Sub-Processors
Sub-Processors (Quick Links)
- Fasthosts Internet Ltd
- Amazon Web Services (AWS)
- Google Cloud (Google LLC)
- Sinch AB (Sinch)
- Infobip Ltd (Infobip)
- 8x8, Inc. (8x8)
- JT Group Limited (JT Global)
- Telesign Corporation (Telesign)
Sub-Processor Description: Fasthosts Internet Ltd
Purpose of Processing
Fasthosts Internet Ltd (“Fasthosts”) provides web hosting, domain registration, email hosting, and related IT infrastructure services. As a sub-processor, Fasthosts is engaged to support hosting, storage, and delivery of data required for the operation of websites, email services, and other cloud-based solutions.
Data Categories Processed
- Hosting and email content data
- Customer and end-user information (e.g., IP addresses, log files, email metadata)
- Technical information for infrastructure management (e.g., server logs, application performance data)
Processing Location
Data processed by Fasthosts is primarily hosted in their data centers within the European Economic Area (EEA). They ensure compliance with GDPR requirements for cross-border data transfers if applicable.
Security Measures
Fasthosts employs robust security measures to protect customer data, including:
- Encryption of data in transit and at rest
- Firewalls and intrusion detection/prevention systems
- Regular vulnerability assessments and penetration testing
- ISO 27001 certification of data centers, ensuring compliance with recognized security standards
Sub-Processor Obligations
Fasthosts processes personal data strictly under the instructions of the data controller (or main processor) in accordance with GDPR Article 28. This includes implementing appropriate technical and organizational measures to ensure the protection of personal data and assisting in responding to data subject rights requests.
DPA Status
We have a Data Processing Agreement (DPA) in place with Fasthosts Internet Ltd.
Third-Party Transfers
Fasthosts does not engage any additional sub-processors without prior authorization and ensures that any third-party processors used adhere to GDPR compliance.
Contact Information
For further details about Fasthosts’ role as a sub-processor, please refer to their privacy policy or contact their data protection officer.
Sub-Processor Description: Amazon Web Services (AWS)
Purpose of Processing
Amazon Web Services, Inc. (“AWS”) provides cloud computing services, including infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) solutions. As a sub-processor, AWS supports the hosting, storage, and processing of data required for web applications, databases, content delivery, and other cloud-based services.
Data Categories Processed
- Hosting and storage data
- Customer and end-user information (e.g., IP addresses, log files, user-generated data)
- Technical and operational data for infrastructure and service management (e.g., monitoring, performance metrics)
Processing Location
AWS processes data in data centers located within specified regions, as determined by the data controller. AWS offers customers the ability to choose their data storage location and ensures compliance with GDPR for cross-border data transfers, including adherence to Standard Contractual Clauses (SCCs) where necessary.
Security Measures
AWS implements industry-leading security practices and certifications to ensure data protection, including:
- Encryption of data at rest and in transit
- Multi-factor authentication and role-based access controls
- Regular vulnerability scans and penetration testing
- ISO 27001, SOC 1/2/3, PCI DSS, and other certifications
- AWS Shield for Distributed Denial of Service (DDoS) protection
Sub-Processor Obligations
AWS processes personal data under the strict instructions of the data controller in compliance with GDPR Article 28. AWS provides robust contractual guarantees to maintain the confidentiality, integrity, and availability of customer data.
DPA Status
We have a Data Processing Agreement (DPA) in place with Amazon Web Services, Inc.
Third-Party Transfers
AWS ensures that any third parties engaged in processing adhere to GDPR standards. AWS does not transfer customer data to additional sub-processors without authorization and maintains a list of sub-processors in their AWS GDPR Data Processing Addendum.
Contact Information
For further details about AWS’s role as a sub-processor, including their security and compliance measures, please visit the AWS GDPR Center.
Sub-Processor Description: Google Cloud (Google LLC)
Purpose of Processing
Google Cloud, operated by Google LLC (“Google”), provides cloud-based services, including infrastructure, storage, analytics, and machine learning tools. As a sub-processor, Google facilitates the hosting, processing, and delivery of data to support web applications, databases, collaboration tools, and other cloud-based solutions.
Data Categories Processed
- Hosting and storage data
- Customer and end-user information (e.g., IP addresses, log files, email content)
- Technical and operational data for infrastructure and application management (e.g., monitoring logs, usage metrics)
Processing Location
Google Cloud processes data in data centers located worldwide, with customers retaining control over data residency. Google complies with GDPR requirements for cross-border data transfers, including adherence to Standard Contractual Clauses (SCCs) and participation in the EU-U.S. Data Privacy Framework, as applicable.
Security Measures
Google employs advanced security measures and certifications to protect customer data, including:
- Encryption at rest and in transit
- Zero Trust architecture for access controls
- Threat detection and prevention systems powered by machine learning
- Regular security audits and penetration testing
- Compliance certifications such as ISO 27001, SOC 1/2/3, PCI DSS, and FedRAMP
Sub-Processor Obligations
Google processes personal data exclusively under the instructions of the data controller, adhering to GDPR Article 28. Google maintains comprehensive Data Processing Agreements (DPAs) that outline its obligations, including safeguarding personal data and facilitating data subject rights.
DPA Status
We have a Data Processing Agreement (DPA) in place with Google (Google Cloud).
Third-Party Transfers
Google provides a publicly available list of its sub-processors and ensures compliance with GDPR standards for any third-party processing. Google requires its sub-processors to meet equivalent data protection and security obligations.
Contact Information
For more information about Google Cloud’s role as a sub-processor, its security practices, and compliance with GDPR, please visit the Google Cloud GDPR Resource Center.
Sub-Processor Description: Sinch AB (Sinch)
Purpose of Processing
Sinch provides communications platform services (CPaaS) including SMS, MMS, and related messaging delivery. As a sub-processor, Sinch facilitates the transmission and delivery of application-to-person (A2P) messages and associated delivery reporting.
Data Categories Processed
- Message content and metadata (sender, recipient MSISDNs, timestamps)
- Delivery receipts and routing information
- Technical logs for service operation and troubleshooting
Processing Location
Sinch operates globally and may process data in the EEA and other regions depending on routing and service configuration. Cross-border transfers comply with GDPR requirements, including use of Standard Contractual Clauses (SCCs) where applicable.
Security Measures
- Encryption in transit
- Network and application firewalls
- Access controls with least-privilege and audit logging
- Regular security testing and industry certifications
Sub-Processor Obligations
Sinch processes personal data only under our documented instructions and implements appropriate technical and organizational measures consistent with GDPR Article 28.
DPA Status
We have a Data Processing Agreement (DPA) in place with Sinch AB.
Third-Party Transfers
Sinch ensures any onward processing complies with GDPR and contractual obligations, including SCCs where required.
Contact Information
For more information, please visit https://www.sinch.com.
Sub-Processor Description: Infobip Ltd (Infobip)
Purpose of Processing
Infobip provides omnichannel communications services including SMS and messaging delivery. As a sub-processor, Infobip facilitates the routing and delivery of A2P messages and related delivery receipts.
Data Categories Processed
- Message content and metadata (sender, recipient MSISDNs, timestamps)
- Delivery status data and routing information
- Technical and operational logs
Processing Location
Infobip operates a global infrastructure with processing in the EEA and other regions based on service routing. Cross-border transfers follow GDPR requirements and may rely on SCCs.
Security Measures
- Encryption in transit
- Role-based access controls and monitoring
- Network segmentation and intrusion detection
- Regular audits and recognized security certifications
Sub-Processor Obligations
Infobip processes personal data only under our documented instructions and maintains technical and organizational measures aligned to GDPR Article 28.
DPA Status
We have a Data Processing Agreement (DPA) in place with Infobip Ltd.
Third-Party Transfers
Infobip ensures onward processors adhere to equivalent data protection obligations and GDPR transfer mechanisms.
Contact Information
For more information, please visit https://www.infobip.com.
Sub-Processor Description: 8x8, Inc. (8x8)
Purpose of Processing
8x8 provides cloud communications services and CPaaS capabilities including SMS messaging. As a sub-processor, 8x8 supports the sending, routing, and delivery of A2P messages and delivery receipts.
Data Categories Processed
- Message content and delivery metadata
- Recipient and sender identifiers (e.g., MSISDNs)
- Logs required for service reliability and troubleshooting
Processing Location
8x8 operates globally with processing in the EEA and other regions depending on routing. GDPR-compliant transfer safeguards, including SCCs, are applied where applicable.
Security Measures
- Encryption in transit
- Access controls and audit logging
- Network protections and vulnerability management
- Regular security assessments and certifications
Sub-Processor Obligations
8x8 processes personal data only under our instructions and implements appropriate technical and organizational measures per GDPR Article 28.
DPA Status
We have a Data Processing Agreement (DPA) in place with 8x8, Inc.
Third-Party Transfers
8x8 ensures any onward processing meets GDPR requirements and contractual obligations.
Contact Information
For more information, please visit https://www.8x8.com.
Sub-Processor Description: JT Group Limited (JT Global)
Purpose of Processing
JT Global is a telecommunications provider offering connectivity and messaging services. As a sub-processor, JT Global facilitates SMS routing and delivery with associated delivery reporting.
Data Categories Processed
- Message content and delivery metadata
- Sender and recipient identifiers (e.g., MSISDNs)
- Operational logs for service performance and troubleshooting
Processing Location
JT Global operates internationally with processing that may occur in the EEA and other regions depending on routing paths. Cross-border transfers use GDPR-approved mechanisms such as SCCs where required.
Security Measures
- Encryption in transit
- Access controls and monitoring
- Network security controls and DDoS protections
- Regular security testing and compliance programs
Sub-Processor Obligations
JT Global processes personal data under our documented instructions and maintains appropriate technical and organizational measures in line with GDPR Article 28.
DPA Status
We have a Data Processing Agreement (DPA) in place with JT Group Limited.
Third-Party Transfers
JT Global ensures any onward processing is subject to equivalent data protection obligations and GDPR-compliant transfer mechanisms.
Contact Information
For more information, please visit https://www.jtglobal.com.
Sub-Processor Description: Telesign Corporation (Telesign)
Purpose of Processing
Telesign provides phone number verification, SMS and messaging delivery, identity verification, and related communications APIs. As a sub-processor, Telesign facilitates the transmission and delivery of application-to-person (A2P) messages, verification flows, and associated delivery reporting.
Data Categories Processed
- Message content and metadata (sender, recipient MSISDNs, timestamps)
- Delivery receipts and routing information
- Identity and verification-related data where applicable
- Technical logs for service operation and troubleshooting
Processing Location
Telesign operates globally with coverage in 230+ countries and territories. Data may be processed in the EEA and other regions depending on routing and service configuration. Cross-border transfers comply with GDPR requirements, including use of Standard Contractual Clauses (SCCs) and participation in applicable data transfer frameworks where applicable.
Security Measures
- Encryption in transit
- Access controls and audit logging
- Network and application security controls
- Regular security assessments and industry certifications
Sub-Processor Obligations
Telesign processes personal data only under our documented instructions and implements appropriate technical and organizational measures consistent with GDPR Article 28.
DPA Status
We have a Data Processing Agreement (DPA) in place with Telesign Corporation.
Third-Party Transfers
Telesign ensures any onward processing complies with GDPR and contractual obligations, including equivalent data protection and transfer mechanisms where required.
Contact Information
For more information, please visit Telesign.