DATA PROCESSING AGREEMENT
SCHEDULE
| TERM | MEANING |
|---|---|
| we, us or our | Aktura Technology Pty Ltd (ACN 146 513 868, ABN 99 146 513 868) Address: 84 Brunswick Street, Fortitude Valley QLD 4006, Australia Email: privacy@contentsnare.com Phone: +61 7 3106 3450 Key contact person’s contact details and role: Prighter Group (our appointed UK and EU privacy representative and your point of contact). To exercise your data subject rights or contact us via our representative, visit https://app.prighter.com/portal/18663619460 Role: Where you provide personal data to us to sign up to our Services, we are acting as a data controller. Where you input personal data into the Services and we process it on your behalf, we are acting as a data processor. We are the data importer. |
| you or your | You: the customer that accepts these terms or enters into an order form or subscription with us for the Services. You are the data controller for the personal information you collect and upload, and the data exporter. |
| Linked Agreement | The agreement between you and us under which we provide the Services, being our Terms of Service and any order form or subscription you enter into. |
TERMS AND CONDITIONS
A. This DPA is entered into between the Controller and the Processor, together the Parties and each a Party.
B. This DPA supplements the Linked Agreement entered into between the Parties and applies to the provision of Services under the Linked Agreement.
1. Commencement and Term
1.1 This DPA will commence on the date it is executed by the last of the Parties and will continue for as long as the Linked Agreement remains in effect, or the Processor retains any of the Company Personal Data in its possession or control (whichever is the longer).
1.2 By entering into this DPA, each Party agrees to be bound by the terms and conditions set out in this DPA, in exchange for the other Party also agreeing to be bound by this DPA.
2. Processing of Personal Data
2.1 The Processor agrees to:
(a) comply with all Applicable Data Protection Laws in the Processing of Company Personal Data; and
(b) not process Company Personal Data other than on the Controller’s documented instructions.
2.2 The Controller instructs the Processor to process Personal Data in accordance with this DPA (including in accordance with Annexure 1).
2.3 Where and to the extent the Processor is also acting as a Controller, it agrees to process the Company Personal Data in accordance with Applicable Data Protection Laws, and to the extent applicable, clause 11 of this DPA.
2.4 Where acting as a ‘service provider’ or ‘contractor’ under the CCPA (as those terms are defined in the CCPA), the Processor agrees to:
(a) process Personal Data only for the limited and specified purposes set out in this DPA and the Linked Agreement;
(b) not sell Personal Data or use it outside the direct business relationship; and
(c) notify the Controller immediately if it determines it can no longer meet its CCPA obligations.
2.5 The Controller has the right to take reasonable steps to ensure the Processor uses Personal Data consistently with the Controller’s obligations under Applicable Data Protection Laws, and upon notice of non-compliance, to stop and remediate any unauthorised use.
3. Processor Personnel
3.1 The Processor agrees to take reasonable steps to ensure the reliability of any of the Contracted Processor’s Personnel who may have access to the Company Personal Data, ensuring in each case that:
(a) access is strictly limited to those individuals who need to know or access the relevant Company Personal Data, as strictly necessary for the purposes of the Linked Agreement; and
(b) the relevant Personnel are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor agrees to implement appropriate technical and organisational measures in relation to the Company Personal Data to ensure a level of security appropriate to that risk in accordance with Applicable Data Protection Laws, and as further particularised in Annexure 2.
4.2 In assessing the appropriate level of security, the Processor agrees to take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
5. Sub-Processing
5.1 The Controller authorises the Processor’s engagement of the Sub-Processors already engaged by the Processor at the date of this DPA that are set out in Annexure 3.
5.2 Where the Processor wishes to engage a new Sub-Processor, the Processor agrees to provide written notice to the Controller of the details of the engagement of the Sub-Processor at least 14 days’ prior to engaging the new Sub-Processor (including details of the processing it will perform). The Controller may object in writing to the Processor’s appointment of a new Sub-Processor within 7 days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the Parties will discuss such concerns in good faith with a view to achieving resolution. If the Parties are not able to achieve resolution, the Processor may, at its election:
(a) not appoint the proposed Sub-Processor;
(b) not disclose any Company Personal Data it processes on the Controller’s behalf to the proposed Sub-Processor; or
(c) inform the Controller that it may terminate the Linked Agreement (including this DPA) for convenience, in which case, clause 13.2 will apply.
5.3 The Controller agrees that the remedies described above in clauses 5.2(a) to 5.2(c) are the only remedies available to the Controller if it objects to any proposed Sub-Processor by the Processor.
5.4 Where the Processor engages a Sub-Processor to process Company Personal Data, the Processor agrees to enter into a written agreement with the Sub-Processor containing data protection obligations no less protective that those in this DPA with respect to the Company Personal Data (including in relation to Restricted Transfers), and to remain responsible to the Controller for the performance of such Sub-Processor’s data protection obligations under such terms.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, the Processor agrees to assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations, as reasonably understood by the Controller, to respond to requests to exercise Data Subject rights under the Applicable Data Protection Laws.
6.2 The Processor agrees to:
(a) promptly notify the Controller if it receives a request from a Data Subject under any Applicable Data Protection Law in respect of Company Personal Data; and
(b) ensure that it does not respond to that request except on the documented instructions of the Controller or as required by Applicable Data Protection Laws to which the Processor is subject, in which case the Processor shall, to the extent permitted by Applicable Data Protection Laws, inform the Controller of that legal requirement before the Contracted Processor responds to the request.
7. Personal Data Breach
7.1 The Processor agrees to notify the Controller without undue delay upon the Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Data Protection Laws.
7.2 The Processor agrees to co-operate with the Controller and take reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
7.3 If the Controller decides to notify a Supervisory Authority, Data Subjects or the public of a Personal Data Breach, the Controller agrees to provide the Processor with advance copies of the proposed notices and, subject to Applicable Data Protection Laws (including any mandated deadlines under the GDPR), allow the Processor an opportunity to provide any clarifications or corrections to those notices.
8. Data Protection Impact Assessment and Prior Consultation
8.1 The Processor agrees to provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with any relevant Supervising Authority or other competent data privacy authority, which the Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Applicable Data Protection Laws (to the extent the Controller does not otherwise have access to the relevant information and such information is in the Processor’s control).
9. Deletion or Return of Personal Data
9.1 Subject to this clause 9, and subject to any document retention requirements at law, the Processor agrees to promptly and in any event within 30 days of the date of cessation of any Services involving the Processing of Company Personal Data (Cessation Date), return or delete (at the Controller’s discretion) and procure the return or deletion of all copies of those Company Personal Data.
10. Audit Rights
10.1 Subject to this clause 10, where required by law, the Processor shall make available to the Controller on request all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the Processing of the Company Personal Data by the Contracted Processors.
10.2 The Processor may satisfy the Controller's information and audit requests under clause 10.1 in the first instance by providing its then-current certifications and independent third-party audit reports, including its ISO 27001 certification and any SOC 2 report or equivalent attestation. Where those certifications and reports do not reasonably enable the Controller to verify the Processor's compliance with this DPA, or where an audit is required by a competent Supervisory Authority or follows a Personal Data Breach affecting the Company Personal Data caused by the Processor, the Controller may conduct an on-site audit or inspection in accordance with this clause 10.
10.3 Where clause 10.1 applies, any audit (or inspection):
(a) must be conducted during the Processor’s regular business hours, with reasonable advance notice (which shall not be less than 30 days);
(b) will be subject to the Processor’s reasonable confidentiality procedures;
(c) must be limited in scope to matters specific to the Controller and agreed in advance with the Processor;
(d) must not require the Processor to disclose to the Controller any information that could cause the Processor to breach any of its obligations under Applicable Data Protection Laws;
(e) to the extent the Processor needs to expend time to assist the Controller with the audit (or inspection), will be funded by the Controller, in accordance with pre-agreed rates; and
(f) may only be requested by the Controller a maximum of one time per year, except where required by a competent Supervisory Authority or where there has been a Personal Data Breach in relation to Company Personal Data, caused by the Processor.
10.4 Information and audit rights of the Controller only arise under clause 10.1 to the extent that the Linked Agreement does not otherwise give it information and audit rights meeting the relevant requirements of Applicable Data Protection Laws.
11. Restricted Transfers
11.1 The Parties agree that where the transfer of Company Personal Data between the Parties is a Restricted Transfer protected by the EU GDPR, it will be subject to the EU SCCs, which shall be deemed to be incorporated into this DPA and form part of this DPA, subject to Annexure 1, and are considered an appropriate safeguard.
11.2 The Parties agree that where the transfer of Company Personal Data between the Parties is a Restricted Transfer protected by the UK GDPR, it will be subject to the UK Addendum (and any documents or legislation referred to within it), which shall be deemed incorporated into this DPA, and:
(a) the tables in Part 1 of the UK Addendum shall be populated with the relevant information set out in Annexure 1 to this DPA; and
(b) the Parties agree that the UK Addendum is considered an appropriate safeguard.
12. Liability
12.1 Despite anything to the contrary in the Linked Agreement or this DPA, to the maximum extent permitted by law, the Liability of each Party and its affiliates under this DPA is subject to the exclusions and limitations of Liability set out in the Linked Agreement, or if no limitation is specified, then each Party’s aggregate liability to the other Party arising out of or related to this DPA (excluding the SCCs) will be limited to $100,000, and neither Party will be liable to the other for any indirect, special or consequential losses, including any real or anticipated lost profits, lost revenue, or lost opportunity.
13. Termination
13.1 Each Party agrees that a failure or inability to comply with the terms of this DPA or the Applicable Data Protection Laws constitutes a material breach of the Linked Agreement. In such event, the Controller may, without penalty:
(a) require the Processor to suspend processing of Company Personal Data until such compliance is restored; or
(b) terminate the Linked Agreement effective immediately on written notice to the Processor.
13.2 In the case of such suspension or termination, the Processor shall provide a prompt pro-rata refund of all sums paid in advance under the Linked Agreement which relate to the period of suspension or the period after the date of termination (as applicable).
13.3 Notwithstanding the expiry or termination of this DPA, this DPA will remain in effect until, and will terminate automatically upon, deletion by the Processor of all Company Personal Data covered by this DPA, in accordance with this DPA.
14. General
14.1 Amendment: Other than as expressly permitted under this DPA and to the extent permitted by law, this DPA may only be amended by written instrument executed by the Parties.
14.2 Assignment: A Party must not assign or deal with the whole or any part of its rights or obligations under this DPA without the prior written consent of the other Party (such consent not to be unreasonably withheld).
14.3 Competent Supervisory Authority: If the EU SCCs apply, then the competent Supervisory Authority is the Data Protection Commission of the Republic of Ireland. If the UK Addendum applies, the competent Supervisory Authority is the UK Information Commissioner’s Office.
14.4 Confidentiality: Each Party agrees to keep this DPA and any information it receives about the other Party and its business in connection with this DPA (Confidential Information) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law; or
(b) the relevant information is already in the public domain.
14.5 Contracts (Rights of Third Parties) Act 1999 (UK): Notwithstanding any other provision of this DPA, nothing in this DPA confers or is intended to confer any right to enforce any of its terms on any person who is not a party to it. For the avoidance of doubt, nothing in this Agreement is intended to override the rights of any Data Subjects under Applicable Data Protection Laws.
14.6 Counterparts: This DPA may be executed in any number of counterparts that together will form one instrument.
14.7 Governing Law: This DPA is governed by the laws of Queensland. Each Party irrevocably and unconditionally submits to the exclusive jurisdiction of the courts operating in Queensland and any courts entitled to hear appeals from those courts and waives any right to object to proceedings being brought in those courts.
14.8 Order of Precedence: In the event of any conflict or inconsistency between the agreements entered into between the Parties, the Applicable Data Protection Laws shall prevail, then the Annexures, followed by this DPA and then the Linked Agreement.
14.9 Notices: Any notice given under this DPA must be in writing addressed to the relevant address last notified by the recipient to the Parties. Any notice may be sent by standard post or email, and will be deemed to have been served on the expiry of 48 hours in the case of post, or at the time of transmission in the case of transmission by email.
14.10 Severance: If a provision of this DPA is held to be void, invalid, illegal or unenforceable, that provision is to be read down as narrowly as necessary to allow it to be valid or enforceable, failing which, that provision (or that part of that provision) will be severed from this DPA without affecting the validity or enforceability of the remainder of that provision or the other provisions in this DPA.
15. Definitions and Interpretation
15.1 In this DPA, unless the context otherwise requires, all terms have the meanings given to them in the Annexures, and:
Applicable Data Protection Laws means the laws and regulations applicable to the processing of Personal Data by the Parties in connection with the Linked Agreement, including:
(a) the EU GDPR;
(b) the UK GDPR; and
(c) the CCPA.
CCPA means the California Consumer Privacy Act of 2018, as amended.
Company Personal Data means any Personal Data Processed by a Contracted Processor on behalf of a Controller in connection with the Linked Agreement (and where the Processor is also acting as a Controller, any Personal Data it processes in connection with the Linked Agreement).
Contracted Processor means the Processor or a Sub-Processor.
Controller means the Party specified in the Schedule as the Controller that performs the role of a Controller as that term is defined under the EU GDPR, or UK GDPR, as applicable.
Data Subject means any individual person that is identified or identifiable by way of Personal Data.
DPA means this Data Processing Agreement and all Annexures attached to it.
EEA means the European Economic Area.
EU GDPR means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation).
EU SCCs means in respect of the EU GDPR, the standard contractual clauses annexed to the European Commission’s implementing decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as may be amended, superseded or replaced from time to time.
GDPR means the EU GDPR or UK GDPR (as applicable).
Liability means any expense, cost, liability, loss, damage, claim, notice, entitlement, investigation, demand, proceeding or judgment (whether under statute, contract, equity, tort (including negligence), misrepresentation, restitution, indemnity or otherwise), howsoever arising, whether direct or indirect and/or whether present, unascertained, future or contingent and whether involving a third party or a Party to this DPA or otherwise.
Linked Agreement has the meaning given to it in the Schedule.
Personnel means in respect of a Contracted Processor, any of its employees, consultants, and subcontractors.
Processor means the Party specified in the Party Details in the Schedule as a Processor that performs the role of a Processor as that term is defined under the EU GDPR, or UK GDPR, as applicable.
Restricted Transfer means:
(a) where the EU GDPR applies, a transfer of personal data from a country within the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; or
(b) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
Schedule means the schedule to this DPA.
Services means the services the subject of the Linked Agreement.
Sub-Processor means any person appointed by or on behalf of the Processor to process Company Personal Data on behalf of the Controller in connection with the Linked Agreement.
UK Addendum means the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers implemented by the UK Information Commissioner’s Office pursuant to the United Kingdom Data Protection Act 2018, as may be amended, superseded or replaced from time to time.
UK GDPR means the United Kingdom Data Protection Act 2018 and the EU GDPR as incorporated into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.
15.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the EU GDPR or UK GDPR, as applicable.
15.3 The terms, “Data Exporter” and “Data Importer” shall have the same meaning as in the EU SCCs and/or the UK Addendum (as applicable).
15.4 The word include shall be construed to mean include without limitation.
ANNEXURE 1 – Description of Transfer
| Categories and Treatment of Personal Data | |
|---|---|
| Personal Data Transferred | Data the Controller chooses to collect, which may include identity and contact details, business information, and the contents of documents and files uploaded into a request. The specific categories are determined by the Controller. Identity verification and KYC/AML: Where the Controller uses the Processor's identity-verification or KYC/AML features, that processing is performed by the Processor's providers (Stripe, ComplyCube) through their own SDKs. Any biometric data is collected and processed by those providers directly and is never received, transmitted or stored by the Processor. Verification reports (extracted identity fields and document images) are delivered by direct download to the relevant individual's browser and are not stored by the Processor. Where the Controller uses a feature that imports verification report data (identity fields or document images) into the Processor's platform, that data is processed by the Processor as the Controller's processor as ordinary personal data; the Processor does not at any time receive biometric data. |
| Special Categories of Personal Data and Criminal Convictions and Offences | The service is not intended for special-category data. The Controller is instructed not to submit or upload special-category data (and not health or medical data). We do not knowingly process it. Where the Controller nonetheless chooses to collect such data, it does so as controller, at its own risk and responsibility, and must ensure an appropriate lawful basis and safeguards. |
| Relevant Data Subjects | Select all that apply: ☒ Anyone about whom Personal Data is input into the Service. ☒ Authorised users of the Services. ☐ Business contact representatives. ☒ Employees, Contractors and other Personnel. ☐ Other: |
| Frequency of the Transfer | Select one: ☒ Continuous ☐ Ad hoc, on the Controller’s instructions. |
| Nature of the Transfer | As specified in the Linked Agreement, this DPA and as instructed by the Data Exporter (if applicable), including without limitation: use of Company Personal Data to provide the Services, as contemplated by the Linked Agreement; collection, organisation, storage (hosting), retrieval and other processing of Company Personal Data as necessary to provide, maintain and improve the Services, as contemplated by the Linked Agreement; and transmission, disclosure and dissemination of Company Personal Data to provide or receive the Services (as applicable) in accordance with the Linked Agreement or as required by law. |
| Purpose of the Processing | The purpose of the transfer and processing are as specified in the Linked Agreement and this DPA. |
| Duration of the Processing | The term of the Linked Agreement and for a period of 30 days after termination or expiry of the Linked Agreement. |
| Information required for Sections I – IV of the SCCs | ||||||
|---|---|---|---|---|---|---|
| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
| 1 | N/A | N/A | ||||
| 2 | Yes | Incorporated | Not incorporated | General authorisation | 14 days | No |
| 3 | N/A | N/A | N/A | N/A | ||
| 4 | N/A | N/A | N/A | |||
| Clause 17 of the EU SCCs (Governing Law) | The governing law for the purposes of clause 17 shall be the (i) the laws of the Republic of Ireland where the relevant transfer falls within the territorial scope of application of the EU GDPR; or (ii) the laws of England & Wales where the relevant transfer falls within the territorial scope of the UK GDPR. | |||||
| Clause 18 of the EU SCCs (Choice of forum and jurisdiction) | The choice of forum and jurisdiction for the purposes of clause 18 shall be (i) the courts of the Republic of Ireland where the relevant transfer falls within the territorial scope of application of the EU GDPR; or (ii) the courts of England & Wales where the relevant transfer falls within the territorial scope of the UK GDPR. | |||||
| Information required for Table 4 of the UK Addendum | |
|---|---|
| Ending this Addendum when the Approved UK Addendum changes | Which Parties may end this Addendum as set out in Section 19 of Part 2 of the UK Addendum: ☐ Importer ☐ Exporter ☒ Neither Party |
ANNEXURE 2 – TECHNICAL AND ORGANISATIONAL MEASURES
Data Encryption and Pseudonymisation
The Processor encrypts personal data in transit using SSL/TLS. Data is encrypted at rest, including databases, stored files and communications. User and company information is pseudonymised in the Processor's logs to enhance privacy.
In addition to database encryption at rest, the answers and content collected through the Processor's platform are encrypted with a unique per-tenant (per-company) key, held in a secure key vault outside the main application and not retrievable once created, so that one Controller's data is cryptographically segregated from another's. When the Controller's account is deleted, the per-tenant keys are destroyed, rendering any residual encrypted data unrecoverable (crypto-shredding).
Access Control
Access to data is strictly controlled according to the Processor's internal policies and processes which limit staff access to what is necessary for their duties. Support staff access to data is granted only upon the Controller's request.
Authentication and Identification
The Processor's authentication measures include hashed and salted passwords, exclusion of passwords in logs, TOTP, and 2FA with anti-brute force measures. All endpoints are secured to return data scoped to authenticated users only, enhancing protection against unauthorized access. Operational application access keys are stored in an encrypted vault with extremely limited and controlled access.
Monitoring and Response
The Processor maintains comprehensive application and infrastructure monitoring to detect anomalies and potential security threats. Regular manual reviews are conducted to identify malicious activities. An incident response plan is in place for unauthorized or incorrect data processing, including a framework to identify lessons learned. Policies cover response times, communications (to the public, affected parties, and authorities) and retroactive actions.
Data Backup
The Processor maintains encrypted backups for databases and files to ensure data integrity and limit data loss. Files are backed up to a separate storage location for redundancy.
Data Quality, Minimisation and Retention
The Processor's backups have a structured retention policy that includes two weeks for database backups and defined procedures for the removal of cancelled accounts after 90 days of inactivity.
Compliance and Risk Management
The Processor maintains a dedicated data protection contact who oversees GDPR compliance, with privacy and GDPR considerations integrated into director meetings and a risk register for compliance-related risks. Regular testing and evaluation of the Processor's measures are conducted to ensure effectiveness.
Data Transmission Security
The Processor's data transmission leverages HTTPS, rotating bearer tokens, and OAuth 2.0 authorization, with support for strong TLS protocols and ciphers. Direct paths to files are securely managed with signed URLs for time-limited access.
Physical Security
The Processor processes data on AWS and Google, which adhere to high physical security standards, and maintain ISO 27001 and SOC 2 compliance.
Data Portability and Erasure
The Processor maintains documented processes to support data portability and erasure, with a clear identity verification process for data subject requests. Secure file-sharing methods are used for data transfer requests. Records are kept by the Processor for all portability and erasure requests.
Staff Training and Internal Audits
The Processor maintains an internal auditing program to assess adherence to privacy policies, and a training register maintains records on data privacy protection and compliance.
Continuous Improvement
The Processor maintains a robust Continuous Improvement Program encompassing regular testing, assessment, and evaluation of its technical and organisational measures. The Processor maintains a comprehensive list of sub-processors, including third-party service providers, to ensure all parties involved in data handling meet the Processor's strict security standards. Through regular reviews of internal processes, security assessments of its applications, and vigilant monitoring of third-party compliance, the Processor proactively identifies and addresses any gaps or weaknesses.
ANNEXURE 3 – LIST OF SUBPROCESSORS
The organisations below process the Personal Data provided to the Processor’s software platform, on the Controller’s instructions, as the Processor’s sub-processors under Article 28 of the GDPR.
| List of Sub-Processors | |||
|---|---|---|---|
| Sub-Processor Name | Location | Purpose/Services | Website & Contact Details |
| Amazon Web Services (AWS) | United States | Application, database and file hosting | https://aws.amazon.com/ |
| United States | File backups | https://cloud.google.com/ | |
| Postmark | United States | Transactional email (sending your requests and reminders to your clients) | https://postmarkapp.com/ |
| Rollbar | United States | Error reporting (may incidentally include personal data in error logs) | https://rollbar.com/ |
| OpenAI | United States | AI features (only when using Smart Request) | https://openai.com/ |
| Stripe | United States | Identity verification (only when using the ID feature) | https://stripe.com/ |
| ComplyCube | Australia | Identity verification / KYC and AML screening (only when using that feature) | https://complycube.com/ |
| PostHog | United States | Product and usage analytics (usage events from users and end-clients, which may include IP addresses) | https://posthog.com/ |
Where a recipient is also certified under the EU-US Data Privacy Framework, that provides additional assurance; the SCCs remain the transfer mechanism in every case. Among these recipients, AWS (under Amazon.com, Inc.), Google, Rollbar, Stripe and PostHog are certified under the Data Privacy Framework; OpenAI is not, and Postmark is covered under ActiveCampaign's certification.
For Stripe (ID feature) and ComplyCube, identity verification runs through the providers' SDKs. Biometric data is processed by them directly and is never received or stored by the Processor (see Annexure 1).
Processor’s Own Providers
The Processor is the controller for these. They support the Processor's own operations (billing, marketing, support, analytics) and do not process the data the Controller collects from the Controller's clients. They are listed here for transparency and are not Article 28 sub-processors of the Controller's customer data. Transfers of this data are made by the Processor as controller under its own controller-to-processor arrangements (EU SCCs Module 2 where applicable) with each provider, not under this DPA.
| List of Processors | ||
|---|---|---|
| Processor Name | Location | Purpose/Services |
| Active Campaign | United States | Email marketing and support to the Processor’s users. |
| Intercom | United States | Customer support (processes an individual’s data only if they contact the Processor directly) |
| Chargebee | United States | Subscription management and invoicing |
| Stripe | United States | Billing |
| FirstPromoter | United States | Affiliate and referral tracking (email address only) |
| Zapier | United States | Internal workflow automation |
| Make | United States | Internal workflow automation |
| Google Analytics | United States | Website analytics |
| United States | Advertising | |
| United States | Advertising | |
Where the Controller connects their own Zapier or Make account to the Processor's platform, that integration moves data under the Controller's own agreement with those providers and is operated by the Controller as controller, not by the Processor as a sub-processor.