Sub-processors
Effective starting: 11 June, 2025
Program owner and administrator specific sub-processors
Sub-processor services we use to engage and support your organisation. Entrants/applicants, nominators and judges/reviewers do not make use of these services.
| Sub-processor | Business location | Data processing location(s) | Description of services provided |
|---|---|---|---|
| AnnounceKit https://announcekit.app | United States | United States | Product communication platform. Processes personal data. Uses Standard Contractual Clauses. Technical security measures: https://announcekit.app/security |
| Chargebee https://www.chargebee.com | United States | Germany (Frankfurt) | Subscription management platform. Processes personal data. Uses Standard Contractual Clauses. Technical security measures: https://www.chargebee.com/security |
| Databricks https://www.databricks.com | San Francisco, California, US | United States | Data pipeline management. May process personal data. Uses Standard Contractual Clauses. Technical security measures: https://www.databricks.com/trust |
| Elevio https://elev.io | Collingwood, Victoria, Australia | United States | In-app support panel. Processes email addresses. Uses Standard Contractual Clauses. |
| Hubspot https://www.hubspot.com | Ireland | United States | Software products for inbound marketing, sales, and customer service. Processes personal data. Uses Standard Contractual Clauses. Technical security measures: https://www.hubspot.com/security |
| Intercom https://www.intercom.com | San Francisco, California, US | United States (Virginia) | Chat and support management within our software product. Processes personal data. Uses Standard Contractual Clauses. Technical security measures: https://www.intercom.com/security |
| Klaus https://klausapp.com | Estonia | Germany (Frankfurt) | Support team conversation review and QA platform. Processes personal data. Data is not processed outside of the EU. Technical security measures: https://www.klausapp.com/security |
| Zendesk https://www.zendesk.com | San Francisco, California, US | Australia (Sydney) | Client support management. Processes personal data. Uses Standard Contractual Clauses. Technical security measures: https://www.zendesk.com/product/zendesk-security |
All user sub-processors
Sub-processor services we use to engage and support your organisation, your program and your participants. All roles including program owners, administrators, entrants, applicants, nominators, judges and reviewers make use of these services.
| Subprocessor | Business location | Data processing location(s) | Description of services provided |
|---|---|---|---|
| Amazon Web Services https://aws.amazon.com |
Seattle, Washington, US | Australia (Sydney) Canada (Montreal) Hong Kong Europe (Frankfurt, Germany) Singapore United States (Oregon and California) |
Cloud hosting infrastructure for whole application stack. Processes personal data. Uses Standard Contractual Clauses. Technical security measures: https://aws.amazon.com/blogs/security/aws-and-eu-data-transfers-strengthened-commitments-to-protect-customer-data https://aws.amazon.com/security |
| Datadog https://www.datadoghq.com |
New York, US | Europe | Application monitoring. May process personal data. Uses Standard Contractual Clauses. Technical security measures: https://www.datadoghq.com/security/ |
| Embeddable https://embeddable.com |
London, United Kingdom | Europe United States |
Dashboard caching. May process personal data. Uses Standard Contractual Clauses. Technical security measures: https://embeddable.com/policies/dpa (see Exhibit B of DPA) |
| Google Cloud https://cloud.google.com |
Dublin, Ireland | Australia Canada Europe Hong Kong Singapore United States |
Cloud infrastructure for collaboration and backup. Processes personal data. Uses Standard Contractual Clauses. Technical security measures: https://cloud.google.com/security |
| Heap https://www.heap.io |
San Francisco, California, US | United States | Application insights. May process personal data. Uses Standard Contractual Clauses. Technical security measures: https://www.heap.io/legal (see Schedule 2 of DPA) |
| Imgix https://www.imgix.com |
San Francisco, California, US | United States (rendering) Various edge nodes (caching) |
Image processing service. May process personal data captured in uploaded images and PDFs. Uses Standard Contractual Clauses. |
| MailGun https://www.mailgun.com |
San Francisco, California, US | Germany (Frankfurt) | Email sending service. Processes personal data used in the delivery and communication of email messages. Uses Standard Contractual Clauses. Technical security measures: https://www.mailgun.com/legal/dpa (see Annex 2 of DPA) |
| Prismatic https://prismatic.io |
Sioux Falls, South Dakota, US | Europe (Ireland) | Optional integration service. May process personal data when marketplace integrations are activated. Uses Standard Contractual Clauses. Technical security measures: https://prismatic.io/legal/security/ |
| Pusher https://pusher.com |
London, United Kingdom | United States (North Virginia) | Push service. Background processes use Pusher to send notifications on progress and file scanning. May process IP addresses and cookies. Uses Standard Contractual Clauses. Technical security measures: https://pusher.com/legal/data-protection (see Appendix II of DPA) |
| Twilio https://www.twilio.com |
San Francisco, California, US | United States | Optional SMS sending service. May process personal data if included in SMS messages. Uses Standard Contractual Clauses. Technical security measures: Security Overview Technical and Organizational Security Measures |
| Vonage https://www.vonage.com |
San Francisco, California, US | Singapore | Optional SMS sending service. May process personal data if included in SMS messages. Uses Standard Contractual Clauses. Technical security measures: https://www.vonage.com/communications-apis/platform/security https://www.vonage.com/legal/technical-organizational-security-practices |