GDPR Article 28 — third-party processors engaged by {{COMPANY_NAME}} to process personal data on our behalf. Last reviewed: {{LAST_UPDATED}}.
About this page
We engage carefully selected sub-processors to deliver the service. Each sub-processor is bound by a written Data Processing Agreement (DPA) in compliance with GDPR Article 28. Where personal data is transferred outside the EU/EEA, we rely on the European Commission’s Standard Contractual Clauses (SCCs, Module 2 — Controller to Processor, 2021/914) and, where applicable, the EU–US Data Privacy Framework as a transfer mechanism under Articles 44–49.
Signed copies of each DPA are retained in our internal compliance documentation. Enterprise customers may request access to signed copies under NDA by contacting our DPO at {{DPO_EMAIL}}.
International data transfers
Where a sub-processor stores or processes personal data outside the European Economic Area (EEA) or the United Kingdom, we rely on the following safeguards under GDPR Chapter V and the UK GDPR:
- EU Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914, Module 2 (Controller-to-Processor), incorporated into each DPA.
- UK International Data Transfer Addendum — issued by the ICO under s.119A of the UK Data Protection Act 2018, appended to SCCs for UK data exports.
- EU–US Data Privacy Framework — where the sub-processor is DPF-certified (verified at dataprivacyframework.gov).
- Transfer Impact Assessments (TIAs) — conducted prior to onboarding any non-EEA sub-processor, per the EDPB Schrems II recommendations (06/2020).
Changes to sub-processors
We will provide reasonable prior notice of the addition or replacement of any sub-processor that processes personal data. Customers may object to a new sub-processor by contacting {{DPO_EMAIL}} within 30 days of notification. Material changes will be reflected on this page and announced via email to organisation owners.
Requesting our DPA
Customers acting as data controllers can request a counter-signed Data Processing Agreement with {{COMPANY_NAME}} (incorporating the EU SCCs and UK Addendum where applicable) by contacting our DPO at {{DPO_EMAIL}}. Our standard DPA is available to all paid plans at no additional cost.