to our Data Retention Policy
- Export your data before termination via Data Export Tool
Pre-Notification for New Subprocessors
- Email notification to your registered email address 30 days before adding a new subprocessor
- In-app banner notification displayed for 30 days
- Update to this Subprocessor List with the new subprocessor details and effective date
- Name and legal entity of the new subprocessor
- Services the subprocessor will provide
- Data categories that will be processed
- Data location and applicable safeguards
- Effective date of engagement
- Your right to object and the objection deadline
- Primary: Email to your account email address
- Secondary: Push notification (if enabled)
- Tertiary: In-app banner on dashboard
- Permanent: Update to this page with version history
Essential vs. Non-Essential Subprocessors
- Stripe (payment processing - required for subscriptions and payouts)
- Plaid (bank account connection - required for financial data aggregation)
- AWS (cloud hosting - required for platform infrastructure)
- Mailgun/Twilio (transactional communications - required for account security)
- OpenAI (AI assistant - optional feature)
- OneSignal (push notifications - optional feature)
- Market data providers (optional for portfolio tracking)
Contact for Objections
- Email: [email protected]
- Subject: "Subprocessor Objection - [Name]"
- Email: [email protected]
- Response Time: 3 business days for acknowledgment, 15 business days for resolution
ALIGNMENT WITH SECURITY POLICY
Required Security Controls
- In Transit: TLS 1.2 or higher (TLS 1.3 preferred)
- At Rest: AES-256 encryption or equivalent
- Key Management: Secure key storage using HSMs or equivalent
- Authentication: Multi-factor authentication (MFA) for administrative access
- Authorization: Role-based access control (RBAC) with principle of least privilege
- Audit Logging: Comprehensive logging of all data access and administrative actions
- SOC 2 Type II (security, availability, confidentiality)
- ISO 27001 (information security management)
- PCI DSS Level 1 (for payment processors)
- Other equivalent industry-recognized certifications
- Documented incident response procedures
- Breach notification to XPlus Finance within 24 hours
- User notification within 72 hours (GDPR compliance)
- Post-incident forensics and remediation
- Written DPA in place for all subprocessors
- GDPR Article 28 compliance
- Standard Contractual Clauses (SCCs) for international transfers
- Liability and indemnification provisions
Security Verification Process
- Security Questionnaire: Comprehensive assessment of security posture
- Certification Review: Verification of SOC 2, ISO 27001, or equivalent
- Contract Negotiation: DPA with security obligations
- Risk Assessment: Evaluation of data processing risks
- Annual Audits: Review of security certifications and compliance status
- Quarterly Check-ins: Security updates and incident reviews
- Continuous Monitoring: Automated alerts for security incidents
- Penetration Testing: Annual third-party penetration tests (for critical subprocessors)
- Immediate Notification: Subprocessor must notify us within 24 hours of any security incident
- Joint Investigation: Collaborative investigation and forensics
- User Notification: We notify affected users within 72 hours (GDPR requirement)
- Remediation: Required remediation plan with timeline
- Termination Rights: We reserve the right to terminate subprocessors who fail to meet security standards
Cross-Reference: Security Policy Sections
- Section 8: Third-Party Security - Subprocessor security requirements
- Section 3: Encryption and Data Protection - Encryption standards
- Section 10: Security Monitoring and Incident Response - Incident procedures
- Section 13: Compliance and Certifications - Required certifications
Subprocessor Security Verification Table
- All active subprocessors have executed DPAs
- All international transfers covered by SCCs
- All subprocessors meet minimum encryption standards
- Security audits current within last 6 months
CONTACT INFORMATION
- Email: [email protected]
- Subject Line: "Subprocessor Inquiry"
- Email: [email protected]
- Subject Line: "Subprocessor Objection - [Subprocessor Name]"
- Include: Your account email, specific objection, and concerns
- Deadline: 30 days from notification
- Email: [email protected]
- See our Privacy Policy for comprehensive data protection information
- Email: [email protected]
- For security-related questions about subprocessors
UPDATES AND CHANGES
- Whenever a new subprocessor is added
- When a subprocessor is removed
- When subprocessor services or data processing activities change significantly
- At least annually for accuracy verification
- Version 1.0 (November 15, 2025): Initial publication
- Subscribe to email notifications for subprocessor changes (opt-in in Account Settings)
- Check this page periodically for updates
- Version number and last updated date are always displayed at the top